I received multiple warnings like this on one Openlitespeed server.
Time: Wed Jun 12 03:11:57 2024 +0700
File: /tmp/lshttpd/lsphp83.sock.10640.pid
Reason: Script, starts with #!
Owner: apache:apache (989:989)
Action: No action taken
The pid file has content such as “?5?O?hf?=,*3hf”
Tried to search with the socket ID (10640) from lsof, and got multiple PIDs. Searched with those PIDs and the timestamps from the warnings, got several processes. However, those CSS, TTF, Webp… files seem to be normal, not including any malware.
The server hosts for several busy sites, so they have traffic all the time. However, those warnings are not happening all the time.
Any idea how to debug and find out the reason for those warnings, please?
Thank you