Hello,
Yesterday cPanel made an update:
Package dhclient.x86_64 12:4.1.1-53.P1.el6.centos.3 will be updated
Package dhclient.x86_64 12:4.1.1-53.P1.el6.centos.4 will be an update
Package dhcp-common.x86_64 12:4.1.1-53.P1.el6.centos.3 will be updated
Package dhcp-common.x86_64 12:4.1.1-53.P1.el6.centos.4 will be an update
On my server I have chkrootkit run every day. At the same time as the update, chkrootkit automatically made its scan and for the first time I saw this result:
Checking `bindshell'... INFECTED (PORTS: 465 45454)

I know the issue with port 465 is a false positive because exim listens there! The problem is that today I have port 45454!! I ran these commands:
/usr/sbin/lsof -P -n -i | grep 45454
netstat -an | grep 45454
lsof -i :45454

But the port isn't open or anything like that... Also today with the automatic cPanel update I have the following update:
[comodo_litespeed] COMODO ModSecurity LiteSpeed Rule Set
archive_url | https://waf.comodo.com/api/cpanel_litespeed_vendor
cpanel_provided | 0
description | COMODO ModSecurity Rules for LiteSpeed
enabled | 1
inst_dist | comodo-litespeed-1165
installed | 1
installed_from | https://waf.comodo.com/doc/meta_comodo_litespeed.yaml
name | COMODO ModSecurity LiteSpeed Rule Set
path | /etc/apache2/conf.d/modsec_vendor_configs/comodo_litespeed
report_url | https://waf.comodo.com/api/cpanel_feedback?source=1&rule_set=1.165
supported_versions | (6)
vendor_id | comodo_litespeed
vendor_url | https://waf.comodo.com

As you can see I run LiteSpeed. Can you please help me understand whether that is a false positive or whether something has gone badly wrong? I can't find anything listening on that port. Is it possible that cPanel, at the time of this update, for some reason listened on port 45454 and then stopped? Any help is highly appreciated!!
[QUOTE="net@work, post: 2556527, member: 813191"]Yesterday cPanel made an update: Package dhclient.x86_64 12:4.1.1-53.P1.el6.centos.3 will be updated Package dhclient.x86_64 12:4.1.1-53.P1.el6.centos.4 will be an update Package dhcp-common.x86_64 12:4.1.1-53.P1.el6.centos.3 will be updated Package dhcp-common.x86_64 12:4.1.1-53.P1.el6.centos.4 will be an update[/QUOTE]
Hello,
Those updates actually come from your operating system as opposed to from cPanel & WHM. You can see a log of which packages are updated through YUM at:
/var/log/yum.log
[QUOTE="net@work, post: 2556527, member: 813191"]I can't find anything listening on that port. Is it possible that cPanel, at the time of this update, for some reason listened on port 45454 and then stopped?[/QUOTE]
Are you using the PortSentry or klaxon application? Chkrootkit notes the following on their FAQ page:
[QUOTE]I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).[/QUOTE]
Thank you.
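The bindshell test checks a fixed list of ports (the FAQ list in the reply above), so a hit is a statement about scan time: a port that is closed when you look later was held by something transient, which is exactly the case that lsof and netstat run afterwards cannot settle. The script below is an added illustration, not code from this thread or from chkrootkit: it parses the INFECTED line, marks each port as being on the probe list or not, and looks it up in a socket table taken from ss -Hltunp (or netstat -tulnp on CentOS 6), naming the owning process where the table carries one. The socket table embedded in it is constructed for the example.

```shell
#!/bin/sh
# Added illustration, not code from this thread or from chkrootkit:
# reconcile a chkrootkit bindshell hit with the sockets that exist now.

# Constructed sample: the chkrootkit line reported in the thread.
CHKROOTKIT_LINE="Checking \`bindshell'... INFECTED (PORTS: 465 45454)"

# The ports the bindshell test covers, taken from the chkrootkit FAQ
# quoted in this thread.
BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 4369 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"

# Constructed sample socket table in the format of `ss -Hltunp`: exim on
# 465, LiteSpeed on a UDP port (as in the thread), nothing on 45454.
SAMPLE_SOCKETS='tcp LISTEN 0 20 0.0.0.0:465 0.0.0.0:* users:(("exim",pid=2211,fd=3))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=801,fd=4))
udp UNCONN 0 0 *:42743 *:* users:(("litespeed",pid=15373,fd=77))'

# Print the space-separated port list from an "INFECTED (PORTS: ...)" line.
bindshell_ports_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*INFECTED (PORTS: \([0-9 ][0-9 ]*\)).*/\1/p'
}

# Succeed when $1 is one of the ports the bindshell test looks at.
is_probe_port() {
    for p in $BINDSHELL_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Filter a socket table on stdin (`ss -Hltunp`, or `netstat -tulnp` on
# CentOS 6) down to rows whose local address ends in ":$1". Matches
# "*:465", "0.0.0.0:465" and "[::]:465" alike; the peer column carries
# no port number ("*:*"), so it cannot match.
sockets_on_port() {
    grep -E ":$1([[:space:]]|$)" || true
}

# For every port in a chkrootkit line, print "PORT<TAB>probed<TAB>holder":
# probed is yes/no (on the bindshell list); holder is the process name from
# the ss "users:" column, "listener" when the row carries no process name
# (netstat run without root), or "none" when nothing holds the port now.
triage_bindshell() {
    table=$(cat)
    for port in $(bindshell_ports_from_line "$1"); do
        if is_probe_port "$port"; then probed=yes; else probed=no; fi
        row=$(printf '%s\n' "$table" | sockets_on_port "$port" | head -n 1)
        if [ -z "$row" ]; then
            holder=none
        else
            holder=$(printf '%s\n' "$row" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
            holder=${holder:-listener}
        fi
        printf '%s\t%s\t%s\n' "$port" "$probed" "$holder"
    done
}

# Run against the constructed table. On a live box replace the printf with
# `ss -Hltunp` (or `netstat -tulnp`) and the sample line with the one from
# your own chkrootkit report.
printf '%s\n' "$SAMPLE_SOCKETS" | triage_bindshell "$CHKROOTKIT_LINE"
```

A port that comes back as none is the one worth the log search suggested in this thread: compare the time the chkrootkit cron job ran with what started or stopped around then (the LiteSpeed restart lines in its log, /var/log/cron on CentOS), because nothing you run afterwards will show the socket that existed during the scan.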
Hello,
The yum packages that were updated are:
dhcp-common-4.1.1-53.P1.el6.centos.4.x86_64
dhclient-4.1.1-53.P1.el6.centos.4.x86_64
No, I don't have the PortSentry or klaxon application! Yesterday I checked again with chkrootkit and only port 465 was found as bindshell! Also today (as yesterday) everything seems OK and this specific port doesn't exist! The only port that I see (except those I know) is one UDP port that LiteSpeed listens on:
lsof -i :42743
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
litespeed 15373 nobody 77u IPv4 yyyyyyyyy 0t0 UDP *:42743
Is it possible that yesterday LiteSpeed opened port 45454 and chkrootkit notified me about it? As far as I can see, LiteSpeed opens UDP ports randomly... I am not sure why that port is open, but it is the only port that I can find with the command netstat -tulpen OR netstat -tanp! Also this particular port doesn't have the LISTEN part and I don't have it in the csf firewall... Is there something else that I can do to find out if something malicious is happening? I checked and scanned the entire server, logs etc. and found nothing unusual... It's too strange! Is there something else that I can do to investigate it further? Is it possible that for some reason chkrootkit showed me that port falsely? Any help is highly appreciated! Thank you!
Hello @net@work,
I recommend browsing through /usr/local/apache/logs/access_log, /usr/local/apache/logs/error_log, and through the domain access logs in /usr/local/apache/domlogs/ to see if you notice anything related to that port near the time that process was running. Additionally, I see you've opened a thread on the LiteSpeed support forums at: Litespeed open second UDP port automatically without notification? Please ensure to let us know the outcome should you receive helpful information there.
Thank you.
Hello @cPanelMichael,
I checked all the logs and the only thing that I can say possibly has something to do with it is:
104.128.xxx.xxx - - [TIME] "GET / HTTP/1.1" 200 111 "-" "www.probethenet.com scanner"
104.128.xxx.xxx - - [TIME] "HEAD /redirect.php HTTP/1.1" 404 0 "-" "www.probethenet.com scanner"
Is it possible that this scan triggered chkrootkit? Also at the same time:
TIME [ALERT] [Child: 14388] LiteSpeed/Version Enterprise starts successfully!
At the same time as the above, chkrootkit ran its daily cron... Of course I will update here after the information from "random".
[QUOTE="net@work, post: 2557407, member: 813191"]Of course I will update here after the information from "random"[/QUOTE]
WpW: DNS Prefetch with LiteSpeed Cache - LiteSpeed Blog
Thank you.
Hello @cPanelMichael,
First of all thank you for the quick reply and the informative links! Yes, on 1 site on my server I have the DNS Prefetch feature with LiteSpeed Cache! So as the LiteSpeed staff say, it should not cause any security issue. It seems that chkrootkit informed me on that particular day about port 45454 because of a random UDP port... Because from the logs etc. until now I can't find anything else except the random UDP ports of LiteSpeed... Also since that day chkrootkit has never informed me about bindshell except for the usual port 465. I think the randomness of the changed port triggered that alert. I'll watch it closely and I hope nothing malicious really happened; as I said, until now nothing has been found. Thank you for everything! :)