Origin of a root access
Few days ago, I saw this in `bash_history` while looking for something else:
[QUOTE]
539 2021-05-17 03:54:07 yum update php-libpng
540 2021-05-17 09:18:05 yum install john
541 2021-05-17 09:18:35 yum install john-the-ripper
542 2021-05-17 09:18:46 sudo yum install epel-release
543 2021-05-17 09:18:56 sudo yum install snapd
544 2021-05-17 09:19:03 sudo systemctl enable --now snapd.socket
545 2021-05-17 09:19:09 sudo ln -s /var/lib/snapd/snap /snap
546 2021-05-17 09:19:14 sudo snap install john-the-ripper
547 2021-05-17 09:19:58 unshadow /etc/passwd /etc/shadow > mypasswd.txt
548 2021-05-17 09:20:05 john
549 2021-05-17 09:21:19 unshadow
550 2021-05-17 09:21:27 john unshadow
551 2021-05-17 09:21:47 /usr/sbin/unshadow
552 2021-05-17 09:22:43 ls
553 2021-05-17 09:22:50 cd /etc/john*
554 2021-05-17 17:01:30 ( chkconfig cxswatch on; sed -i "s/cxswatch:0 cxswatch:1/" /etc/chkserv.d/chkservd.conf; )
539 being MY last action on the server (connected as root by private key), and 554 being ConfigServer installing their stuff and making configurations.
[QUOTE]
[root@phoebe www]# who -a
           démarrage système  2021-05-16 01:10
           IDENTIFIANT tty1   2021-05-16 01:11    1934 id=tty1
           niveau d'exécution 3  2021-05-16 01:11
root     + pts/0        2021-05-19 11:12   .     2987011 (82.64.94.155)
           pts/1        2021-05-18 23:09         2565543 id=/1    term=0 sortie=0
           pts/2        2021-05-17 01:31          790573 id=/2    term=0 sortie=0
           pts/1        2021-05-18 19:52         2356257 id=ts/1  term=0 sortie=0
           pts/2        2021-05-17 17:08         1251035 id=ts/2  term=0 sortie=0
           pts/3        2021-05-17 17:08         1251107 id=ts/3  term=0 sortie=0
           pts/4        2021-05-17 17:01         1431009 id=/4    term=0 sortie=0
[QUOTE]
[root@phoebe www]# zgrep -h sshd /var/log/secure-20210516 /var/log/secure-20210517.gz | grep -F 'Accepted'
# Truncated
May 9 22:35:46 phoebe sshd[153013]: Accepted publickey for root from MY_HOME_IP
May 10 11:34:26 phoebe sshd[498230]: Accepted publickey for root from MY_HOME_IP
May 11 00:07:50 phoebe sshd[978883]: Accepted publickey for root from MY_HOME_IP
May 11 21:53:27 phoebe sshd[2032266]: Accepted publickey for root from MY_HOME_IP
May 11 22:42:17 phoebe sshd[2056997]: Accepted publickey for root from CPANEL_IP1
May 12 02:14:11 phoebe sshd[2165520]: Accepted publickey for root from CPANEL_IP1
May 12 03:19:42 phoebe sshd[2198215]: Accepted publickey for root from CPANEL_IP1
May 12 10:57:11 phoebe sshd[2445876]: Accepted publickey for root from MY_HOME_IP
May 12 11:56:08 phoebe sshd[2479979]: Accepted publickey for root from CPANEL_IP2
May 13 18:30:27 phoebe sshd[3903110]: Accepted publickey for root from MY_HOME_IP
May 14 17:25:36 phoebe sshd[694978]: Accepted publickey for root from MY_HOME_IP
May 14 22:46:44 phoebe sshd[891802]: Accepted publickey for root from MY_HOME_IP
May 15 09:34:00 phoebe sshd[1298613]: Accepted publickey for root from MY_HOME_IP
May 15 21:17:01 phoebe sshd[1692601]: Accepted publickey for root from MY_HOME_IP
May 16 00:45:29 phoebe sshd[1814485]: Accepted publickey for root from MY_HOME_IP
May 16 01:00:54 phoebe sshd[7536]: Accepted publickey for root from MY_HOME_IP
May 16 01:15:29 phoebe sshd[4596]: Accepted publickey for root from MY_HOME_IP
May 17 11:56:56 phoebe sshd[1112647]: Accepted publickey for root from MY_HOME_IP
May 17 16:35:06 phoebe sshd[1250904]: Accepted publickey for root from CONFIGSERVER
May 17 16:35:22 phoebe sshd[1251035]: Accepted publickey for root from CONFIGSERVER
May 17 16:35:26 phoebe sshd[1251107]: Accepted publickey for root from CONFIGSERVER
From where I'm standing, first the hacker couldn't get his hands on anything as he couldn't execute JTR. I changed passwords immediately but don't think it will prevent another attempt. But he seems to come out of nowhere! There is no SSH connection, there is no suspected IP nor public key, there is no sudo group in sudoers. Can someone give me a hint on where to look for an entry point, please?
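As an added example (not from the thread), a small Python triage script that correlates timestamped bash_history entries with the sshd "Accepted" lines shown above, so you can see which commands can be tied to an SSH login and which the SSH log cannot account for. The sample input is constructed from the thread's own lines; MY_HOME_IP and CONFIGSERVER are the thread's placeholders, and the 12-hour window and the SUSPICIOUS keyword list are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input in the shape the thread shows; MY_HOME_IP / CONFIGSERVER are the thread's own placeholders.
HISTORY = """\
540 2021-05-17 09:18:05 yum install john
547 2021-05-17 09:19:58 unshadow /etc/passwd /etc/shadow > mypasswd.txt
554 2021-05-17 17:01:30 ( chkconfig cxswatch on; sed -i "s/cxswatch:0 cxswatch:1/" /etc/chkserv.d/chkservd.conf; )
"""
SECURE = """\
May 16 01:15:29 phoebe sshd[4596]: Accepted publickey for root from MY_HOME_IP
May 17 11:56:56 phoebe sshd[1112647]: Accepted publickey for root from MY_HOME_IP
May 17 16:35:06 phoebe sshd[1250904]: Accepted publickey for root from CONFIGSERVER
"""
SUSPICIOUS = ("john", "unshadow", "/etc/shadow")  # assumed keyword list: credential-cracking tooling seen in the thread
HIST_RE = re.compile(r"^\s*(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[(\d+)\]: Accepted \w+ for (\S+) from (\S+)")

def parse_history(text):
    """`history` output with HISTTIMEFORMAT='%F %T ' -> [(num, datetime, command)]."""
    out = []
    for line in text.splitlines():
        m = HIST_RE.match(line)
        if m:
            out.append((int(m.group(1)), datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S"), m.group(3)))
    return out

def parse_accepted(text, year):
    """sshd 'Accepted' lines from /var/log/secure -> sorted [(datetime, pid, user, source)]; syslog omits the year."""
    out = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            out.append((datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), int(m.group(2)), m.group(3), m.group(4)))
    return sorted(out)

def attribute(history, logins, window=timedelta(hours=12)):
    """Pair each command with the latest accepted login at or before it within `window` (assumed 12 h), else None.
    None means this log does not explain the command: truncated log, differing clocks/time zones, or a non-sshd session."""
    result = []
    for num, when, cmd in history:
        prior = [l for l in logins if l[0] <= when and when - l[0] <= window]
        result.append((num, cmd, prior[-1][3] if prior else None))
    return result

def triage(history_text=HISTORY, secure_text=SECURE, year=2021):
    """[(num, command, source_or_None, is_suspicious)] for every history line."""
    rows = attribute(parse_history(history_text), parse_accepted(secure_text, year))
    return [(n, c, s, any(k in c for k in SUSPICIOUS)) for n, c, s in rows]
```

Run triage() on the real `history` and `/var/log/secure` text; rows whose source is None are the ones the SSH log cannot account for, which is where to look next (cron, the web stack, console or other non-sshd access, or a history clock that does not match syslog).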
Try: last
As @ffeingol said, the "last" command should give you output that looks like this:
root     pts/0        1.2.3.4          Mon May  3 10:25 - 06:06 (2+19:40)
root     pts/0        1.2.3.4          Mon Apr 26 22:19 - 17:07 (1+18:47)
reboot   system boot  3.10.0-1160.15.2 Mon Apr 26 22:18 - 10:34 (23+12:15)
root     pts/2        1.2.3.4          Fri Apr 23 16:10 - down  (3+06:06)
root     pts/1        1.2.3.4          Fri Apr 23 16:02 - 18:16 (02:13)
Where "1.2.3.4" is the IP address of the user connecting to the server.
Although, it's important to mention that no matter what, the machine is compromised and you should get moved to a new system as soon as you can.
@ffeingol @cPRex thanks for your replies, `last` didn't give me more than looking at the secure logs. Reinstalling is a must, but if the ghost access from nowhere comes from an unknown vulnerability or something we're installing, we might install it again and come back to square one.
While technically possible, if you use the Transfer Tool that is a secure method of moving the data between servers. If the compromised files were placed in a user account, then yes, those would also be moved. If you aren't able to find more details it might be a good idea to work with a professional security administrator to do a thorough evaluation of the machine.
[QUOTE] If you aren't able to find more details it might be a good idea to work with a professional security administrator to do a thorough evaluation of the machine.
Do you, at cPanel, provide contacts to partners providing these types of consulting or services?