Suspicious domains in the Host Database

Comments

35 comments

  • Spirogg
    I recently saw these suspicious items in the "mysql" database name and the "user" and "db" tables in the "Host" column: send.klaviyomsv.com huffingtonpost.co.za Are these domains and some other IPs normal here?

    Is this your dedicated server, or shared, or a VPS? Do these IPs belong to you? Do you know these domains huffingtonpost.co.za and send.klaviyomsv.com? Are these your domains, or do you have user accounts with these domains or sub-domains? If it's your server and these are not your IPs and users, it is fishy. If shared, I would contact the hosting provider to check this.
    0
  • Spirogg
    It seems that when you search for send.klaviyomsv.com, it comes up as an email spam sender. Do you have any accounts that use this? It seems to be an email platform. Maybe it's sending spam emails; I would check the user's account.
    0
  • cPRex Jurassic Moderator
    Could you confirm what table and database we're looking at? I wouldn't expect those to show up, but it's hard to say with the information we have.
    0
  • NabiKAZ
    is this your dedicated server? or shared or vps?

    It's a VPS for shared hosting, and I'm the admin with root access.
    do these IP's belong to you?

    These seem to be the server IPs of my previous years that are no longer available to me.
    do you know these domains huffingtonpost.co.za send.klaviyomsv.com are these your domains? or do you have users accounts with these domains - sub-domains?

    No, I do not know these domains and there are no clients or sites with these domains hosted on my server.
    do you have any accounts that have this seems to be an email platform. maybe its sending spam emails, I would check the user's account

    No, and I strongly oppose spam, and I will never allow a customer to install a spam panel on their site and send spam.
    Could you confirm what table and database we're looking at? I wouldn't expect those to show up, but it's hard to say with the information we have.

    As written above the image, the name of the database is mysql, and this is the main database of the server in which the usernames and passwords for database access of the accounts on the server are stored. Or, for example, access for the user's phpMyAdmin and even remote access to the database.
    ```
    # cat /usr/local/cpanel/version
    11.100.0.11
    # mysql --version
    mysql  Ver 15.1 Distrib 10.3.19-MariaDB, for Linux (x86_64) using readline 5.1
    ```
    0
  • cPRex Jurassic Moderator
    It sounds like there could be a potential security issue on your system. It might be best to open a ticket with our team so we can check this out.
    0
  • NabiKAZ
    The new thing I noticed is that every time I create a new account, the "send.klaviyomsv.com" record is immediately added to the "mysql" database for that account. Is this normal? How can I find out where this address is set?
    0
  • cPRex Jurassic Moderator
    Is that the hostname of the server?
    0
  • NabiKAZ
    Is that the hostname of the server?

    No, never. I checked the "hostname" command again to make sure. I also checked "Networking Setup > Change Hostname" in WHM.
    0
  • cPRex Jurassic Moderator
    Do you see this name present in /etc/hosts possibly?
    0
  • NabiKAZ
    I checked, there is no trace of it in this file.
    0
  • cPRex Jurassic Moderator
    That's interesting - I don't have any other suggestions of where that could be, as those are the two most logical places for that to show up. It might be time for a massive grep of /etc/ to see if that name is listed in any configuration files. I did try looking through the code to see where MySQL determines the host values, but I wasn't able to find that so I'm wondering if that also comes from within MySQL. Searching all tables for that text string might give you some good information also.
    0
  • NabiKAZ
    The new thing I noticed is that every time I create a new account, the "send.klaviyomsv.com" record is immediately added to the "mysql" database for that account. Is this normal? How can I find out where this address is set?

    After one day, I checked the same account again! Strangely, there was no trace of "send.klaviyomsv.com" and it was replaced with the original hostname of my server!!! I re-created a new account that had "send.k...", but after less than an hour it changed back to my server hostname! But this did not happen with the old hosted accounts, and there "send.k..." is still present!
    0
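    An added example, not from this thread or from cPanel, for the check cPRex suggested above (searching the grant tables for the string): it reads the `User`/`Host` rows of `mysql.user` (the same shape works for `mysql.db`), reports every Host that is not in an allowlist of what a cPanel server should carry (localhost, 127.0.0.1 and the server's own hostname), and prints the `DROP USER` statements to review before running anything. The rows, the hostname `srv.example.test` and the allowlist are constructed here so it runs offline; on a real server, pipe in `mysql -N -B -e "SELECT User, Host FROM mysql.user"` and pass `localhost 127.0.0.1 $(hostname)`.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: list rows in mysql.user
# (or mysql.db) whose Host is not one a cPanel server should carry, and emit
# the DROP USER statements to review. Feed it the real output of
#   mysql -N -B -e "SELECT User, Host FROM mysql.user"
# on the server; the rows below are constructed so it runs offline.

# Constructed sample rows, tab separated like "mysql -B" output. Each grant
# exists for the server's own hostname (srv.example.test here, an assumed
# name); the last two mirror the unrelated domains seen in the thread.
SAMPLE_USER_ROWS=$(printf 'root\tlocalhost\ncpses_abc\tlocalhost\nshop_db\tsrv.example.test\nshop_db\tsend.klaviyomsv.com\nblog_db\thuffingtonpost.co.za\n')

# unexpected_hosts "host1 host2 ..." < rows
#   prints "user host" for every row whose Host is not in the allowlist.
#   On a real server the allowlist is: localhost 127.0.0.1 $(hostname)
unexpected_hosts() {
    awk -F'\t' -v allow=" $1 " '
        NF >= 2 && index(allow, " " $2 " ") == 0 { print $1, $2 }'
}

# drop_statements < "user host" lines -> SQL to review before running.
# Dropping the row alone does not explain where it came from: the grep in
# the thread also found the name in /var/cpanel/databases/grants_*.yaml,
# cPanel's per-account grant cache, so that cache needs checking too.
drop_statements() {
    while read -r user host; do
        printf "DROP USER '%s'@'%s';\n" "$user" "$host"
    done
}

ALLOW='localhost 127.0.0.1 srv.example.test'
printf '%s\n' "$SAMPLE_USER_ROWS" | unexpected_hosts "$ALLOW"                    # two rows
printf '%s\n' "$SAMPLE_USER_ROWS" | unexpected_hosts "$ALLOW" | drop_statements
```

    The allowlist is exact-match on purpose: a Host of `%` or a wildcard pattern would also be reported, which is what you want when reviewing a server whose grants should all be local.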
  • NabiKAZ
    That's interesting - I don't have any other suggestions of where that could be, as those are the two most logical places for that to show up. It might be time for a massive grep of /etc/ to see if that name is listed in any configuration files. I did try looking through the code to see where MySQL determines the host values, but I wasn't able to find that so I'm wondering if that also comes from within MySQL. Searching all tables for that text string might give you some good information also.

    Incidentally, before you say it, I did it. Because it was time-consuming, I ran it in the background and I got the result today. By this command:
    ```
    grep -lir "send.klaviyomsv.com" ......
    ```
    I checked the paths: /etc, /usr, /var. Result:
    ```
    #/etc: nothing
    #/usr:
    /usr/local/cpanel/Cpanel/iContact.pm
    grep: /usr/share/cagefs-skeleton/proc/sys/fs/binfmt_misc: Too many levels of symbolic links
    grep: /usr/share/cagefs-skeleton/proc/sys/fs/datacycle/flush: Permission denied
    grep: /usr/share/cagefs-skeleton/proc/sys/net/ipv4/route/flush: Permission denied
    grep: /usr/share/cagefs-skeleton/proc/sys/net/ipv6/conf/all/stable_secret: Input/output error
    grep: /usr/share/cagefs-skeleton/proc/sys/net/ipv6/conf/default/stable_secret: Input/output error
    grep: /usr/share/cagefs-skeleton/proc/sys/net/ipv6/conf/eth0/stable_secret: Input/output error
    grep: /usr/share/cagefs-skeleton/proc/sys/net/ipv6/conf/lo/stable_secret: Input/output error
    grep: /usr/share/cagefs-skeleton/proc/sys/net/ipv6/route/flush: Permission denied
    grep: /usr/share/cagefs-skeleton/proc/sys/vm/compact_memory: Permission denied
    #/var:
    /var/cpanel/transfer_sessions/whmxfer.sqlite
    /var/cpanel/databases/grants_sh*****.cache
    /var/cpanel/databases/grants_sh*****.yaml
    /var/cpanel/databases/grants_ba*******.cache
    /var/cpanel/databases/grants_ba*******.yaml
    /var/cpanel/userhomes/cpanelphpmyadmin/sessions/sess_b909ddba************
    /var/crash/127.0.0.1-2021-03-02-10:58:47/vmcore
    /var/crash/127.0.0.1-2021-06-21-17:21:46/vmcore
    grep: /var/log/dcpumon/toplog.1655092201: No such file or directory
    /var/log/secure
    /var/lib/mysql/mysql/db.MYI
    /var/lib/mysql/mysql/db.MYD
    /var/lib/mysql/mysql/user.MYI
    /var/lib/mysql/mysql/user.MYD
    ```
    I just suspected the `/usr/local/cpanel/Cpanel/iContact.pm` file and checked it. It appears in two places in the file, next to the names of my main hosts.
    main server: [image]
    I have three other servers that I also checked. On two servers, I came across two other strange addresses in the same place:
    server 1: [image]
    server 2: [image]
    And on the third server, because there was no update, nothing was found in this place. "a2891.casalemedia.com" and "huffingtonpost.co.za" are as unknown and strange as the previous address "send.klaviyomsv.com"! Then I did an experiment and deleted that address from both places in the file. But when I created a new account, the address "send.klaviyomsv.com" was still added to the database for that account. So it seems to be injected from somewhere else. It is strange!
    0
  • cPRex Jurassic Moderator
    It's definitely strange. You're always welcome to create a ticket with our team, or you could reach out to your host to see if they have any details on where that is coming from.
    0
  • Michael-Inet
    @NabiKAZ, Are you using AlmaLinux on the [hacked] boxes? My CentOS 7 boxes do not show that line in that file. My new, 5 days old, AlmaLinux 8 does. I did notice that the AlmaLinux box had no firewall installed during base, so it was open to any OS exploits until csf was installed after cPanel. Diff between the two files shows this is added to the [hacked] box.
    ```
    Line# Content
    0534  $email_args_hr->{'subject'} =~ s/video.fjed4-1.fna.fbcdn.net/srv10.srv10-inet-design.com/g;
    1346  $filesys_safe_subject_header =~ s/video.fjed4-1.fna.fbcdn.net/srv10.srv10-inet-design.com/g;
    ```
    Both these added lines are also sed replace commands. I went through the AlmaLinux 8 Mail Delivery Reports, but did not find anything unusual. My best guess is these boxes are hacked and need to be rebuilt from scratch. cPRex, I've attached the AlmaLinux 8 file, can you find out if it's an unaltered cPanel file? Edit: Uh, guess I can't attach it. I guess just ask if those two lines are legit for an AlmaLinux 8 box. Michael

    AlmaLinux 8
    ```
    root@srv10 [~]# grep -i 'email_args' /usr/local/cpanel/Cpanel/iContact.pm
        my %email_args = (
        $email_args{'im_message'} = $im_msg;
        $email_args{'im_subject'} = $im_subject;
        $email_args{'html_body'} = $main_content_ref;
        $email_args{'text_body'} = \$plaintext_msg;
        $email_args{'text_body'} = $main_content_ref;
        $email_args{'history_file'} = _save_notification_to_log(
        'email_args_hr' => \%email_args,
        my $notifications = _send_notifications( $contactshash_ref, \%email_args, $attach_files );
        my ( $contactshash_ref, $email_args_hr, $attach_files_ar ) = @_;
        $email_args_hr->{'subject'} =~ s/video.fjed4-1.fna.fbcdn.net/srv10.srv10-inet-design.com/g;
        $email_args_hr->{'to'} = $to_ar;
        'args' => $email_args_hr,
        my $email_args_hr = $OPTS{'email_args_hr'};
        my $filesys_safe_subject_header = $email_args_hr->{'subject'};
        Cpanel::iContact::Email::write_email_to_fh( $target->{'fh'}, %{$email_args_hr} );
    root@srv10 [~]# ll /usr/local/cpanel/Cpanel/iContact.pm
    -rw-r--r-- 1 root root 59149 Jun  9 19:30 /usr/local/cpanel/Cpanel/iContact.pm
    ```
    CentOS 7
    ```
    root@srv06 [~/bin]# grep -i 'email_args' /usr/local/cpanel/Cpanel/iContact.pm
        my %email_args = (
        $email_args{'im_message'} = $im_msg;
        $email_args{'im_subject'} = $im_subject;
        $email_args{'html_body'} = $main_content_ref;
        $email_args{'text_body'} = \$plaintext_msg;
        $email_args{'text_body'} = $main_content_ref;
        $email_args{'history_file'} = _save_notification_to_log(
        'email_args_hr' => \%email_args,
        my $notifications = _send_notifications( $contactshash_ref, \%email_args, $attach_files );
        my ( $contactshash_ref, $email_args_hr, $attach_files_ar ) = @_;
        $email_args_hr->{'to'} = $to_ar;
        'args' => $email_args_hr,
        my $email_args_hr = $OPTS{'email_args_hr'};
        my $filesys_safe_subject_header = $email_args_hr->{'subject'};
        Cpanel::iContact::Email::write_email_to_fh( $target->{'fh'}, %{$email_args_hr} );
    root@srv06 [~/bin]# ll /usr/local/cpanel/Cpanel/iContact.pm
    -rw-r--r-- 1 root root 58960 Jun  1 03:18 /usr/local/cpanel/Cpanel/iContact.pm
    ```
    0
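    An added example, not from this thread or from cPanel, to turn the diff above into a repeatable check: it flags Perl `s/OLD/NEW/g` statements in a module where both sides look like fully qualified hostnames (the shape of the two injected lines, which a legitimate character-class sanitiser does not match), and diffs a suspect module against a copy from a clean install of the same cPanel version (compare `/usr/local/cpanel/version` first). The two module fragments are constructed here so it runs offline; they are not the real iContact.pm, and the subroutine name and the sanitising line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: flag Perl substitution
# statements that rewrite one hostname into another (the pattern Michael-Inet
# diffed out of iContact.pm) and diff a suspect module against a clean copy of
# the same cPanel version. The fragments below are constructed for offline
# use; they are not the real iContact.pm.

WORK=$(mktemp -d)
CLEAN="$WORK/iContact.pm.clean"
SUSPECT="$WORK/iContact.pm.suspect"

# Constructed "clean" fragment: an ordinary sanitising substitution only.
cat > "$CLEAN" <<'EOF'
sub _send_notifications {
    my ( $contactshash_ref, $email_args_hr, $attach_files_ar ) = @_;
    $email_args_hr->{'to'} = $to_ar;
    my $filesys_safe_subject_header = $email_args_hr->{'subject'};
    $filesys_safe_subject_header =~ s/[^A-Za-z0-9._-]/_/g;
}
EOF

# Same fragment with the two injected lines quoted in the thread's diff.
cat > "$SUSPECT" <<'EOF'
sub _send_notifications {
    my ( $contactshash_ref, $email_args_hr, $attach_files_ar ) = @_;
    $email_args_hr->{'subject'} =~ s/video.fjed4-1.fna.fbcdn.net/srv10.srv10-inet-design.com/g;
    $email_args_hr->{'to'} = $to_ar;
    my $filesys_safe_subject_header = $email_args_hr->{'subject'};
    $filesys_safe_subject_header =~ s/video.fjed4-1.fna.fbcdn.net/srv10.srv10-inet-design.com/g;
    $filesys_safe_subject_header =~ s/[^A-Za-z0-9._-]/_/g;
}
EOF

# A Perl "s/OLD/NEW/g" where OLD and NEW both look like dotted hostnames.
# Character-class or single-character substitutions do not match.
HOST='[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+'
REWRITE_RE="=~ *s/$HOST/$HOST/g"

# find_host_rewrites FILE -> "lineno:text" for each matching statement
find_host_rewrites() {
    grep -nE "$REWRITE_RE" "$1"
}

# count_host_rewrites FILE -> number of matches, 0 on a clean file
count_host_rewrites() {
    c=$(grep -cE "$REWRITE_RE" "$1") || true
    printf '%s\n' "${c:-0}"
}

# module_differs CLEAN SUSPECT -> exit status 0 when the files differ
module_differs() {
    ! diff -q "$1" "$2" >/dev/null
}

count_host_rewrites "$SUSPECT"   # prints 2
find_host_rewrites "$SUSPECT"
module_differs "$CLEAN" "$SUSPECT" && diff -u "$CLEAN" "$SUSPECT" || true
```

    Run `find_host_rewrites` over the whole `/usr/local/cpanel/Cpanel` tree rather than one file; a hit on a subject or header field is the rewrite to look at, and the diff against a clean copy is what settles whether the file was altered.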
  • cPRex Jurassic Moderator
    I do not see those lines on an AlmaLinux 8 server by default.
    0
  • Michael-Inet
    Thanks much cPRex! Yeah, pretty much confirms the box was hacked. Time to rebuild :( Guess I need to be a lot faster in the build process...
    0
  • NabiKAZ
    @NabiKAZ, Are you using AlmaLinux on the [hacked] boxes?

    No, I use this:
    ```
    # cat /usr/local/cpanel/version
    11.104.0.4
    # mysql --version
    mysql  Ver 15.1 Distrib 10.3.34-MariaDB, for Linux (x86_64) using readline 5.1
    # hostnamectl
       Static hostname: ***
             Icon name: computer-vm
               Chassis: vm
            Machine ID: ***
               Boot ID: ***
        Virtualization: kvm
      Operating System: CloudLinux 7.9 (Boris Yegorov)
           CPE OS Name: cpe:/o:cloudlinux:cloudlinux:7.9:GA:server
                Kernel: Linux 3.10.0-962.3.2.lve1.5.26.7.el7.x86_64
          Architecture: x86-64
    # csf -v
    csf: v14.16 (cPanel)
    ```
    I think we should install a cPanel version on a healthy server and compare all its files with the infected server.
    0
  • NabiKAZ
    Thanks for your support, but I prefer to follow the problem myself with the clues I get from you. Now I realize another strange point. When I create an account in cPanel, the public_html access level is USER:USER and 755 (instead of USER:nobody and 750), so it is a deadly security risk and the user can access other people's account data. I also noticed that the "Normal Shell" tick is enabled by default for the newly created user, while in "Feature Manager" the "SSH Access & Terminal" option is not enabled. I force reinstalled cPanel but it still did not work! Of course, it should be noted that my server has been infected and suspicious files have been seen on some accounts.
    0
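    An added example, not from this thread or from cPanel, for the public_html finding above: it walks every `BASE/*/public_html`, reports any directory whose mode is not 0750 or whose group is not the expected one (USER:nobody on a cPanel account, as the post says), and prints the `chgrp`/`chmod` commands to review rather than running them. The account tree is constructed under `mktemp` so the check runs offline, and the expected group is taken from the current user because a non-root test cannot `chgrp` to nobody; on a real server run it as root with `/home` and `nobody`.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: audit BASE/*/public_html
# for the ownership and mode the thread expects (USER:nobody, 0750) and print
# the commands that would restore them, without running them.
# The account tree below is constructed under mktemp so this runs offline; the
# expected group is the current user's because a non-root test cannot chgrp
# to nobody. On a real server: audit_public_html /home nobody

# audit_public_html BASE EXPECT_GROUP
#   prints "path mode owner group" for each BASE/*/public_html whose mode is
#   not drwxr-x--- (0750) or whose group is not EXPECT_GROUP; silent when fine
audit_public_html() {
    base=$1; want_group=$2
    for d in "$base"/*/public_html; do
        [ -d "$d" ] || continue
        set -- $(ls -ld "$d")            # drwxr-x--- links owner group ...
        mode=${1%[.+@]}                  # drop SELinux/ACL marker if present
        owner=$3; group=$4
        if [ "$mode" != "drwxr-x---" ] || [ "$group" != "$want_group" ]; then
            printf '%s %s %s %s\n' "$d" "$mode" "$owner" "$group"
        fi
    done
}

# fix_commands EXPECT_GROUP < audit output -> chgrp/chmod lines to review
fix_commands() {
    while read -r d mode owner group; do
        printf 'chgrp %s %s; chmod 750 %s\n' "$1" "$d" "$d"
    done
}

# Constructed sample: one correct account and one world-readable 0755 account.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/good/public_html" "$DEMO/bad/public_html"
chmod 750 "$DEMO/good/public_html"
chmod 755 "$DEMO/bad/public_html"
MYGROUP=$(id -gn)

# count_bad -> number of accounts failing the audit in the sample tree
count_bad() { audit_public_html "$DEMO" "$MYGROUP" | wc -l | tr -d ' '; }

audit_public_html "$DEMO" "$MYGROUP"                   # the "bad" account only
audit_public_html "$DEMO" "$MYGROUP" | fix_commands "$MYGROUP"
```

    The check reports the directory, not the files under it; on a compromised host the interesting part is which accounts were changed and when, so run it before any mass `chmod` and keep the output.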
  • quietFinn
    I also noticed that the "Normal Shell" tick is enabled by default for the newly created user. While in "Feature Manager", "SSH Access & Terminal" option is not enabled.

    That is normal on a CloudLinux server, read here: https://cloudlinux.zendesk.com/hc/en-us/articles/115004517685-Why-CageFS-installation-changes-jailshell-to-regular-bash-on-cPanel-
    0
  • NabiKAZ
    That is normal on a CloudLinux server, read here: https://cloudlinux.zendesk.com/hc/en-us/articles/115004517685-Why-CageFS-installation-changes-jailshell-to-regular-bash-on-cPanel-

    Thanks, but according to this quote at the same link: "During CageFS package installation or update, all users with jailshell enabled will have it changed to regular /bin/bash in /etc/passwd."
    It says "all users with jailshell enabled will have it changed to regular /bin/bash", and not all users whose shells are disabled. And also, even when I disabled CageFS in cPanel and created a new user, Normal Shell access was enabled!
    0
  • cPRex Jurassic Moderator
    If you've already confirmed the server is compromised and there are odd files across multiple accounts, there isn't really a point in doing any other troubleshooting. You'll want to get the accounts migrated to a new machine to eliminate the compromise.
    0
  • NabiKAZ
    If you've already confirmed the server is compromised and there are odd files across multiple accounts, there isn't really a point in doing any other troubleshooting. You'll want to get the accounts migrated to a new machine to eliminate the compromise.

    But I do not think this solution will be useful, because by transferring accounts, malicious files are also transferred to the new server.
    0
  • ejsolutions
    .. by transferring accounts, malicious files are also transferred to the new server.

    Not necessarily an issue, IF you bolster the security on the server PRIOR to transferring the accounts. Jailed accounts should mean that even if an account is compromised, it will not traverse accounts nor corrupt the server. (That's the whole purpose of Jailing accounts) This should buy you time to further investigate where the hack occurred. If you should get hacked again, then I'd go knocking on the door of Cloudlinux - it's what you pay them for. just my opinion on the matter. ;)
    0
  • cPRex Jurassic Moderator
    If there are files at the account level causing an issue, those would be transferred to the new machine. We always recommend performing a transfer when there is a root compromise since there is no way to ensure a system is secured after malicious root access. As @ejsolutions said, keeping the accounts jailed with CloudLinux should keep any compromises from infecting other accounts on the machine.
    0
  • NabiKAZ
    According to your suggestion and the friends above:
    1. Full backup of all accounts by cPanel.
    2. Back up system files by cPanel.
    3. Format the disk.
    4. Install CloudLinux 8 and cPanel.
    5. Restore accounts.
    Is this roadmap approved? Given that I now have CloudLinux 7. Also I have more doubts about step 3 in terms of security.
    0
  • cPRex Jurassic Moderator
    That seems like a lot of work and isn't the way I would do things. I would just create a new machine and transfer the data over with the WHM >> Transfer Tool.
    0
  • ejsolutions
    I'd do a full fdisk (clearing filesystem signatures) and LVM remap, rather than just a format. If you go the same server approach. Also, add CSF and mod_sec, plus run the two security advisors on the server, before account restores. That takes me about a full days work to do! As per @cPRex a 'fresh' server is best, so that other accounts aren't down during the course of a build/rebuild. Note: I tried CL8 during a recent update and had to revert back to CL7 - numerous niggly problems that I didn't have the time/energy to resolve.
    0
  • NabiKAZ
    That seems like a lot of work and isn't the way I would do things. I would just create a new machine and transfer the data over with the WHM >> Transfer Tool.

    I know about the Transfer Tool and I can consider a new disk, but it is not attractive since I would have to consider a new IP with a new cPanel license. I know my method means downtime, but it is not a problem and I do it at a low-traffic time. Now the question I have is: to transfer the settings and configuration of the server, if I use cPanel's "Backup Configuration > Back up System Files", will the malicious files not be transferred to the new server along with them?
    0
  • NabiKAZ
    And I have another question, is there a special type of configuration in Cpanel that works with PHP with access level USER:USER and 0755 on public_html and sets this access itself?
    0