Suspicious domains in the Host Database
I recently saw these suspicious items in the "mysql" database, in the "Host" column of the "user" and "db" tables:
send.klaviyomsv.com
huffingtonpost.co.za
Are these domains and some other IPs normal here?
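One way to audit those Host entries, added here as an example and not part of the original thread: it labels every User/Host pair from mysql.user and mysql.db by how widely the grant permits connections and lists the non-local ones for review. The rows below are constructed; on a server you would feed it the output of the `mysql -N -e` query shown in the comment, and pass the server's own hostnames in `server_names`.

```python
import ipaddress

# Added example, not code from the thread. Input is tab-separated "User\tHost"
# rows as produced by:
#   mysql -N -e "SELECT User, Host FROM mysql.user UNION SELECT User, Host FROM mysql.db"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample rows; the two domain names are the ones from the question.
SAMPLE_ROWS = """\
root\tlocalhost
cpses_abc123\tlocalhost
shopuser\tsend.klaviyomsv.com
shopuser\thuffingtonpost.co.za
shopuser\t203.0.113.7
backupuser\t10.0.0.%
olduser\t%
"""

def classify_host(host, server_names=()):
    """Label one MySQL Host value by how widely it permits connections."""
    h = host.strip().lower()
    if h in LOCAL_HOSTS or h in {n.lower() for n in server_names}:
        return "local"
    if h in ("", "%"):
        return "any-host"      # usable from any client address
    if "%" in h or "_" in h:
        return "wildcard"      # MySQL LIKE-style pattern, e.g. 10.0.0.%
    try:
        ipaddress.ip_address(h.split("/")[0])   # also accepts ip/netmask form
        return "remote-ip"
    except ValueError:
        # A name is matched against the reverse-DNS name of the connecting
        # client, so any address that resolves to it can use the grant.
        return "remote-hostname"

def audit_hosts(rows_text, server_names=()):
    """Return sorted (user, host, label) for every grant that is not local-only."""
    findings = []
    for line in filter(None, rows_text.splitlines()):
        user, host = line.split("\t", 1)
        label = classify_host(host, server_names)
        if label != "local":
            findings.append((user, host, label))
    return sorted(findings)

def review_statements(findings):
    """Statements to inspect each flagged grant before deciding whether to revoke it."""
    return [f"SHOW GRANTS FOR '{u}'@'{h}';" for u, h, _ in findings]
```

A hostname in the Host column only means that a grant exists for clients whose address reverse-resolves to that name; the SHOW GRANTS output tells you what that grant can actually reach.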
Backup Configuration > Back up System Files
Personally, I wouldn't do this (for your reasons) and instead perhaps screenshot the important settings, or otherwise take a note. Also, you may inherit deprecated settings - best to use 'vanilla' settings, then add flavouring. ;)

USER:USER and 0755 on public_html
This is standard fare on my WHM/cPanel setups and indeed on other servers, with different control panels. Refer to mod_suexec, suPHP (preferably PHP-FPM).
I scanned all the servers except the /home path that contained the accounts with clamscan, and the result was as follows. Do you think there is something more suspicious than the others that I need to put under a magnifying glass?

/usr/local/src/maldetect-current.tar.gz: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.6.4/files/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.6.4/files/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.6.4/files/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.6.4/files/sigs/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.6.4/files/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.6.4/files/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/cpanel/3rdparty/share/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/cpanel/3rdparty/share/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/cpanel/3rdparty/share/clamav/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/cpanel/Whostmgr/Pkgacct/3rdparty/mbx2mbox/mailutil: Unix.Tool.Flood-9941210-0 FOUND
/usr/local/maldetect/clean/gzbase64.inject.unclassed: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/share/cagefs-skeleton/usr/local/cpanel/3rdparty/share/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/share/cagefs-skeleton/usr/local/cpanel/3rdparty/share/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/share/cagefs-skeleton/usr/local/cpanel/3rdparty/share/clamav/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/share/cagefs-skeleton/usr/local/cpanel/Whostmgr/Pkgacct/3rdparty/mbx2mbox/mailutil: Unix.Tool.Flood-9941210-0 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8635509
Engine version: 0.104.3
Scanned directories: 96587
Scanned files: 488074
Infected files: 102
Total errors: 16157
Data scanned: 25927.35 MB
Data read: 80705.52 MB (ratio 0.32:1)
Time: 34490.078 sec (574 m 50 s)
Start Date: 2022:06:24 22:27:27
End Date: 2022:06:25 08:02:17
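A way to triage output like this, added as an example and not part of the thread: it parses the `path: signature FOUND` records and separates hits that land inside the scanners' own signature stores from hits that deserve a closer look. SIGNATURE_STORES is an assumption about where maldetect and ClamAV keep their signature files on this host; the sample is a subset of the lines posted above.

```python
import re

# Added example, not code from the thread. Signature databases contain the very
# patterns a scanner looks for, so a hit on one of these paths is normally the
# scanner matching another scanner's rule text, not malware.
SIGNATURE_STORES = (    # assumed layout of maldetect/ClamAV on this cPanel host
    "/usr/local/maldetect/sigs/",
    "/usr/local/maldetect/sigs.old/",
    "/usr/local/maldetect/clean/",
    "/usr/local/src/maldetect-",
    "/usr/local/cpanel/3rdparty/share/clamav/",
    "/usr/share/cagefs-skeleton/usr/local/cpanel/3rdparty/share/clamav/",
)
HIT_RE = re.compile(r"^(?P<path>/\S+): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+)$")

# Subset of the clamscan output posted above, one record per line.
SAMPLE_OUTPUT = """\
/usr/local/src/maldetect-current.tar.gz: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/cpanel/3rdparty/share/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/cpanel/Whostmgr/Pkgacct/3rdparty/mbx2mbox/mailutil: Unix.Tool.Flood-9941210-0 FOUND
----------- SCAN SUMMARY -----------
Infected files: 102
Total errors: 16157
"""

def triage(output):
    """Return (hits, summary). hits: (path, signature, class) with class
    'signature-store' or 'review'; summary: the SCAN SUMMARY as a dict."""
    hits, summary, in_summary = [], {}, False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_summary = True
            continue
        hit = HIT_RE.match(line)
        if hit and not in_summary:
            cls = "signature-store" if hit["path"].startswith(SIGNATURE_STORES) else "review"
            hits.append((hit["path"], hit["sig"], cls))
            continue
        field = SUMMARY_RE.match(line)
        if field and in_summary:
            summary[field["key"]] = field["val"]
    return hits, summary

def needs_review(hits):
    """Hits outside every signature store: the ones worth inspecting by hand."""
    return [(p, s) for p, s, c in hits if c == "review"]
```

"Total errors" counts files clamscan could not open or read, so a clean verdict says nothing about those 16157 files; that number matters as much as the hit list when judging a scan.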
^ A quick glance and they look like false positives. Good on you for using maldetect though. Personally, I wouldn't "risk it for a biscuit" and wouldn't waste time: go straight for a freshly installed server, prepared as mentioned, then restore user accounts. You could've had it completed by now! :-p
Do you think there is something more suspicious than the others that I need to put under a magnifying glass?
NabiKAZ, since we had similar issues, I'm guessing you installed a "shared cPanel" license. The website I purchased one from implied they were a cPanel partner and authorized to sell 'legal' shared licenses. After this thread I did some digging and found out that that is most likely not the case and "shared cPanel" licenses are a hack and apparently just stealing from cPanel through some proxy mechanism. They also are supposed to give complete root access to your box to the shared license seller. (Which would make sense, as you run an install script from them as root to set up the proxy 'stuff.') As I had no client data on the box (testing server), my method was to re-install from scratch and manually re-create the account(s). If there had been client data, I would have backed up just the client data offsite, rebuilt the server, manually re-created the accounts/domains, and then moved the client data back to where it should be. HTH, Michaeltag
@cPRex, PM me if you want the website I purchased from.
I came across another security point. I installed only nginx on another clean CentOS 7 server (without CloudLinux) with cPanel: Home / Software / NGINX Manager / Install NginX. I noticed that the permissions of all accounts changed to USER:USER 0755, and each account had access to the other accounts. If you uninstall nginx and click install again, the same thing happens again. It does not seem normal to make such unsafe and dangerous settings by default, and it could be a dangerous bug. Maybe I got hit from here!
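A check for the condition described in this post, added as an example that is not from the thread: it lists home directories whose mode grants read or write to 'other', which is what lets one account browse another's files. `demo()` builds a throwaway tree with constructed modes so the check runs offline; on a server you would call `world_readable_homes("/home")` and review the suggested chmod lines before running them.

```python
import os
import shutil
import stat
import tempfile

# Added example, not code from the thread. It looks at the 'other' permission
# bits on account home directories, which is what a USER:USER 0755 home exposes.

def exposed_to_others(mode):
    """True when 'other' may read or write. Execute-only for other (e.g. 0711)
    is not flagged: it lets the web server traverse into public_html but does
    not let another account list the directory's contents."""
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))

def world_readable_homes(home_root):
    """Sorted (name, octal_mode) for direct subdirectories of home_root that
    other local users can read or write. Symlinks are not followed."""
    findings = []
    with os.scandir(home_root) as entries:
        for entry in entries:
            if not entry.is_dir(follow_symlinks=False):
                continue
            mode = entry.stat(follow_symlinks=False).st_mode
            if exposed_to_others(mode):
                findings.append((entry.name, oct(stat.S_IMODE(mode))))
    return sorted(findings)

def remediation(findings, home_root="/home"):
    """chmod commands to review: drop other-read/write, keep the execute bit."""
    return [f"chmod o-rw {os.path.join(home_root, name)}" for name, _ in findings]

def demo():
    """Constructed sample: three account homes with different modes in a
    throwaway directory, so the check can be exercised without touching /home."""
    root = tempfile.mkdtemp()
    try:
        for name, mode in (("alice", 0o755), ("bob", 0o711), ("carol", 0o750)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)    # set explicitly so the umask does not matter
        return world_readable_homes(root)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    found = demo()              # [('alice', '0o755')]
    print("\n".join(remediation(found)))
```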