Multiple Messages with "kthread" Errors & Multiple "Port Hits"
2 issues:
I have been getting the following messages from my server almost every 60 seconds or so and have no idea what to do???
-------------------------
Time: Sun Nov 2 22:38:44 2014 -0600
PID: 5067 (Parent PID:5067)
Account: {EDIT}
Uptime: 41214 seconds
Executable:
/home/{EDIT}/.lesshts/kthread
Command Line (often faked in exploits):
kthread
-------------------------
I am also getting messages like these every minute with the subject line "lfd on master.domain.com: UID 588 ({EDIT USERNAME}) Tracking Hit"
Time: Sun Nov 2 22:44:37 2014 -0600
UID: 588 ({EDIT USERNAME})
Hits: 11
Sample of port hits:
Nov 2 22:43:42 master kernel: [41682.676474] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16258 DF PROTO=TCP SPT=46544 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:43:48 master kernel: [41688.680950] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=171 DF PROTO=TCP SPT=46551 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:43:52 master kernel: [41692.680454] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=172 DF PROTO=TCP SPT=46551 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:43:58 master kernel: [41698.683236] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=89.248.168.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30636 DF PROTO=TCP SPT=52120 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:44:02 master kernel: [41702.683232] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=89.248.168.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30637 DF PROTO=TCP SPT=52120 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:44:08 master kernel: [41708.687478] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9411 DF PROTO=TCP SPT=46568 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:44:12 master kernel: [41712.687470] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9412 DF PROTO=TCP SPT=46568 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:44:18 master kernel: [41718.690467] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56070 DF PROTO=TCP SPT=46575 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:44:22 master kernel: [41722.690475] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56071 DF PROTO=TCP SPT=46575 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:44:28 master kernel: [41728.710515] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60572 DF PROTO=TCP SPT=46583 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:44:32 master kernel: [41732.710480] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60573 DF PROTO=TCP SPT=46583 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
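To see what lfd's "Tracking Hit" alert is actually counting, here is an added example (not from the thread or from CSF) that parses kernel firewall lines in the format quoted above and aggregates blocked outbound connections per UID and destination. The sample log is constructed; 192.0.2.10 stands in for the server's own address, and the limit is a parameter rather than lfd's real configuration value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the alert above: four outbound hits for
# UID 588 (the two destinations quoted in the post), one for another UID,
# one inbound block and one unrelated syslog line.
SAMPLE_LOG = """\
Nov 2 22:43:42 master kernel: [41682.676474] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16258 DF PROTO=TCP SPT=46544 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:43:48 master kernel: [41688.680950] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=171 DF PROTO=TCP SPT=46551 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:43:58 master kernel: [41698.683236] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=89.248.168.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30636 DF PROTO=TCP SPT=52120 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:44:08 master kernel: [41708.687478] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9411 DF PROTO=TCP SPT=46568 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov 2 22:44:10 master kernel: [41710.100000] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Nov 2 22:44:11 master kernel: [41711.200000] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4242 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 2 22:44:12 master sshd[2001]: Connection closed by 198.51.100.7
"""

# Fields appear in this order on every TCP_OUT line: DST ... PROTO ... DPT ... UID.
LINE_RE = re.compile(
    r"Firewall: \*(?P<rule>[A-Z_]+) Blocked\* .*?DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+) .*?UID=(?P<uid>\d+)"
)

def parse_blocked_out(lines):
    """Yield (uid, dst, dport) for each blocked *outbound* line.
    Inbound and non-firewall lines carry no UID= field and are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("rule") == "TCP_OUT":
            yield int(m.group("uid")), m.group("dst"), int(m.group("dpt"))

def port_hit_report(lines, limit=10):
    """Count blocked outbound hits per UID (the idea behind lfd's UID tracking)
    and return {uid: {"hits": n, "targets": {(dst, dport): n}}} for every
    UID whose count reaches `limit`. `limit` is our parameter, not lfd's."""
    hits = Counter()
    targets = defaultdict(Counter)
    for uid, dst, dport in parse_blocked_out(lines):
        hits[uid] += 1
        targets[uid][(dst, dport)] += 1
    return {uid: {"hits": n, "targets": dict(targets[uid])}
            for uid, n in hits.items() if n >= limit}

if __name__ == "__main__":
    for uid, info in port_hit_report(SAMPLE_LOG.splitlines(), limit=3).items():
        print(f"UID {uid}: {info['hits']} blocked outbound hits -> {info['targets']}")
```

The per-destination breakdown is what distinguishes a single process repeatedly retrying one remote host (as in the alert above) from a user's legitimate but blocked traffic.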
Hello, I can see your user file /home/USER/.lesshts/kthread is taking a long time to execute, and that is the reason you are getting these mail alerts from LFD. I would suggest scanning your account through LMD and deleting the infected files. Also check your kthread file.
Hello :) I have moved this thread to our "Security" forum for further discussion. Note that you may also want to post your question to the CSF support forums, as sometimes you will receive more user feedback for their software at their forums. Thank you.
Hello All, Do you have an update on this? I am getting the same problem with more than 20 servers; it seems that all of them are compromised. The top five processes are showing kthread as follows:

10566 user 25 0 172 100 0 R 29.0 0.0 135:44.61 kthread
10514 user 25 0 2268 2196 0 R 26.1 0.1 249:36.44 kthread
10575 user 25 0 2268 2196 0 R 25.4 0.1 269:34.81 kthread
10564 user 25 0 2268 2200 0 R 19.9 0.1 255:25.32 kthread
10530 user 25 0 172 100 0 R 17.9 0.0 141:48.42 kthread

I dug a little bit with lsof and found this, for example:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
kthread 10566 user cwd DIR 0,22 4096 12173448 /home/user
kthread 10566 user rtd DIR 8,1 4096 2 /
kthread 10566 user txt REG 0,22 35636 36389745 /home/user/.lesshts/kthread
kthread 10566 user 0r FIFO 0,6 0t0 18194 pipe

Do you have an idea what the problem could be? I am suspending those 5 users as a temporary remediation.
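The lsof output in the post above already contains the tell: a genuine kernel thread has no executable file, so lsof shows no "txt" row for it, whereas this "kthread" maps a binary from a hidden directory under /home. The following added example (not from the thread) applies those two checks to lsof output; the sample rows are the ones quoted above plus a constructed benign php process for contrast, and the kernel-thread name list is an assumption of the example.

```python
import re

# Rows copied from the post, plus one constructed benign process (php).
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
kthread 10566 user cwd DIR 0,22 4096 12173448 /home/user
kthread 10566 user rtd DIR 8,1 4096 2 /
kthread 10566 user txt REG 0,22 35636 36389745 /home/user/.lesshts/kthread
kthread 10566 user 0r FIFO 0,6 0t0 18194 pipe
php 10800 user cwd DIR 0,22 4096 12173448 /home/user/public_html
php 10800 user txt REG 8,1 4521000 1311 /usr/bin/php
"""

# Names real kernel threads use (assumed list). A real kernel thread never has
# a "txt" (executable) entry in lsof, so a process with one of these names AND
# a txt row is a userland program wearing a kernel-thread name.
KERNEL_THREAD_NAMES = {"kthread", "kthreadd", "kworker", "ksoftirqd", "kswapd"}
HIDDEN_HOME_RE = re.compile(r"^/home/[^/]+/\.[^/]+/")

def executables(lsof_text):
    """Map pid -> (command, user, executable path) from the 'txt' rows."""
    out = {}
    for line in lsof_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 8)                  # NAME may contain spaces
        if len(parts) == 9 and parts[3] == "txt":
            out[int(parts[1])] = (parts[0], parts[2], parts[8])
    return out

def triage(lsof_text):
    """Return {pid: [reasons]} for processes that deserve a closer look."""
    findings = {}
    for pid, (cmd, user, exe) in executables(lsof_text).items():
        reasons = []
        base = cmd.split("/")[0].rstrip("0123456789")  # kworker/0:1 -> kworker
        if base in KERNEL_THREAD_NAMES:
            reasons.append("kernel-thread name but backed by a userland executable")
        if HIDDEN_HOME_RE.match(exe):
            reasons.append("executable lives in a hidden directory under /home")
        if reasons:
            findings[pid] = reasons
    return findings

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_LSOF).items():
        print(pid, "->", "; ".join(reasons))
```

On a live host, `lsof -p <pid>` (or `readlink /proc/<pid>/exe`) supplies the input; the same two checks apply before deciding which accounts to suspend.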
Hey oswgarcia, just out of my curiosity, are your servers patched against the shellshock bug? And also, can you find out if your server IP is making excessive connections to a specific IP's port 443?
Something is most likely compromised, probably user passwords. Most shellshock stuff I've seen dumps into /tmp or /dev/shm, not a user's homedir. Check last (lastlog) or /var/log/secure for any ssh logins to those accounts.
> Hey oswgarcia, just out of my curiosity, are your servers patched against the shellshock bug? And also, can you find out if your server IP is making excessive connections to a specific IP's port 443?

Thanks for your answers. We have discovered that the issue was related to the shellshock bug; we patched our servers when the bug came out, but for some reason some accounts were not updated. We have patched all our servers again and it seems the issue is now resolved. I have not seen more kernel threads running in home user directories. Thanks,
russelld, do you have any update on this? Can you please let us know if you spotted something?