Skip to main content

Suspicious process running under cpanel user

Comments

10 comments

  • Escobar
    More information on the process httpd.pl
    OKroot@761967 [/]# lsof -p 316195 | grep cwd httpd.pl 316195 indianspice cwd DIR 252,3 4096 674533 / root@761967 [/]# readlink -e /proc/316195/cwd/ /
    0
  • 24x7server
    Hello, Have you scanned your whole account with maldet and clamscan ? Also try to scan your site through
    0
  • Escobar
    Yes, I've performed those scans but nothing on maldet. ClamAV throws false positives. Ran a chkrootkit scan too and all seems fine. I'm not sure where to proceed from here.
    0
  • quizknows
    Either hire a professional to analyse / clean the site, or rebuild it from scratch. Not much else to do unfortunately.
    0
  • Escobar
    I already re-installed the Wordpress installs. I don't see how "rebuilding" a site will clean a server if the server is infected, which is what I am assuming.
    0
  • Escobar
    Found the problem. It looks like one of the websites got hacked and they uploaded a backdoor. It was a cron job that calls a tmp file.
    root@761967 [/]# crontab -u indianspice -l SHELL="/usr/local/cpanel/bin/jailshell" */15 * * * * /var/tmp/ZVuRYtRXB >/dev/null 2>&1
    0
  • Escobar
    Hmm, disregard. I deleted the cronjob but the process still reappears.
    0
  • Escobar
    Actually I was right before, I found the tmp file under the .cagefs directory though.
    0
  • quizknows
    It is often you can find crons left behind even after re-installing a site. I did miss the part of your original post where you stated that you had re-installed. Glad you were able to find the malicious cron; obviously if you did not already, you should change the cPanel password as well.
    0
  • cPanelMichael
    Actually I was right before, I found the tmp file under the .cagefs directory though.

    Hello :) I'm happy to see you were able to determine the source of the issue. Thank you for updating us with the outcome.
    0

Please sign in to leave a comment.