Malicious perl script on account
Hello, Config Server Firewall reported that there is a long-running process under one of the cPanel accounts: pastebin.com/05DVU7A6
So I wanted to ask: how do I discover which script it is that is running?
ps ax|grep cpanelusername
does not return anything.
I cannot find any file with a .pl extension or with the name "proc" inside that cPanel account.
Apache status: also no luck.
When doing ls /tmp /var/tmp|grep cpanelusername, I found that some binary or encoded file was injected into /var/tmp (filename: YoqFyWjYT*)
# crontab -l -u cpanelusername
SHELL="/usr/local/cpanel/bin/jailshell"
*/10 * * * * /var/tmp/YoqFyWjYT >/dev/null 2>&1
It seems like someone has been able to edit the crontab for this user, while this user's password was an unbreakable random one (13 characters, mixed, incl. symbols). How is that possible?
I found a running process with the name "proc" with pid 11130, so I did:
# lsof -p 11130
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd.pl 11130 cpanelusername cwd DIR 0,164 4096 40372564 /
httpd.pl 11130 cpanelusername rtd DIR 0,164 4096 40372564 /
httpd.pl 11130 cpanelusername txt REG 0,164 7184 40379766 /usr/bin/perl
httpd.pl 11130 cpanelusername mem REG 253,0 40379766 /usr/bin/perl (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 4326574 /usr/lib64/perl5/auto/File/Glob/Glob.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 4326602 /usr/lib64/perl5/auto/POSIX/POSIX.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 4326573 /usr/lib64/perl5/auto/Fcntl/Fcntl.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 4326837 /usr/lib64/perl5/auto/Socket/Socket.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 4326587 /usr/lib64/perl5/auto/IO/IO.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 40379714 /lib64/libfreebl3.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 40371002 /lib64/libc-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 40371541 /lib64/libpthread-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 40371683 /lib64/libutil-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 40371103 /lib64/libcrypt-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 40381006 /lib64/libm-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 40379827 /lib64/libdl-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 40381712 /lib64/libnsl-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 40383282 /lib64/libresolv-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 57282593 /usr/lib64/perl5/CORE/libperl.so (path dev=0,164)
httpd.pl 11130 cpanelusername mem REG 253,0 40370939 /lib64/ld-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername 0r CHR 1,3 0t0 1824410485 /dev/null
httpd.pl 11130 cpanelusername 1w CHR 1,3 0t0 1824410485 /dev/null
httpd.pl 11130 cpanelusername 2w CHR 1,3 0t0 1824410485 /dev/null
httpd.pl 11130 cpanelusername 3u IPv4 2434759493 0t0 TCP *:27450 (LISTEN)
username@srvname [/home/cpanelusername/www/domain.tld]# find ../ -name httpd.pl
username@srvname [/home/cpanelusername/www/domain.tld]# netstat -tlnp|grep 27
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 14667/perl
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 7300/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 7300/named
tcp 0 0 0.0.0.0:27450 0.0.0.0:* LISTEN 15519/proc
That process gets killed by the firewall, but a new process always appears:
# ps auxf|grep proc
root 1890 0.0 0.0 45728 9424 ? S Nov17 0:38 queueprocd - wait to process a task
root 1997 0.0 0.0 79640 18452 ? S Nov17 1:00 cPhulkd - processor
root 12013 0.0 0.0 6444 696 pts/0 S+ 20:38 0:00 \_ grep proc
cpanelusername 11141 0.2 0.0 40540 6180 ? Ss 20:37 0:00 proc
What are your ideas, what would you do to stop that and prevent it? WHM latest, EA3, SuPHP. Thank you. I assume this would not happen if something like this were in effect.
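As an added example (not code from the thread), a few shell helpers for the triage steps above: flagging crontab entries that launch anything from /var/tmp, and showing what a process that calls itself "proc" or "httpd.pl" actually executes by reading /proc rather than trusting the name ps and lsof print. It assumes a Linux host with /proc and GNU grep/coreutils; the interpreter list in is_masquerading is my own choice.

```shell
#!/bin/bash
# Added triage helpers (example code, not from the thread). Assumes a Linux host
# with /proc and GNU grep/coreutils; the interpreter list below is my own choice.
TMPDIRS='(/tmp|/var/tmp|/dev/shm)/'

# Print crontab lines (stdin) that execute anything from a world-writable temp
# dir, e.g. crontab -l -u USER | flag_tmp_cron_lines. Always exits 0 (set -e safe).
flag_tmp_cron_lines() {
  grep -E "(^|[[:space:]=])$TMPDIRS" || true
}

# The name ps/lsof print (comm, argv[0]) is attacker-controlled: a perl script
# can call itself "proc" or "httpd.pl". /proc/PID/exe is the real binary, so an
# interpreter running under a non-interpreter name deserves a closer look.
is_masquerading() {
  local comm=$1 exe=$2
  case "${exe##*/}" in
    perl*|python*|php*|bash|sh|dash)
      case "$comm" in
        perl*|python*|php*|bash|sh|dash) return 1 ;;
        *) return 0 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# Show what a PID really runs: binary, cwd, full cmdline (the script path, unless
# rewritten) and any deleted files or sockets it still holds open.
describe_pid() {
  local pid=$1 comm exe cwd
  comm=$(cat "/proc/$pid/comm" 2>/dev/null) || return 1
  exe=$(readlink "/proc/$pid/exe" 2>/dev/null); cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
  printf 'pid=%s comm=%s exe=%s cwd=%s cmdline=' "$pid" "$comm" "$exe" "$cwd"
  tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null; echo
  ls -l "/proc/$pid/fd" 2>/dev/null | grep -E '\(deleted\)|socket:' || true
}

# Walk all PIDs and describe those that masquerade or run out of a temp dir.
scan_processes() {
  local p comm exe
  for p in /proc/[0-9]*; do
    comm=$(cat "$p/comm" 2>/dev/null) || continue
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    if is_masquerading "$comm" "$exe" ||
       tr '\0' ' ' < "$p/cmdline" | grep -qE "$TMPDIRS"; then
      describe_pid "${p#/proc/}"
    fi
  done
}
```

Run scan_processes as root so /proc/PID/exe of other users' processes is readable; the cron entry the firewall report points at would be caught by flag_tmp_cron_lines on each user's crontab.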
I can see you have root access to your server, so I suggest you scan your account with the maldet and ClamAV scanners. For maldet: maldet -a /home/cPUSER/public_html/
And for ClamAV: clamscan -ir /home/cPUSER/public_html/ -v
That did not help to prevent that process from repeatedly launching. :( But it helped to find around 17 malicious PHP files, mainly in the SimpleMachinesForum /cache/ folder.
Hello, it's difficult to determine what's happening without access to the affected system to take a closer look. Feel free to open a support ticket using the link in my signature so we can take a closer look and determine if there are any obvious issues. More in-depth security scanning would require the assistance of a qualified system administrator: System Administration Services | cPanel Forums. Thank you.