suspect root process running
Hello,
Yesterday morning I could see a suspect process running on my server. Here is the process:
root 31276 0.0 0.0 124396 2496 ? SN 06:33 0:00 /usr/local/cpanel/3rdparty/perl/522/bin/perl -C0 -e use Fcntl;?$SIG{HUP}=sub{exit};?if ( my $fn=shift ) {? sysopen(my $fh, qq{$fn}, O_WRONLY|O_CREAT|O_EXCL) or die $!;? print {$fh} $$;? close $fh;?}?my $buf; while (sysread(STDIN, $buf, 2048)) {? syswrite(STDOUT, $buf); syswrite(STDERR, $buf);?}? /tmp/EXdKDCgC_f
Did this process run successfully?
Is there any way to know if my root is compromised?
Thank you for your help!
Joao
Hello,

It looks like you've opened a support ticket for this issue, #8077941. Please update us with the outcome of the ticket once it's closed.

Thank you.
Hello,

Yes, I'll update. I've run chkrootkit and found this:

You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/lldpad)
eth0:cp1: PF_PACKET(/usr/sbin/lldpad)

Is it a problem?

Best regards
Joao
Hello,

This morning I received this update. The case is closed.

"Hello,

This appears to be part of the functionality of cPanel's Legacy Backups process. I found the following in a system trace of /scripts/cpbackup:

--
#--------------------------------------------------------------------------#
# constants and fixtures
#--------------------------------------------------------------------------#

my $IS_WIN32 = $^O eq 'MSWin32';

##our $DEBUG = $ENV{PERL_CAPTURE_TINY_DEBUG};
##
##my $DEBUGFH;
##open $DEBUGFH, "> DEBUG" if $DEBUG;
##
##*_debug = $DEBUG ? sub(@) { print {$DEBUGFH} @_ } : sub(){0};

our $TIMEOUT = 30;

#--------------------------------------------------------------------------#
# command to tee output -- the argument is a filename that must
# be opened to signal that the process is ready to receive input.
# This is annoying, but seems to be the best that can be done
# as a simple, portable IPC technique
#--------------------------------------------------------------------------#
my @cmd = ($^X, '-C0', '-e', <<'HERE');
use Fcntl;
$SIG{HUP}=sub{exit};
if ( my $fn=shift ) {
 sysopen(my $fh, qq{$fn}, O_WRONLY|O_CREAT|O_EXCL) or die $!;
 print {$fh} $$;
 close $fh;
}
my $buf; while (sysread(STDIN, $buf, 2048)) {
 syswrite(STDOUT, $buf); syswrite(STDERR, $buf);
}
HERE
--

The above snippet of the system trace includes what you saw in the process listing."

Thank you
Joao
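The support reply quoted above identifies the process as the tee helper that Capture::Tiny spawns from /scripts/cpbackup. Before accepting an explanation like that for a root process, two things the ps line alone does not prove are worth checking: that the program after `-e` is byte-for-byte that helper (a look-alike with extra code appended would also show up as `perl -C0 -e ...`, with the same `?` marks where ps hides the newlines), and that the process's parent chain really leads back to /scripts/cpbackup. The Python script below is an added example for this thread, not code from the post or from cPanel. It parses `ps -eo pid,ppid,user,args` output and applies both checks; the embedded listing is constructed, and its pids, the orphaned second tee, the look-alike, and the way cpbackup appears in its parent's command line are assumptions for illustration.

```python
"""Check a `perl -C0 -e ...` process against the Capture::Tiny tee helper.

Added example for this thread (not cPanel's code and not taken from the post).
It parses `ps -eo pid,ppid,user,args` output, confirms the -e program is
byte-for-byte the tee helper quoted from the cpbackup trace, and walks the
parent chain to see whether it leads back to /scripts/cpbackup.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid user args")

# The tee helper, copied from the Capture::Tiny heredoc in the system trace.
TEE_SOURCE = (
    "use Fcntl;\n"
    "$SIG{HUP}=sub{exit};\n"
    "if ( my $fn=shift ) {\n"
    " sysopen(my $fh, qq{$fn}, O_WRONLY|O_CREAT|O_EXCL) or die $!;\n"
    " print {$fh} $$;\n"
    " close $fh;\n"
    "}\n"
    "my $buf; while (sysread(STDIN, $buf, 2048)) {\n"
    " syswrite(STDOUT, $buf); syswrite(STDERR, $buf);\n"
    "}\n"
)
# ps prints each embedded newline as '?', which is why the listing in the post is full of them.
TEE_AS_PS_SHOWS_IT = TEE_SOURCE.replace("\n", "?")

# Constructed listing (assumed pids and paths, not the poster's server): one tee under
# /scripts/cpbackup, one orphaned copy of the same tee, and a look-alike with other code.
SAMPLE_PS = f"""\
PID PPID USER ARGS
1 0 root /usr/lib/systemd/systemd
31200 1 root /usr/local/cpanel/3rdparty/perl/522/bin/perl /scripts/cpbackup
31276 31200 root /usr/local/cpanel/3rdparty/perl/522/bin/perl -C0 -e {TEE_AS_PS_SHOWS_IT} /tmp/EXdKDCgC_f
4242 1 root /usr/bin/perl -C0 -e {TEE_AS_PS_SHOWS_IT} /tmp/tee_ready
5151 1 root /usr/bin/perl -C0 -e use Fcntl;?$SIG{{HUP}}=sub{{exit}};?while(1){{sleep 1}}? /tmp/ready
"""


def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,args` output into {pid: Proc}; the header is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        if line.strip():
            pid, ppid, user, args = line.split(None, 3)
            procs[int(pid)] = Proc(int(pid), int(ppid), user, args)
    return procs


def tee_match(args):
    """Return (is_tee, readiness_file) for `<perl> -C0 -e <program> [file]`.

    The program must equal the helper exactly; a helper with anything appended
    (or with extra arguments it never takes) is rejected.
    """
    _, sep, program = args.partition(" -C0 -e ")
    if not sep or not program.startswith(TEE_AS_PS_SHOWS_IT):
        return False, None
    rest = program[len(TEE_AS_PS_SHOWS_IT):]
    if rest == "":
        return True, None
    if rest.startswith(" ") and len(rest.split()) == 1:
        return True, rest.strip()
    return False, None


def ancestry(procs, pid):
    """Follow ppid links from pid upward until the parent is unknown (or loops)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def triage(ps_text):
    """Return {pid: verdict} for every `perl -C0 -e` process in the listing."""
    verdicts = {}
    procs = parse_ps(ps_text)
    for p in procs.values():
        if " -C0 -e " not in p.args:
            continue
        is_tee, ready_file = tee_match(p.args)
        parents = [a.args for a in ancestry(procs, p.pid)[1:]]
        if not is_tee:
            verdicts[p.pid] = "different -e program: not the Capture::Tiny tee, inspect it"
        elif any("/scripts/cpbackup" in a for a in parents):
            verdicts[p.pid] = "Capture::Tiny tee under /scripts/cpbackup, readiness file %s" % ready_file
        else:
            verdicts[p.pid] = "Capture::Tiny tee with no cpbackup ancestor: check its parent and start time"
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(triage(SAMPLE_PS).items()):
        print(pid, verdict)
```

On a live system, feed `triage()` the real output of `ps -eo pid,ppid,user,args`. Per the quoted helper source, the last argument is a readiness file the helper creates with O_EXCL and writes its own pid into, so while the process is alive that file should exist and contain nothing but the tee's pid; a `-C0 -e` process whose parent chain does not reach the backup script, or whose program text differs from the helper even by a suffix, is the case that still needs a look.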
Thanks for updating the thread with the outcome.