Processes show random commands by root
This is a fresh cPanel installation, which is about 4 days old.
Data has been migrated over from an old cpanel server using the Transfer Tool.
I am now randomly seeing various processes, which make it look as if root is running a command.
E.g.:
uptime
grep "A"
ifconfig
echo "find"
su
sleep 1
route -n
netstat -an
cat resolv.conf
ls -la
ifconfig eth0
top
who
w
Each process comes up one by one.
When I kill the command, another of those commands comes up.
These commands claim to be using up to 40% of CPU on average.
strace doesn't show me anything I can understand. The paths shown in strace are non-existent.
Example of strace output:
Process 825169 attached
[ Process PID=825169 runs in 32 bit mode. ]
restart_syscall(<... resuming interrupted call ...>) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
stat64("/usr", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat64("/usr/bin", {st_mode=S_IFDIR|0555, st_size=36864, ...}) = 0
stat64("/bin", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
stat64("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
gettimeofday({1493715986, 897656}, NULL) = 0
open("/lib/libudev.so", O_RDONLY) = 6
lseek(6, 0, SEEK_SET) = 0
open("/usr/bin/vltwnkqzjp", O_WRONLY|O_CREAT, 0777) = 7
lseek(7, 0, SEEK_SET) = 0
read(6, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\20\201\4\0104\0\0\0"..., 4096) = 4096
write(7, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\20\201\4\0104\0\0\0"..., 4096) = 4096
read(6, "\0\0\307E\350\0\0\0\0\307E\354\0\0\0\0\307E\360\0\0\0\0\307E\364\0\0\0\0\350="..., 4096) = 4096
write(7, "\0\0\307E\350\0\0\0\0\307E\354\0\0\0\0\307E\360\0\0\0\0\307E\364\0\0\0\0\350="..., 4096) = 4096
read(6, "\365\371\377\377\213E\10\311\303U\211\345W\201\3544\1\0\0\215\225\364\376\377\377\270\0\1\0\0\211D"..., 4096) = 4096
write(7, "\365\371\377\377\213E\10\311\303U\211\345W\201\3544\1\0\0\215\225\364\376\377\377\270\0\1\0\0\211D"..., 4096) = 4096
read(6, "\4\211\f$\350\367\270\1\0\213E\360\1E\364\353\213\213U\364\213E\f\211\20\213E\354\211\4$\350"..., 4096) = 4096
write(7, "\4\211\f$\350\367\270\1\0\213E\360\1E\364\353\213\213U\364\213E\f\211\20\213E\354\211\4$\350"..., 4096) = 4096
read(6, ">\364\203\303\20\213E\364\213p\f\213\205\340\357\377\377\211\4$\350W\373\1\0\211\302\213E\364\213@"..., 4096) = 4096
write(7, ">\364\203\303\20\213E\364\213p\f\213\205\340\357\377\377\211\4$\350W\373\1\0\211\302\213E\364\213@"..., 4096) = 4096
read(6, "\0\215\205\310\367\377\377\211\4$\350\325\262\377\377\307D$\10\v\0\0\0\307D$\4Q0\v\10\215"..., 4096) = 4096
write(7, "\0\215\205\310\367\377\377\211\4$\350\325\262\377\377\307D$\10\v\0\0\0\307D$\4Q0\v\10\215"..., 4096) = 4096
read(6, "\276\353\377\377\211D$\4\215\205\263\345\377\377\211\4$\350\7\261\377\377\205\300\17\204\326\0\0\0\203}"..., 4096) = 4096
write(7, "\276\353\377\377\211D$\4\215\205\263\345\377\377\211\4$\350\7\261\377\377\205\300\17\204\326\0\0\0\203}"..., 4096) = 4096
read(6, "\205\330\375\377\377\301\350\5\211E\344\307E\364\0\0\0\0\307E\350\0\0\0\0\351\221\0\0\0\213E"..., 4096) = 4096
write(7, "\205\330\375\377\377\301\350\5\211E\344\307E\364\0\0\0\0\307E\350\0\0\0\0\351\221\0\0\0\213E"..., 4096) = 4096
read(6, "c\0\0\350\230b\0\0\211\301\17\267U\344\17\267E\350\211\323)\303\211\330\211\312\211\303\211\320\301\372"..., 4096) = 4096
write(7, "c\0\0\350\230b\0\0\211\301\17\267U\344\17\267E\350\211\323)\303\211\330\211\312\211\303\211\320\301\372"..., 4096) = 4096
read(6, "\20\270\1\0\0\0\1E\354\213?\201\377\254 \r\10t\22\215G\3009E\360t\356\366@d@u"..., 4096) = 4096
write(7, "\20\270\1\0\0\0\1E\354\213?\201\377\254 \r\10t\22\215G\3009E\360t\356\366@d@u"..., 4096) = 4096
read(6, "\371\377\377\351z\373\377\377\360\377\r\360\364\f\0101\300\207\206\364\1\0\0\203\370\376\17\204d\2\0\0"..., 4096) = 4096
write(7, "\371\377\377\351z\373\377\377\360\377\r\360\364\f\0101\300\207\206\364\1\0\0\203\370\376\17\204d\2\0\0"..., 4096) = 4096
read(6, "[]\303\220\220\220\220\220\220\220\220\220\220\220\220\220U\211\345S\213]\10\203\373\37w!e\241\10\0"..., 4096) = 4096
write(7, "[]\303\220\220\220\220\220\220\220\220\220\220\220\220\220U\211\345S\213]\10\203\373\37w!e\241\10\0"..., 4096) = 4096
read(6, "\205\300\17\204\303\0\0\0\211\303\241\4\365\f\10\203\350\1\211\3e\211\35`\2\0\0\213\3\203}\f"..., 4096) = 4096
write(7, "\205\300\17\204\303\0\0\0\211\303\241\4\365\f\10\203\350\1\211\3e\211\35`\2\0\0\213\3\203}\f"..., 4096) = 4096
What could be the issue?
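As an added illustration (not part of the question or either reply), the following Python checker scans strace output for the self-copy pattern visible in the trace above: bytes read from an ELF file are written into a newly created, mode 0777 file under a system bin directory with a random-looking name. The regexes, the directory list and the random-name heuristic are my own assumptions; the sample input is a subset of the strace lines from the question, embedded unchanged.

```python
import os
import re

# Directories the trace probes with stat64() before dropping a copy; a file newly
# created here by a running process is treated as suspicious (assumed list).
SYSTEM_BIN_DIRS = ("/usr/bin", "/bin", "/usr/sbin", "/sbin", "/usr/local/bin")
ELF_MAGIC = "\\177ELF"                       # strace renders the ELF magic in octal escapes
RANDOM_NAME = re.compile(r"^[a-z]{8,12}$")    # heuristic, e.g. vltwnkqzjp in the trace

# One strace line: optional "[pid N]" prefix, syscall name, argument text, return value.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s*=\s*(-?\d+)")
# open("path", FLAGS[, mode])   (openat's leading AT_FDCWD is stripped before matching)
OPEN_RE = re.compile(r'^"([^"]*)",\s*([A-Z_|]+)(?:,\s*(0[0-7]+))?$')
# read/write(fd, "data"[...], count)
RW_RE = re.compile(r'^(\d+),\s*"((?:[^"\\]|\\.)*)"(?:\.\.\.)?,\s*\d+$')

# Sample input: a subset of the strace lines from the question, unchanged.
SAMPLE_TRACE = r"""
stat64("/usr", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat64("/usr/bin", {st_mode=S_IFDIR|0555, st_size=36864, ...}) = 0
stat64("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
open("/lib/libudev.so", O_RDONLY) = 6
lseek(6, 0, SEEK_SET) = 0
open("/usr/bin/vltwnkqzjp", O_WRONLY|O_CREAT, 0777) = 7
lseek(7, 0, SEEK_SET) = 0
read(6, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\20\201\4\0104\0\0\0"..., 4096) = 4096
write(7, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\20\201\4\0104\0\0\0"..., 4096) = 4096
read(6, "\0\0\307E\350\0\0\0\0\307E\354\0\0\0\0\307E\360\0\0\0\0\307E\364\0\0\0\0\350="..., 4096) = 4096
write(7, "\0\0\307E\350\0\0\0\0\307E\354\0\0\0\0\307E\360\0\0\0\0\307E\364\0\0\0\0\350="..., 4096) = 4096
read(6, "\365\371\377\377\213E\10\311\303U\211\345W\201\3544\1\0\0\215\225\364\376\377\377\270\0\1\0\0\211D"..., 4096) = 4096
write(7, "\365\371\377\377\213E\10\311\303U\211\345W\201\3544\1\0\0\215\225\364\376\377\377\270\0\1\0\0\211D"..., 4096) = 4096
"""


def analyze(trace_text):
    """Return one finding per (source, destination) pair where data read from an
    ELF file was written into a newly created file in a system bin directory."""
    fds = {}          # open fd -> {"path", "flags", "mode", "is_elf"}
    elf_chunks = {}   # data chunk as printed by strace -> path it was read from
    findings = {}
    for line in trace_text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if not m:
            continue
        name, args, ret = m.group(1), m.group(2), int(m.group(3))
        if ret < 0:
            continue                                   # failed call, nothing happened
        if name in ("open", "openat"):
            om = OPEN_RE.match(args.replace("AT_FDCWD, ", "", 1))
            if om:
                fds[ret] = {"path": om.group(1), "flags": om.group(2).split("|"),
                            "mode": om.group(3), "is_elf": False}
        elif name == "close":
            if args.isdigit():
                fds.pop(int(args), None)
        elif name in ("read", "write"):
            rm = RW_RE.match(args)
            info = fds.get(int(rm.group(1))) if rm else None
            if info is None:
                continue
            data = rm.group(2)
            if name == "read":
                if data.startswith(ELF_MAGIC):
                    info["is_elf"] = True              # first chunk carries the ELF header
                if info["is_elf"]:
                    elf_chunks[data] = info["path"]
                continue
            src = elf_chunks.get(data)                 # same bytes seen leaving an ELF file?
            dest = info["path"]
            if src and "O_CREAT" in info["flags"] and os.path.dirname(dest) in SYSTEM_BIN_DIRS:
                f = findings.setdefault((src, dest), {
                    "source": src, "dest": dest, "mode": info["mode"], "chunks": 0,
                    "random_name": bool(RANDOM_NAME.match(os.path.basename(dest)))})
                f["chunks"] += 1
    return list(findings.values())


if __name__ == "__main__":
    import sys
    text = SAMPLE_TRACE if sys.stdin.isatty() else sys.stdin.read()
    for f in analyze(text):
        print(f"{f['source']} -> {f['dest']} (mode {f['mode']}, {f['chunks']} chunks, "
              f"random-looking name: {f['random_name']})")
```

Run with a saved trace on stdin (for example from `strace -f -s 64 -p PID`) or with no input to use the embedded sample. Because strace truncates each printed buffer, two different reads can print the same prefix, so the match is on printed prefixes rather than full file contents; the chunk count is there to show how much of the file was copied, not as proof of identity.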
The server is affected by the XoR.DDoS rootkit. This is a DDoS bot, and you can visit the following for more information:
Linux DDoS Trojan hiding itself with an embedded rootkit
Blaze's Security Blog: Notes on Linux/Xor.DDoS
Format and reinstallation is the only solution.
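Added example, not from the thread: a Python check for the other symptom in the question, processes that appear as uptime, netstat and so on while their executable is something else. It compares what each process shows in argv[0] (falling back to comm) with the target of /proc/<pid>/exe and flags mismatches, unlinked executables, random-looking names in system bin directories, and executables that are shared-object paths. COMMON_TOOLS, RANDOM_NAME, SYSTEM_BIN_DIRS and the sample process list are constructed assumptions, not data from the question.

```python
import os
import re

# Names the question's process list showed; the check only cares whether the
# executable behind such a name is the real tool (assumed list, extend as needed).
COMMON_TOOLS = {"uptime", "grep", "ifconfig", "echo", "su", "sleep", "route",
                "netstat", "cat", "ls", "top", "who", "w"}
RANDOM_NAME = re.compile(r"^[a-z]{8,12}$")   # heuristic, e.g. vltwnkqzjp in the question's trace
SYSTEM_BIN_DIRS = ("/usr/bin", "/bin", "/usr/sbin", "/sbin")


def snapshot_proc():
    """Collect pid, comm, argv[0] and exe target for every process in /proc
    (Linux only; reading other users' exe links needs root)."""
    procs = []
    if not os.path.isdir("/proc"):
        return procs
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"{base}/exe")
        except OSError:
            continue                                  # process exited, or no permission
        procs.append({"pid": int(entry), "comm": comm, "argv0": argv0, "exe": exe})
    return procs


def classify(proc):
    """Return the reasons this process looks like it is masquerading; empty if it looks normal."""
    reasons = []
    shown = os.path.basename(proc["argv0"]) or proc["comm"]
    exe = proc["exe"]
    exe_path = exe.replace(" (deleted)", "")          # kernel appends this once the file is unlinked
    exe_base = os.path.basename(exe_path)
    if exe.endswith(" (deleted)"):
        reasons.append("executable was unlinked after start")
    if shown in COMMON_TOOLS and exe_base != shown:
        reasons.append(f"shows as '{shown}' but runs {exe_path}")
    if os.path.dirname(exe_path) in SYSTEM_BIN_DIRS and RANDOM_NAME.match(exe_base):
        reasons.append(f"executable has a random-looking name: {exe_path}")
    if exe_path.endswith(".so"):
        reasons.append(f"executable is a shared-object path: {exe_path}")
    return reasons


def find_masquerading(procs):
    """Return [(pid, reasons)] for every process with at least one reason."""
    flagged = []
    for p in procs:
        reasons = classify(p)
        if reasons:
            flagged.append((p["pid"], reasons))
    return flagged


# Constructed sample process table (not taken from the question's server).
SAMPLE_PROCS = [
    {"pid": 825169, "comm": "uptime", "argv0": "uptime", "exe": "/usr/bin/vltwnkqzjp"},
    {"pid": 825170, "comm": "netstat", "argv0": "netstat", "exe": "/lib/libudev.so"},
    {"pid": 1200, "comm": "sshd", "argv0": "/usr/sbin/sshd", "exe": "/usr/sbin/sshd"},
    {"pid": 1300, "comm": "cat", "argv0": "cat", "exe": "/usr/bin/cat"},
    {"pid": 1400, "comm": "sleep", "argv0": "sleep", "exe": "/usr/bin/abcdefghij (deleted)"},
]

if __name__ == "__main__":
    live = snapshot_proc()
    for pid, reasons in find_masquerading(live or SAMPLE_PROCS):
        print(pid, "; ".join(reasons))
```

Expect some benign mismatches from distribution packaging (for example `w` backed by `w.procps`, or `sh` backed by `dash`) and review those by hand. Also, since the reply above describes Xor.DDoS as carrying an embedded rootkit, a clean result from a live /proc walk on the affected host is not evidence that the host is clean; the check is for triage, and the reinstall advice stands.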
Hello, thank you for updating this thread with the outcome.