
suspicious process: find history

Comments

7 comments

  • rpvw
    I have no idea if there is any cPanel process that would invoke the find command - let alone look for a .*history string, which presumably will return files like .bash_history. My paranoid half (neither of me admit to schizophrenia) would worry that a process was looking to gather information from the bash (or some other) history, or worse, to delete traces of nefarious shell operations. I would start by looking at the user that was running the command. If you have enabled any sort of shell access for your users, they may just be looking for something they did earlier. If, however, this is invoked by root, I would be a lot more concerned. I would also review whether your PHP has any of the exec functions enabled. They can be used by uploaded scripts (e.g. web shells) to gather data and execute commands. I can only refer you to the following docs: Personally, I would be making every effort to find out what/who is making the calls (it may be something as innocent as a data-centre admin running some checks - but they probably should have informed you first!) and if it looks to be something malicious, take all steps to secure the server - which might be already too late and may necessitate migrating to a new clean server. See
    0
  • 24x7server
    I have many suspicious processes (like 4 or 5 simultaneously) with extreme I/O on my server; they start immediately upon killing. The processes are like these: find // -name .*history ( -links 2 -o -type l )

    Can you give us a screenshot of the process that you are seeing? Are those binaries being created? I am asking this because there may be a possibility of the server being compromised at the core level.
    0
  • cPanelMichael
    Hello @magj, Let us know if the previous posts help. Thank you.
    0
  • magj
    Thank you all, and sorry for my late reply. I cannot completely rule out infection of the server, but I have always treated security issues on this server as strictly as possible. I have CloudLinux. I am suspicious of this process:
    root 158925 158923 0 09:01 ? 00:00:00 /bin/sh /usr/src/chkrootkit-0.49/chkrootkit
    root 158927 158923 0 09:01 ? 00:00:00 /bin/mail -E -s CHROOTKIT Hourly Run
    root 160217 158925 0 09:01 ? 00:00:55 /bin/find // -name .*history -size 0
    root 209811 314097 0 09:22 ? 00:00:53 /bin/find // -name .*history ( -links 2 -o -type l )
    root 209814 622369 0 09:22 ? 00:00:53 /bin/find // -name .*history ( -links 2 -o -type l )
    root 209815 457564 0 09:22 ? 00:00:53 /bin/find // -name .*history ( -links 2 -o -type l )
    So this chkrootkit process may have started these? As requested, you can see some screenshots. Best
    0
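The listing above is a `ps -ef` snapshot, and the useful column for attribution is PPID: the 09:01 `find` (PID 160217) has parent 158925, which is the `/bin/sh .../chkrootkit` process, while the 09:22 `find` processes have parents (314097, 622369, 457564) that do not appear in the listing at all. The following script is an added example, not code from the thread or from chkrootkit: it parses `ps -ef` lines, walks each suspicious process's PPID chain as far as the snapshot allows, and reports where the chain stops. The sample snapshot is the thread's own listing; the `find .*history` pattern and the helper names are the example's own choices.

```python
"""Attribute suspicious processes from a `ps -ef` snapshot by walking PPIDs.

`ps -ef` columns: UID PID PPID C STIME TTY TIME CMD. For every process whose
command matches a pattern, this walks parent PIDs back as far as the snapshot
allows, so a `find // -name .*history` can be tied to whatever spawned it
(here the chkrootkit hourly run) instead of being killed blindly. A parent
that is absent from the snapshot is reported explicitly: that PID is what a
responder should inspect next with `ps -p <pid> -o pid,ppid,user,cmd`.
"""
import re
from dataclasses import dataclass

# The listing posted in the thread, one process per line (page data, not constructed).
SAMPLE_PS = """
root 158925 158923 0 09:01 ? 00:00:00 /bin/sh /usr/src/chkrootkit-0.49/chkrootkit
root 158927 158923 0 09:01 ? 00:00:00 /bin/mail -E -s CHROOTKIT Hourly Run
root 160217 158925 0 09:01 ? 00:00:55 /bin/find // -name .*history -size 0
root 209811 314097 0 09:22 ? 00:00:53 /bin/find // -name .*history ( -links 2 -o -type l )
root 209814 622369 0 09:22 ? 00:00:53 /bin/find // -name .*history ( -links 2 -o -type l )
root 209815 457564 0 09:22 ? 00:00:53 /bin/find // -name .*history ( -links 2 -o -type l )
"""

PS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<cmd>.*)$"
)


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    cmd: str


def parse_ps(text: str) -> dict:
    """Parse `ps -ef` output into {pid: Proc}; skips the header and unparsable lines."""
    procs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("UID"):
            continue
        m = PS_LINE.match(line)
        if m is None:
            continue
        p = Proc(m["user"], int(m["pid"]), int(m["ppid"]), m["cmd"])
        procs[p.pid] = p
    return procs


def ancestry(procs: dict, pid: int):
    """Walk from pid up through PPIDs that exist in the snapshot.

    Returns (chain, missing_parent): chain is the list of Procs from the
    process up to the highest ancestor present; missing_parent is the PPID at
    which the walk stopped because it was not in the snapshot, or None if the
    walk reached PID 0/1 (kernel/init), i.e. the chain is complete.
    """
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        if cur.ppid in (0, 1):
            return chain, None
        if cur.ppid not in procs:
            return chain, cur.ppid
        cur = procs[cur.ppid]
    return chain, None


def attribute(procs: dict, pattern: str) -> dict:
    """For each process whose cmd matches pattern, report its user, ancestor chain and missing parent."""
    report = {}
    for p in procs.values():
        if re.search(pattern, p.cmd):
            chain, missing = ancestry(procs, p.pid)
            report[p.pid] = {
                "user": p.user,
                "chain": [c.cmd for c in chain],
                "missing_parent": missing,
            }
    return report


if __name__ == "__main__":
    for pid, info in attribute(parse_ps(SAMPLE_PS), r"^/bin/find .*history").items():
        print(f"PID {pid} ({info['user']}): " + "  <-  ".join(info["chain"]))
        if info["missing_parent"] is not None:
            print(f"    parent PID {info['missing_parent']} not in snapshot; inspect it directly")
```

Run against the thread's listing, the 09:01 `find` is attributed to the chkrootkit shell script, while each 09:22 `find` stops at a parent PID that is not in the listing; that is the process to look up next rather than a reason to conclude compromise. In practice the snapshot should come from `ps -ef` on the host itself, since a partial listing (as posted) always leaves gaps.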
  • magj
    I have renamed the folder, disabled the hourly cron and killed the process, and it seems those processes are not starting again.
    0
  • rpvw
    That would make sense: "Which commands does chkrootkit use? The following commands are used by the chkrootkit script: awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings, sed, uname."
    See the chkrootkit FAQ for more.
    0
  • magj
    Yes. Thanks anyway, I have disabled it and everything is back to normal after some days. Best
    0
