should be "dhcpd cryptominer" or "dhpcd cryptominer"
Hi everyone, when I ran the tech-CSI script to scan my cPanel server, I found a negative item called "dhcpd cryptominer":
> Found evidence of the dhcpd cryptominer in /bin directory
\_ -rwxr-xr-x 1 root root 6087 Jan 18 18:14 getcontrolpaneluserspackages
When I search Google with the keywords "dhcpd cryptominer", Google finds nothing and returns results for the keywords "dhpcd cryptominer" instead. I am very confused about this name; which one is correct?
By the way, I am sure this file "/bin/getcontrolpaneluserspackages" is normal; it is part of the CloudLinux system's "LVE Manager", as you can find:
# grep getcontrolpaneluserspackages -r /usr/share/l.v.e-manager/
/usr/share/l.v.e-manager/commons/lib/clquota/__init__.py: GETPACKS = '/usr/bin/getcontrolpaneluserspackages'
/usr/share/l.v.e-manager/ispmanager/liblve1.1/addon/lvemanager/system.class.php: passthru ('/usr/bin/getcontrolpaneluserspackages --userid='.$UID);
According to Akamai's report on this piece of malware, you are correct: it should be dhpcd.
As per https://github.com/CpanelInc/tech-CSI "As with any anti-malware scanning system false positives may occur. If anything suspicious is found, it should be investigated by a professional security consultant. There are never any guarantees" - getcontrolpaneluserspackages does appear to be part of CloudLinux and hence this is probably a false positive (the code is only checking for files in */bin/* with names 26+ characters in length).
I've opened a bug report on the GitHub repository for you about this (and proposed a fix for the above), as I see tech-CSI as more of an "unofficial/unsupported" piece of software which just happens to be provided by cPanel Inc - but it isn't part of the cPanel WHM "toolkit".
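The length-only heuristic described in the answer, replayed as an added example (not tech-CSI's or CloudLinux's code), with the grep cross-check the question itself used layered on top so that a name referenced in the installed LVE Manager tree is no longer reported. The fixture directories and the second long file name are constructed for the demo; on a real host the arguments would be /bin and /usr/share/l.v.e-manager.

```shell
# Added example, not tech-CSI's or CloudLinux's code: replays the heuristic the
# answer describes (a file under a bin directory whose name is 26+ characters)
# and applies the cross-check the question used, a grep for the name in the
# installed LVE Manager tree. Directories are parameters so the demo can run on
# a constructed fixture; on a real host they would be /bin and
# /usr/share/l.v.e-manager.

# Heuristic as described: report regular files in $1 with a basename of 26+ chars.
long_name_hits() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ "${#name}" -ge 26 ] && printf '%s\n' "$name"
    done
    return 0
}

# Cross-check: does anything under the vendor tree $2 mention basename $1?
referenced_in() {
    grep -rqF -- "$1" "$2" 2>/dev/null
}

# Hits with no vendor reference are the ones that still need a human look.
unexplained_hits() {
    long_name_hits "$1" | while IFS= read -r name; do
        referenced_in "$name" "$2" || printf '%s\n' "$name"
    done
}

# Constructed fixture standing in for /bin and /usr/share/l.v.e-manager.
demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/lve"
    : > "$d/bin/ls"                                  # short name, never flagged
    : > "$d/bin/getcontrolpaneluserspackages"        # 28 chars, CloudLinux tool
    : > "$d/bin/unreferencedlongnameplaceholder"     # 31 chars, constructed, no reference
    echo "GETPACKS = '/usr/bin/getcontrolpaneluserspackages'" > "$d/lve/__init__.py"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "demo" ]; then
    root=$(demo_fixture)
    echo "raw heuristic hits:";  long_name_hits "$root/bin"
    echo "unexplained hits:";    unexplained_hits "$root/bin" "$root/lve"
    rm -rf "$root"
fi
```

Run with `sh script.sh demo`: the raw heuristic lists both long names, while the cross-checked list keeps only the one with no vendor reference.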
Hi rbairwell, thanks very much for your information.