Script shows attempts, am I safe or am I missing something?
I read the news just 4 hours after it was announced and ran the script: nothing was compromised yet, but suspicious session files were detected.
So I removed every session file, changed the root password (only with access to WHM) and updated cPanel. When the kernel update was released for the other issue I also updated the OS and rebooted.
Yesterday I used the new script and then saw this:
[*] Scanning session files for injection indicators...
[ATTEMPT] Failed exploit attempt (badpass origin, token_denied, no auth markers, anomalous pass= line): /var/cpanel/sessions/raw/:eQk0YI8fcu5nXLSO
[ATTEMPT] Failed exploit attempt (badpass origin, token_denied, no auth markers, anomalous pass= line): /var/cpanel/sessions/raw/:Bdb0nMl4C8um4Up8
[ATTEMPT] Failed exploit attempt (badpass origin, token_denied, no auth markers, anomalous pass= line): /var/cpanel/sessions/raw/:LciXc9g7kaFwgLvy
And several more of these and then this at the end:
=================================================================
SESSION: /var/cpanel/sessions/raw/:eQk0YI8fcu5nXLSO
=================================================================
Findings:
[ATTEMPT ] Failed exploit attempt (badpass origin, token_denied, no auth markers, anomalous pass= line)
Same for the other session files.
Output of script:
CRITICAL findings: 0
WARNING findings: 0
ATTEMPT findings: 38
INFO findings: 0
Total : 38
I removed all session files and then total was 0.
Today I checked again and got the same result: again 38 attempts.
So can I see this as just attempts and nothing to worry about? Or should these attempts also not be possible anymore and am I forgetting something?
-
Hey hey! If you just see "attempt" then you should be good. If you'd like us to confirm things you're always welcome to create a ticket.
-
Hello cPRex.
Thank you for the confirmation, it's indeed just attempts.
I probably can't create a ticket as the license is from the datacenter, not from CP directly. I keep monitoring it but only see attempts and also no root logins or su commands.
-
That's a good sign, then!
-
Yep, thanks!