
Account infected with malware script

Discussion in 'Security' started by sepehrmm, Nov 18, 2017.

  1. sepehrmm (Member; joined Dec 16, 2014; cPanel Access Level: Root Administrator)

    I'm posting this thread for the sake of awareness about the rise of mining malware scripts.

    I own a VPS with WHM installed, serving 50+ accounts. Today I received an email saying a process related to processing statistics and bandwidth data had failed and stalled, and in the email body there was mention of other top CPU-utilizing scripts, which included this suspicious script that is making the server have a 3.8 load on a 4-core VPS (smart enough not to go over 100% :) ):
    /tmp/phpNv0NqF_xvj7psyoaiw7jbi6 -c /tmp/phpNv0NqF.c

    /tmp/phpNv0NqF.c:
    threads = 2
    mine=stratum+tcp://46Q6XfsiKDZfjy3nVfm1XmiLh1JXSYfd9AF5Jg1GFNQNHpH8ivz8b96KUoHxo8uupi8vrcosMHbxABwKxbVzEThhRfNEHFA:x@xmr.crypto-pool.fr:3333/xmr

    The other file is just a binary:
    # file /tmp/phpNv0NqF_xvj7psyoaiw7jbi6
    /tmp/phpNv0NqF_xvj7psyoaiw7jbi6: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.24, stripped

    The interesting part is that the account this binary is running under doesn't have shell access enabled in the first place, so I guess my up-to-date server is vulnerable to a privilege escalation bug.
     
  2. rpvw (Well-Known Member; joined Jul 18, 2013; Location: Spain; cPanel Access Level: Root Administrator)

    Is this running in the /tmp folder under a user ( /home/<username>/tmp or /home/<username>/public_html/../tmp ) or is it in the server root /tmp ?
     
  3. cPanelMichael (Technical Support Community Manager, Staff Member; joined Apr 11, 2011; cPanel Access Level: Root Administrator)

    Hello,

    Regarding PHP sessions in the /tmp directory, note the information in the following post:

    Is the new tmp folder safe?

    Thank you.
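A triage script that ties the three posts together, added here as an example and not code from the thread or from cPanel. It flags files under a /tmp directory that look like the artefacts sepehrmm found (an executable ELF, or a text file carrying a stratum+tcp:// URL and a threads = key), answers rpvw's question by reading each process's /proc/<pid>/exe link and real uid so you can see which /tmp the binary runs from and which account owns it, and checks /proc/mounts for the noexec option on /tmp, which is what cPanel's /scripts/securetmp sets up. The constructed data is modelled on the thread but the pid 4242, uid 1007, the WALLET placeholder, the /usr/tmpDSK device name and the file contents are assumptions, and the "binary" is a bare ELF header stub, not a miner. One caveat when reading the uid result: the shell-access setting on a cPanel account governs SSH logins, not what its PHP processes can execute, so a miner running under a no-shell account points first at that account's web content (review its public_html and cron jobs) rather than at a kernel privilege escalation.

```python
"""Triage helper for a suspected cryptominer in /tmp on a cPanel/WHM host. Added example,
not code from the thread or from cPanel; builds constructed /tmp and /proc trees modelled on
the posted artefacts. On a real host pass "/tmp", "/proc" (as root) and /proc/mounts text."""
import os
import re
import stat
import tempfile
ELF_MAGIC = b"\x7fELF"
MINER_PATTERNS = {  # markers of a miner config like the posted /tmp/phpNv0NqF.c
    "stratum-url": re.compile(rb"stratum\+(?:tcp|ssl)://"),
    "threads-key": re.compile(rb"^\s*threads\s*=", re.MULTILINE),
}

def classify_file(path):
    """Indicator tags for one file: 'elf', 'exec-bit', plus any MINER_PATTERNS that match."""
    try:
        with open(path, "rb") as f:
            head = f.read(65536)
        mode = os.stat(path).st_mode
    except OSError:
        return []
    tags = ["elf"] if head.startswith(ELF_MAGIC) else []
    if tags and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        tags.append("exec-bit")
    return tags + [name for name, pat in MINER_PATTERNS.items() if pat.search(head)]

def scan_tmp(tmp_dir):
    """{path: tags} for every regular file under tmp_dir that has at least one tag."""
    hits = {}
    for root, _dirs, files in os.walk(tmp_dir):
        for name in files:
            path = os.path.join(root, name)
            tags = [] if os.path.islink(path) else classify_file(path)
            if tags:
                hits[path] = tags
    return hits

def processes_running_from(proc_root, dir_prefix):
    """{pid: (uid, exe)} for processes whose executable lives under dir_prefix (which /tmp,
    which account). A self-deleted miner still matches: exe ends in ' (deleted)'."""
    prefix = dir_prefix.rstrip("/") + "/"
    found = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or not running as root
        if not exe.startswith(prefix):
            continue
        uid = None
        try:
            with open(os.path.join(base, "status")) as f:
                uid = int(next(ln for ln in f if ln.startswith("Uid:")).split()[1])
        except (OSError, StopIteration, ValueError):
            pass
        found[int(pid)] = (uid, exe)
    return found

def mount_is_noexec(mounts_text, mountpoint):
    """True/False if mountpoint is its own mount in /proc/mounts text, None if it is not."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return "noexec" in fields[3].split(",")
    return None  # inherits the parent filesystem's exec permission

def build_demo(base):
    """Constructed data: fake /tmp and /proc under base, modelled on the thread."""
    tmp, proc = os.path.join(base, "tmp"), os.path.join(base, "proc")
    os.makedirs(tmp)
    binary = os.path.join(tmp, "phpNv0NqF_xvj7psyoaiw7jbi6")
    with open(binary, "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)  # header stub, not real code
    os.chmod(binary, 0o755)
    with open(os.path.join(tmp, "phpNv0NqF.c"), "w") as f:
        f.write("threads = 2\nmine=stratum+tcp://WALLET:x@xmr.crypto-pool.fr:3333/xmr\n")
    with open(os.path.join(tmp, "sess_0123abcd"), "w") as f:
        f.write("logged_in|b:1;")  # ordinary PHP session file, must not be flagged
    for pid, exe, uid in ((4242, binary, 1007), (1, "/usr/lib/systemd/systemd", 0)):
        d = os.path.join(proc, str(pid))  # pid 4242 and uid 1007 are hypothetical
        os.makedirs(d)
        os.symlink(exe, os.path.join(d, "exe"))  # a dangling target is fine for readlink
        with open(os.path.join(d, "status"), "w") as f:
            f.write("Name:\tx\nUid:\t%d\t%d\t%d\t%d\n" % ((uid,) * 4))
    return tmp, proc

def run_demo():
    """Run the three checks over the constructed data and return their results."""
    tmp, proc = build_demo(tempfile.mkdtemp(prefix="miner-triage-"))
    plain = "/dev/vda1 / ext4 rw,relatime 0 0\n"  # /tmp on the root fs (assumed layout)
    secured = plain + "/usr/tmpDSK /tmp ext3 rw,nosuid,noexec,relatime 0 0\n"
    return {"hits": scan_tmp(tmp), "procs": processes_running_from(proc, tmp),
            "tmp_noexec_plain": mount_is_noexec(plain, "/tmp"),
            "tmp_noexec_secured": mount_is_noexec(secured, "/tmp")}
```

run_demo() drives the constructed case and returns the three results. On a live host call scan_tmp("/tmp"), processes_running_from("/proc", "/tmp") as root (an unprivileged user cannot readlink other users' exe links) and mount_is_noexec(open("/proc/mounts").read(), "/tmp"). A noexec /tmp stops a dropped binary from being executed directly but not a script fed to an interpreter that lives elsewhere, so it narrows the problem rather than closing it.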
     