
The Community Forums

Account infected with malware script

Discussion in 'Security' started by sepehrmm, Nov 18, 2017.

  1. sepehrmm

    sepehrmm Member

    Joined:
    Dec 16, 2014
    cPanel Access Level:
    Root Administrator
    I'm posting this thread for the sake of awareness about the rise of mining malware scripts.

    I own a VPS with WHM installed serving 50+ accounts. Today I received an email saying a process related to processing statistics and bandwidth data had failed and stalled, and in the email body there was mention of the other top CPU-utilizing scripts, which included this suspicious script that is making the server have a 3.8 load on a 4-core VPS (smart enough not to go over 100% :) ):
    /tmp/phpNv0NqF_xvj7psyoaiw7jbi6 -c /tmp/phpNv0NqF.c

    /tmp/phpNv0NqF.c:
    threads = 2
    mine=stratum+tcp://46Q6XfsiKDZfjy3nVfm1XmiLh1JXSYfd9AF5Jg1GFNQNHpH8ivz8b96KUoHxo8uupi8vrcosMHbxABwKxbVzEThhRfNEHFA:x@xmr.crypto-pool.fr:3333/xmr

    the other file is just a binary:
    # file /tmp/phpNv0NqF_xvj7psyoaiw7jbi6
    /tmp/phpNv0NqF_xvj7psyoaiw7jbi6: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.24, stripped

    The interesting part is that the account which this binary is running under doesn't have shell access enabled in the first place, so I guess my up-to-date server is vulnerable to a privilege escalation bug.
     
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Is this running in the /tmp folder under a user ( /home/<username>/tmp or /home/<username>/public_html/../tmp ) or is it in the server root /tmp ?
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello,

    Regarding PHP sessions in the /tmp directory, note the information in the following post:

    Is the new tmp folder safe?

    Thank you.
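The three posts above together describe what a defender would want to check on a server like this: an executable dropped into a temp directory (the original post), which /tmp it actually lives in (rpvw's question), and whether that temp directory is mounted in a way that should have blocked execution (the /tmp safety post cPanelMichael links to). The script below is an added example written for this thread, not code from any of the posters or from cPanel. It identifies ELF files by their magic bytes rather than by name or mode bits, flags sidecar files containing a stratum pool URL (the `mine=stratum+tcp://...` line quoted above), flags processes whose executable lives under a temp directory, and reports temp mount points that lack `noexec`. The sample files, the `ps`-style process list, the mount table and the wallet placeholder are all constructed for the demo; `/var/tmp` and `/dev/shm` are included as temp directories on the assumption that a miner could be dropped there as easily as in `/tmp`.

```python
"""Hunt for the pattern reported in the thread: a stripped static ELF in /tmp
plus a sidecar config pointing at a mining pool. Added example, not thread code."""
import os
import re
import tempfile
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
# Pool URL schemes used by miner configs; "stratum+tcp://" is the one quoted in the thread.
POOL_URL_RE = re.compile(r"\bstratum\+(?:tcp|ssl|tls)://\S+", re.IGNORECASE)
TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # assumption: world-writable temp locations to watch


@dataclass
class Finding:
    kind: str     # elf_in_tmp | pool_config | proc_from_tmp
    path: str
    detail: str


def is_elf(path):
    """True if the file starts with the ELF magic, regardless of its name or mode bits."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_dir(directory):
    """Flag ELF binaries and miner-style configs lying in a temp directory."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        if is_elf(path):
            findings.append(Finding("elf_in_tmp", path, "ELF binary in temp directory"))
            continue
        try:
            with open(path, "rb") as fh:
                text = fh.read(65536).decode("utf-8", "replace")
        except OSError:
            continue
        match = POOL_URL_RE.search(text)
        if match:
            findings.append(Finding("pool_config", path, match.group(0)))
    return findings


def in_tmp(path):
    return any(path == d or path.startswith(d + "/") for d in TMP_DIRS)


def flag_processes(ps_output):
    """Parse `ps -eo pid,user,args --no-headers`-style text; flag executables run from a temp dir."""
    findings = []
    for line in ps_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, args = parts
        exe = args.split()[0]
        if in_tmp(exe):
            findings.append(Finding("proc_from_tmp", exe, f"pid={pid} user={user}"))
    return findings


def tmp_mounts_lacking_noexec(mounts_text):
    """Parse /proc/mounts-style lines; return temp mount points not mounted noexec."""
    weak = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, options = fields[1], fields[3].split(",")
        if mountpoint in TMP_DIRS and "noexec" not in options:
            weak.append(mountpoint)
    return weak


def demo():
    """Build a constructed /tmp look-alike mirroring the thread's artifacts and run the checks."""
    workdir = tempfile.mkdtemp(prefix="hunt_")
    with open(os.path.join(workdir, "phpNv0NqF.c"), "w") as fh:   # sidecar config, not C source
        fh.write("threads = 2\nmine=stratum+tcp://WALLET_PLACEHOLDER:x@pool.example:3333/xmr\n")
    with open(os.path.join(workdir, "phpNv0NqF_xvj7psyoaiw7jbi6"), "wb") as fh:  # fake ELF header
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)
    with open(os.path.join(workdir, "sess_abc123"), "w") as fh:  # an ordinary PHP session file
        fh.write('user|s:5:"alice";')
    # Constructed process list and mount table, not captured from a real host.
    ps_text = ("4412 site01 /tmp/phpNv0NqF_xvj7psyoaiw7jbi6 -c /tmp/phpNv0NqF.c\n"
               "4413 site01 /usr/bin/php-cgi\n")
    mounts_text = ("/dev/vda1 / ext4 rw,relatime 0 0\n"
                   "tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0\n"
                   "tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0\n")
    return {"files": scan_dir(workdir),
            "procs": flag_processes(ps_text),
            "weak_mounts": tmp_mounts_lacking_noexec(mounts_text)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` reports the config and the ELF (the session file is left alone), the one process launched from `/tmp`, and `/tmp` as the only temp mount without `noexec`. On a real host you would point `scan_dir` at each of `TMP_DIRS` and at the per-user `tmp` directories rpvw mentions, feed it live `ps` and `/proc/mounts` output, and treat a hit on an account without shell access as the starting point for the escalation question the original poster raises.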
     