
Checking `bindshell'... INFECTED (PORTS: 465 45454)

Discussion in 'Security' started by net@work, May 16, 2018.

  1. net@work

    net@work Well-Known Member

    Joined:
    Aug 3, 2016
    Messages:
    46
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Everywhere
    cPanel Access Level:
    Root Administrator
    Hello,

    Yesterday cPanel made an update:
    Package dhclient.x86_64 12:4.1.1-53.P1.el6.centos.3 will be updated
    Package dhclient.x86_64 12:4.1.1-53.P1.el6.centos.4 will be an update
    Package dhcp-common.x86_64 12:4.1.1-53.P1.el6.centos.3 will be updated
    Package dhcp-common.x86_64 12:4.1.1-53.P1.el6.centos.4 will be an update

    On my server I have chkrootkit run every day. At the same time as the update, chkrootkit automatically ran its scan and for the first time I saw this result:

    Code:
    Checking `bindshell'... INFECTED (PORTS:  465 45454)
    I know the issue with port 465 is a false positive because exim listens there!

    The problem is that today I have port 45454!!

    I run these commands:

    Code:
    /usr/sbin/lsof -P -n -i | grep 45454
    netstat -an | grep 45454
    lsof -i :45454
    But the port isn't open there or anything...

    Also today, with the automatic cPanel update, I have the following update:
    Code:
    [comodo_litespeed] COMODO ModSecurity LiteSpeed Rule Set
    archive_url | https://waf.comodo.com/api/cpanel_litespeed_vendor
    cpanel_provided | 0
    description | COMODO ModSecurity Rules for LiteSpeed
    enabled | 1
    inst_dist | comodo-litespeed-1165
    installed | 1
    installed_from | https://waf.comodo.com/doc/meta_comodo_litespeed.yaml
    name | COMODO ModSecurity LiteSpeed Rule Set
    path | /etc/apache2/conf.d/modsec_vendor_configs/comodo_litespeed
    report_url | https://waf.comodo.com/api/cpanel_feedback?source=1&rule_set=1.165
    supported_versions | (6)
    vendor_id | comodo_litespeed
    vendor_url | https://waf.comodo.com
    As you can see I run litespeed. Can you please help me understand whether that is a false positive or something has gone badly wrong?

    I can't find anything listening on that port. Is it possible that cPanel, at the time of this update, listened on port 45454 for some reason and then stopped?

    Any help is highly appreciated!!
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,142
    Likes Received:
    1,932
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    Those updates actually come from your operating system as opposed to from cPanel & WHM. You can see a log of which packages are updated through YUM at:

    /var/log/yum.log

    Are you using the PortSentry or klaxon application? Chkrootkit notes the following on their FAQ page:

    Thank you.
     
    net@work likes this.
  3. net@work

    net@work Well-Known Member

    Joined:
    Aug 3, 2016
    Messages:
    46
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Everywhere
    cPanel Access Level:
    Root Administrator
    Hello,

    The yum packages that are updated are:
    Code:
    dhcp-common-4.1.1-53.P1.el6.centos.4.x86_64
    dhclient-4.1.1-53.P1.el6.centos.4.x86_64
    No, I don't have the PortSentry or klaxon application!

    Yesterday I checked again with chkrootkit and only port 465 was found as bindshell! Also today (as yesterday) all seems to be ok and this specific port does not exist!

    The only port that I see (except those I know) is one UDP port that litespeed listens on.
    Code:
    lsof -i :42743
    COMMAND     PID   USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
    litespeed 15373 nobody   77u  IPv4 yyyyyyyyy      0t0  UDP *:42743

    Is it possible that yesterday litespeed opened port 45454 and chkrootkit notified me about it? As far as I can check, litespeed opens a UDP port randomly...
    I am not sure why that port is open, but it is the only port that I can find with the command netstat -tulpen OR netstat -tanp! Also this particular port doesn't have the LISTEN part and I don't have it in the csf firewall...

    Is there something else that I can do to find out if something malicious is happening? I checked and scanned the entire server, logs etc. and found nothing unusual... It's too strange!

    Is there something else that I can do to investigate it further? Is it possible that for some reason chkrootkit showed me that port falsely?

    Any help is highly appreciated! Thank you!
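    A defender's triage helper, added here as an example and not taken from the thread or from chkrootkit itself: it takes the chkrootkit bindshell line and a `ss -tulpn` snapshot captured at the same moment as the daily scan, and reports which process owns each flagged port, so a transient socket like LiteSpeed's random UDP port can be attributed instead of vanishing before a manual `lsof`. The chkrootkit line and the ss output below are constructed sample data; the pids and the ss column layout are assumptions.

    ```shell
    #!/bin/sh
    # Map each port in a chkrootkit "bindshell ... INFECTED (PORTS: ...)" line
    # to the owning process in an `ss -tulpn` snapshot taken at scan time.
    # CONSTRUCTED sample data (not real output from the poster's server):
    CHK_LINE="Checking \`bindshell'... INFECTED (PORTS:  465 45454)"
    SS_SNAPSHOT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
    tcp   LISTEN 0      20     *:465             *:*               users:(("exim",pid=1234,fd=5))
    udp   UNCONN 0      0      *:45454           *:*               users:(("litespeed",pid=15373,fd=77))
    tcp   LISTEN 0      128    *:22              *:*               users:(("sshd",pid=900,fd=3))'

    # Extract the space-separated port list after "PORTS:" from a chkrootkit line.
    chk_ports() {
        printf '%s\n' "$1" | sed -n 's/.*PORTS:[[:space:]]*\([0-9 ]*\)).*/\1/p'
    }

    # Print "port proto owner pid=N" for one port, or "port - none" when the
    # snapshot shows nothing bound to it (a transient port already gone).
    port_owner() {
        port=$1
        snapshot=$2
        printf '%s\n' "$snapshot" | awk -v p="$port" '
            NR > 1 {
                n = split($5, a, ":")          # local address is "addr:port"
                if (a[n] != p) next
                owner = "-"
                if (match($0, /\("[^"]+",pid=[0-9]+/)) {
                    owner = substr($0, RSTART + 2, RLENGTH - 2)   # name",pid=N
                    sub(/",pid=/, " pid=", owner)                  # name pid=N
                }
                print p, $1, owner
                found = 1
            }
            END { if (!found) print p, "-", "none" }'
    }

    # Report the owner of every port the scanner flagged.
    attribute() {
        for port in $(chk_ports "$1"); do
            port_owner "$port" "$2"
        done
    }

    # Demo on the constructed data. On a live host, wrap the daily cron as:
    #   attribute "$(chkrootkit -q | grep bindshell)" "$(ss -tulpn)"
    attribute "$CHK_LINE" "$SS_SNAPSHOT"
    ```

    A port that resolves to a known daemon (exim on 465, litespeed's UDP socket) is a false positive of chkrootkit's fixed bindshell port list; a flagged port with no owner at scan time is what still deserves a closer look in the logs.
    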
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,142
    Likes Received:
    1,932
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @net@work,

    I recommend browsing through /usr/local/apache/logs/access_log, /usr/local/apache/logs/error_log, and through the domain access logs in /usr/local/apache/domlogs/ to see if you notice anything related to that port near the time that process was running.

    Additionally, I see you've opened a thread on the LiteSpeed support forums at:

    Litespeed open second UDP port automatically without notification?

    Please ensure to let us know the outcome should you receive helpful information there.

    Thank you.
     
    net@work likes this.
  5. net@work

    net@work Well-Known Member

    Joined:
    Aug 3, 2016
    Messages:
    46
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Everywhere
    cPanel Access Level:
    Root Administrator
    Hello @cPanelMichael ,

    I checked all the logs and the only one that I can say possibly has something is:

    Code:
    104.128.xxx.xxx - - [TIME] "GET / HTTP/1.1" 200 111 "-" "www.probethenet.com scanner"
    104.128.xxx.xxx - - [TIME] "HEAD /redirect.php HTTP/1.1" 404 0 "-" "www.probethenet.com scanner"
    Is it possible that this scan triggered chkrootkit?

    Also at the same time:

    Code:
    TIME [ALERT] [Child: 14388] LiteSpeed/Version Enterprise starts successfully!
    At the same time as the above, chkrootkit ran its daily cron...

    Of course I will update here after the information about the "random" open UDP litespeed port...

    Also, if possible, I want your opinion about the possibility that chkrootkit falsely triggered on the port because of the litespeed restart or the "scanner" - probethenet.

    Thank you!
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,142
    Likes Received:
    1,932
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    It looks like you've received a response to that thread:

    Do you use the DNS Prefetch feature with LiteSpeed Cache? Here's a LiteSpeed link with more information about it:

    WpW: DNS Prefetch with LiteSpeed Cache ⋆ LiteSpeed Blog

    Thank you.
     
    net@work likes this.
  7. net@work

    net@work Well-Known Member

    Joined:
    Aug 3, 2016
    Messages:
    46
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Everywhere
    cPanel Access Level:
    Root Administrator
    Hello @cPanelMichael ,

    First of all thank you for the quick reply and the informative links!

    Yes, on 1 site on my server I have the DNS Prefetch feature with LiteSpeed Cache!

    So, as the litespeed staff say, it should not cause any security issue. It seems that chkrootkit informed me that particular day about port 45454 because of the random UDP port... Because from the logs etc. until now I can't find anything else except the random UDP ports of litespeed...

    Also, since that day chkrootkit has never informed me of a bindshell except the usual 465 port. I think the randomness of the changed port triggered that alert.

    I'll watch it closely and I hope nothing malicious really happened; as I said, until now nothing has been found.

    Thank you for all! :)
     
    cPanelMichael likes this.