Checking `bindshell'... INFECTED (PORTS: 465 45454)

[email protected]

Well-Known Member
Aug 3, 2016
52
5
8
Everywhere
cPanel Access Level
Root Administrator
Hello,

Yesterday cPanel made an update:
Package dhclient.x86_64 12:4.1.1-53.P1.el6.centos.3 will be updated
Package dhclient.x86_64 12:4.1.1-53.P1.el6.centos.4 will be an update
Package dhcp-common.x86_64 12:4.1.1-53.P1.el6.centos.3 will be updated
Package dhcp-common.x86_64 12:4.1.1-53.P1.el6.centos.4 will be an update

On my server I have chkrootkit run every day. At the same time as the update, chkrootkit automatically ran its scan, and for the first time I saw this result:

Code:
Checking `bindshell'... INFECTED (PORTS:  465 45454)
I know about the port 465 false positive, because exim listens there!

The problem is that today I have port 45454!!

I run these commands:

Code:
/usr/sbin/lsof -P -n -i | grep 45454
netstat -an | grep 45454
lsof -i :45454
But the port isn't open there or anything...

Also today, with the automatic cPanel update, I got the following update:
Code:
[comodo_litespeed] COMODO ModSecurity LiteSpeed Rule Set
archive_url | https://waf.comodo.com/api/cpanel_litespeed_vendor
cpanel_provided | 0
description | COMODO ModSecurity Rules for LiteSpeed
enabled | 1
inst_dist | comodo-litespeed-1165
installed | 1
installed_from | https://waf.comodo.com/doc/meta_comodo_litespeed.yaml
name | COMODO ModSecurity LiteSpeed Rule Set
path | /etc/apache2/conf.d/modsec_vendor_configs/comodo_litespeed
report_url | https://waf.comodo.com/api/cpanel_feedback?source=1&rule_set=1.165
supported_versions | (6)
vendor_id | comodo_litespeed
vendor_url | https://waf.comodo.com
As you can see, I run LiteSpeed. Can you please help me understand whether that is a false positive or something has gone very wrong?

I can't find anything listening on that port. Is it possible that cPanel, at the time of this update, listened on port 45454 for some reason and then stopped?

Any help is highly appreciated!!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Yesterday cPanel makes an update:
Package dhclient.x86_64 12:4.1.1-53.P1.el6.centos.3 will be updated
Package dhclient.x86_64 12:4.1.1-53.P1.el6.centos.4 will be an update
Package dhcp-common.x86_64 12:4.1.1-53.P1.el6.centos.3 will be updated
Package dhcp-common.x86_64 12:4.1.1-53.P1.el6.centos.4 will be an update
Hello,

Those updates actually come from your operating system as opposed to from cPanel & WHM. You can see a log of which packages are updated through YUM at:

/var/log/yum.log

I can't find anything listening on that port. Is it possible that cPanel, at the time of this update, listened on port 45454 for some reason and then stopped?
Are you using the PortSentry or klaxon application? Chkrootkit notes the following on their FAQ page:

I'm running PortSentry/klaxon. What's wrong with the bindshell test?

If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).
Thank you.
 

[email protected]

Hello,

The yum packages that were updated are:
Code:
dhcp-common-4.1.1-53.P1.el6.centos.4.x86_64
dhclient-4.1.1-53.P1.el6.centos.4.x86_64
No, I don't have the PortSentry or klaxon application!

Yesterday I checked again with chkrootkit and only port 465 was found as bindshell! Also today (as yesterday) everything seems OK and this specific port does not exist!

The only port that I see (except those I know) is one UDP port that litespeed listens on.
Code:
lsof -i :42743
COMMAND     PID   USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
litespeed 15373 nobody   77u  IPv4 yyyyyyyyy      0t0  UDP *:42743

Is it possible that yesterday litespeed opened port 45454 and chkrootkit notified me about it? As far as I can check, litespeed opens UDP ports randomly...
I am not sure why that port is open, but it is the only port that I can find with the command netstat -tulpen OR netstat -tanp! Also this particular port doesn't have the LISTEN part and I don't have it in the csf firewall...

Is there something else that I can do to find out if something malicious is happening? I checked and scanned the entire server, logs etc. and found nothing unusual... It's too strange!

Is there something else that I can do to investigate it further? Is it possible that for some reason chkrootkit showed me that port falsely?

Any help is highly appreciated! Thank you!
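The two questions above (which process owns a port chkrootkit flags, and whether a hit is a known daemon or an unowned socket) can be answered in one pass instead of running lsof and netstat by hand. The script below is an added example, not code from this thread, from chkrootkit or from cPanel: it takes `netstat -tulpen` output on stdin, compares every bound port against the bindshell port list quoted from the chkrootkit FAQ earlier in the thread, and prints the owning program for each hit. The sample netstat output, PIDs and inodes are constructed for the demo; the `check_bindshell_ports` function name and the `UNKNOWN` marker are my own.

```shell
#!/bin/sh
# Added example (not from the thread, chkrootkit or cPanel): cross-check the
# ports chkrootkit's bindshell test watches against the sockets actually open
# on the host, attributing each hit to its owning program so a
# "bindshell ... INFECTED (PORTS: ...)" line can be triaged instead of guessed at.

# Port list as quoted from the chkrootkit FAQ earlier in this thread.
BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 4369 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"

# Constructed sample of `netstat -tulpen` output (root view, so PID/Program
# name is populated). It is not captured from a real host; it models the two
# cases discussed above: exim listening on tcp/465, and a LiteSpeed UDP socket
# that happened to land on a port in chkrootkit's list. PIDs and inodes are
# made up.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      0          12345      2222/exim
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          12346      15373/litespeed
udp        0      0 0.0.0.0:45454           0.0.0.0:*                           99         12347      15373/litespeed
udp        0      0 0.0.0.0:42743           0.0.0.0:*                           99         12348      15373/litespeed'

# Reads netstat -tulpen output on stdin and prints "proto port program" for
# every socket bound to a port on the bindshell list. Exit status is 0 when
# each hit is attributed to a program, 1 when a hit has no owner shown
# (netstat prints "-" when it cannot resolve the PID; that is the case worth
# a closer look, e.g. with `lsof -i :PORT` or `ss -tulpn` as root).
check_bindshell_ports() {
    awk -v ports="$BINDSHELL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            port = $4
            sub(/.*:/, "", port)               # strip the address; last ":" also works for IPv6
            if (!(port in watch)) next
            prog = $NF                         # "PID/name", or "-" when netstat cannot tell
            if (prog ~ /^[0-9]+\//) { sub(/^[0-9]+\//, "", prog) } else { prog = "UNKNOWN"; unowned = 1 }
            print $1, port, prog
        }
        END { exit unowned + 0 }
    '
}

# Demo run against the constructed sample. On a real host use live output:
#   netstat -tulpen | check_bindshell_ports
printf '%s\n' "$SAMPLE_NETSTAT" | check_bindshell_ports
```

On the sample this prints `tcp 465 exim` and `udp 45454 litespeed` and exits 0: both chkrootkit hits are attributed to known daemons, which is the false-positive pattern described in this thread. A hit printed as `UNKNOWN` (exit status 1) means the socket was bound by something netstat could not name, and that is the output that would justify the deeper forensics rather than the port number on its own. Run it as root, otherwise netstat hides the PID/Program column for other users' sockets and every hit looks unowned.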
 

cPanelMichael

Hello @[email protected],

I recommend browsing through /usr/local/apache/logs/access_log, /usr/local/apache/logs/error_log, and through the domain access logs in /usr/local/apache/domlogs/ to see if you notice anything related to that port near the time that process was running.

Additionally, I see you've opened a thread on the LiteSpeed support forums at:

Litespeed open second UDP port automatically without notification?

Please ensure to let us know the outcome should you receive helpful information there.

Thank you.
 

[email protected]

Hello @cPanelMichael ,

I checked all the logs and the only thing that I can say possibly has something is:

Code:
104.128.xxx.xxx - - [TIME] "GET / HTTP/1.1" 200 111 "-" "www.probethenet.com scanner"
104.128.xxx.xxx - - [TIME] "HEAD /redirect.php HTTP/1.1" 404 0 "-" "www.probethenet.com scanner"
Is it possible that scan triggered chkrootkit?

Also at the same time:

Code:
TIME [ALERT] [Child: 14388] LiteSpeed/Version Enterprise starts successfully!
At the same time as the above, chkrootkit ran its daily cron...

Of course I will update here after I get the information about the "random" open UDP litespeed port...

Also, if possible, I would like your opinion about the possibility that chkrootkit falsely flagged the port because of the litespeed restart or the "scanner", probethenet.

Thank you!
 

cPanelMichael

Of course I will update here after I get the information about the "random" open UDP litespeed port...
Hello,

It looks like you've received a response to that thread:

The random UDP port is likely opened by the asynchronous DNS resolver library used in the server. It should not cause any security issue. We'll see if we can turn it off. It has nothing to do with QUIC.
Do you use the DNS Prefetch feature with LiteSpeed Cache? Here's a LiteSpeed link with more information about it:

WpW: DNS Prefetch with LiteSpeed Cache ⋆ LiteSpeed Blog

Thank you.
 

[email protected]

Hello @cPanelMichael ,

First of all thank you for the quick reply and the informative links!

Yes, on 1 site on my server I have the DNS Prefetch feature with LiteSpeed Cache!

So, as the litespeed staff say, it should not cause any security issue. It seems that chkrootkit informed me that particular day about port 45454 because of the random UDP port... because from the logs etc. until now I can't find anything else except the random UDP ports of litespeed...

Also, since that day chkrootkit has never informed me about bindshell except for the usual 465 port. I think the randomness of the changing port triggered that alert.

I'll keep a close watch on it and I hope nothing malicious really happened; as I said, until now nothing has been found.

Thank you for all! :)
 