Know where the files are in the processes

Operating System & Version
Centos 7
cPanel & WHM Version
88.0.13

cPAdminsMichael

Well-Known Member
Dec 19, 2016
129
40
103
Denmark
cPanel Access Level
Root Administrator
Quickest way is to do a ps I think:

ps -ef |grep python
 

Insidesign

Member
Nov 23, 2016
13
0
1
Brazil
cPanel Access Level
DataCenter Provider
Hello,


Thanks for the answer.

It appears, as you can see in the image, but I was wondering where the port2.py, send.py and reverseping.py file is so that I could delete it, and it doesn't show the path of the file that is being executed.


thanks
 

Attachments

cPAdminsMichael

Well-Known Member
Dec 19, 2016
129
40
103
Denmark
cPanel Access Level
Root Administrator
Ah yes, sorry. WOW, lot of bad activities going on with your server!

You can see files opened by a given process with lsof -p PID.
So fx. that would be lsof -p 4081

BUT - You can also see that parent of 4081 is 3719 which is a shell script running curl, downloading a script, which is unzipped and executed.
Seems as both account contabil and cartucha is compromised.

You may also want to run ImunifyAV - which is now included in your cPanel license - to find malware and malicious files
 

Insidesign

Member
Nov 23, 2016
13
0
1
Brazil
cPanel Access Level
DataCenter Provider
Hello,


Thanks for the answer.


I found, it seems that the client's website is with some vulnerability that places the file in the / tmp / directory and executes the file (see attached image)

As I am going to have to ask the customer to check, is there any way I can prevent this from happening until the customer asks to check his website?


thanks
 

Attachments

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
Ok, that's not what you asked at all so I believe I am confused. It's a lot more difficult to block the process from running than it is to just outright remove the file executing it or change its permissions to 000