Know where the files are in the processes

Insidesign · Jul 22, 2020

Hello,

There are some malicious processes on the server (see image) and I would like to know where is the file that is not running so I can delete it.

How can I find that out?

thanks

cPAdminsMichael · Jul 22, 2020

Quickest way is to do a ps I think:

ps -ef |grep python

Insidesign · Jul 22, 2020

Hello,

Thanks for the answer.

It appears, as you can see in the image, but I was wondering where the port2.py, send.py and reverseping.py file is so that I could delete it, and it doesn't show the path of the file that is being executed.

thanks

cPAdminsMichael · Jul 22, 2020

Ah yes, sorry. WOW, lot of bad activities going on with your server!

You can see files opened by a given process with lsof -p PID.
So fx. that would be lsof -p 4081

BUT - You can also see that parent of 4081 is 3719 which is a shell script running curl, downloading a script, which is unzipped and executed.
Seems as both account contabil and cartucha is compromised.

You may also want to run ImunifyAV - which is now included in your cPanel license - to find malware and malicious files

Insidesign · Jul 22, 2020

Hello,

Thanks for the answer.

I found, it seems that the client's website is with some vulnerability that places the file in the / tmp / directory and executes the file (see attached image)

As I am going to have to ask the customer to check, is there any way I can prevent this from happening until the customer asks to check his website?

thanks

cPanelLauren · Jul 22, 2020

So that process that's running is not reverseping.py it's reversebing.py and it looks like you found lsof which would give you exactly what you need.

Insidesign · Jul 22, 2020

Hello,

Yes, but what I wanted to know is if you can block these processes on the server until the client checks for vulnerabilities on his website.

thanks

cPanelLauren · Jul 22, 2020

Ok, that's not what you asked at all so I believe I am confused. It's a lot more difficult to block the process from running than it is to just outright remove the file executing it or change its permissions to 000

Thread starter	Similar threads	Forum	Replies	Date
M	SSL certificate for mail server only (A record is pointed elsewhere)	Security	5	Feb 22, 2023
D	Where does cPanel add the Content-Security-Policy (CSP) header?	Security	3	Jun 15, 2020
C	SOLVED Where should custom bash files go for root?	Security	2	Feb 10, 2018
A	SSL, where must i place my files?	Security	4	Mar 29, 2005
N	Where do ssl served files go?	Security	15	May 30, 2003

Search

Search

Know where the files are in the processes

Insidesign

Member

Attachments

cPAdminsMichael

Well-Known Member

Insidesign

Member

Attachments

cPAdminsMichael

Well-Known Member

Insidesign

Member

Attachments

cPanelLauren

Product Owner II

Insidesign

Member

cPanelLauren

Product Owner II