The Community Forums


SOLVED Malicious perl script on account

Discussion in 'Security' started by postcd, Dec 3, 2016.

  1. postcd

    postcd Well-Known Member

    Joined:
    Oct 22, 2010
    Messages:
    670
    Likes Received:
    11
    Trophy Points:
    68
    Hello, ConfigServer Firewall reported that there is a long-running process under one of the cPanel accounts: pastebin.com/05DVU7A6

    So I wanted to ask: how do I discover which script it is that is running?

    ps ax|grep cpanelusername

    does not return anything.

    I cannot find any file with a .pl extension or with the name "proc" inside that cPanel account.

    Apache status: also no luck.

    When doing ls /tmp /var/tmp|grep cpanelusername, I found that some binary or encoded file was injected into /var/tmp (filename: YoqFyWjYT*).

    Code:
    # crontab -l -u cpanelusername
    SHELL="/usr/local/cpanel/bin/jailshell"
    */10 * * * * /var/tmp/YoqFyWjYT >/dev/null 2>&1
    
    It seems like someone was able to edit the crontab for this user while this user's password was an unbreakable random one (13 characters, mixed, including symbols). How is that possible?

    I found a running process named "proc" with PID 11130, so I did:

    Code:
    # lsof -p 11130
    COMMAND  PID  USER  FD  TYPE  DEVICE SIZE/OFF  NODE NAME
    httpd.pl 11130 cpanelusername  cwd  DIR  0,164  4096  40372564 /
    httpd.pl 11130 cpanelusername  rtd  DIR  0,164  4096  40372564 /
    httpd.pl 11130 cpanelusername  txt  REG  0,164  7184  40379766 /usr/bin/perl
    httpd.pl 11130 cpanelusername  mem  REG  253,0  40379766 /usr/bin/perl (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  4326574 /usr/lib64/perl5/auto/File/Glob/Glob.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  4326602 /usr/lib64/perl5/auto/POSIX/POSIX.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  4326573 /usr/lib64/perl5/auto/Fcntl/Fcntl.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  4326837 /usr/lib64/perl5/auto/Socket/Socket.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  4326587 /usr/lib64/perl5/auto/IO/IO.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  40379714 /lib64/libfreebl3.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  40371002 /lib64/libc-2.12.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  40371541 /lib64/libpthread-2.12.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  40371683 /lib64/libutil-2.12.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  40371103 /lib64/libcrypt-2.12.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  40381006 /lib64/libm-2.12.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  40379827 /lib64/libdl-2.12.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  40381712 /lib64/libnsl-2.12.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  40383282 /lib64/libresolv-2.12.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  57282593 /usr/lib64/perl5/CORE/libperl.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  mem  REG  253,0  40370939 /lib64/ld-2.12.so (path dev=0,164)
    httpd.pl 11130 cpanelusername  0r  CHR  1,3  0t0 1824410485 /dev/null
    httpd.pl 11130 cpanelusername  1w  CHR  1,3  0t0 1824410485 /dev/null
    httpd.pl 11130 cpanelusername  2w  CHR  1,3  0t0 1824410485 /dev/null
    httpd.pl 11130 cpanelusername  3u  IPv4 2434759493  0t0  TCP *:27450 (LISTEN)
    username@srvname [/home/cpanelusername/www/domain.tld]# find ../ -name httpd.pl
    username@srvname [/home/cpanelusername/www/domain.tld]# netstat -tlnp|grep 27
    tcp  0  0 127.0.0.1:783  0.0.0.0:*  LISTEN  14667/perl
    tcp  0  0 127.0.0.1:53  0.0.0.0:*  LISTEN  7300/named
    tcp  0  0 127.0.0.1:953  0.0.0.0:*  LISTEN  7300/named
    tcp  0  0 0.0.0.0:27450  0.0.0.0:*  LISTEN  15519/proc
    That process gets killed by the firewall, but a new process always appears:
    Code:
    # ps auxf|grep proc
    root  1890  0.0  0.0  45728  9424 ?  S  Nov17  0:38 queueprocd - wait to process a task
    root  1997  0.0  0.0  79640 18452 ?  S  Nov17  1:00 cPhulkd - processor
    root  12013  0.0  0.0  6444  696 pts/0  S+  20:38  0:00  \_ grep proc
    cpanelusername  11141  0.2  0.0  40540  6180 ?  Ss  20:37  0:00 proc
    
    What are your ideas? What would you do to stop that and prevent it?

    WHM latest, EA3, SuPHP. Thank You

    I assume this would not happen if something like this were in effect
     
    #1 postcd, Dec 3, 2016
    Last edited by a moderator: Dec 3, 2016
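Pulling the checks from this post together (crontab entry in a scratch directory, an unknown listener, and what a PID is really running), as an added example that is not part of the original thread. It assumes Linux with /proc, POSIX sh, grep -E and awk; the account name, PIDs, daemon allow-list and sample command outputs are constructed to mirror the post, not taken from a live box.

```shell
#!/bin/sh
# Added example, not code from the thread: triage helpers for a cPanel
# account showing the symptoms posted above (a cron entry pointing into
# /var/tmp, an unknown process listening on a high port). Assumes Linux with
# /proc, POSIX sh, grep -E and awk. Usernames, PIDs, the daemon allow-list
# and the sample command outputs below are constructed for the example.

# 1. Flag crontab entries whose command lives in a world-writable scratch
#    directory. Reads `crontab -l -u USER` output on stdin, prints the
#    offending lines and returns 0 only when at least one was found.
flag_scratch_cron() {
    # drop comments and VAR=value lines (e.g. SHELL="..."), then match paths
    grep -Ev '^[[:space:]]*(#|[A-Za-z_][A-Za-z0-9_]*=)' |
        grep -E '(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/'
}

# 2. Flag LISTEN sockets whose program name is not on an allow-list.
#    Reads `netstat -tlnp` output on stdin; $1 is an ERE naming the daemons
#    expected on this box. Prints "local_address pid program" per unexpected
#    listener, e.g. "0.0.0.0:27450 15519 proc".
flag_listeners() {
    awk -v allowed="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            split($7, p, "/")                 # "15519/proc" -> pid, program
            if (p[2] !~ ("^(" allowed ")$")) print $4, p[1], p[2]
        }'
}

# 3. For a live PID, show what is really running. The lsof output above
#    shows "proc" is /usr/bin/perl with cwd / and no script among its open
#    files, so the name in ps is not a file on disk. An exe or cwd marked
#    "(deleted)", or a /tmp or /var/tmp path in the real command line, is
#    the tell.
proc_paths() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    printf 'exe: %s\n' "$(readlink "/proc/$pid/exe")"
    printf 'cwd: %s\n' "$(readlink "/proc/$pid/cwd")"
    printf 'cmd: '; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
}

# Constructed samples mirroring the outputs quoted in the post.
SAMPLE_CRON='SHELL="/usr/local/cpanel/bin/jailshell"
0 3 * * * /home/cpanelusername/bin/backup.sh
*/10 * * * * /var/tmp/YoqFyWjYT >/dev/null 2>&1'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 14667/perl
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 7300/named
tcp 0 0 0.0.0.0:27450 0.0.0.0:* LISTEN 15519/proc'

# Daemons expected to listen on a cPanel box (hypothetical list; tune it).
EXPECTED_DAEMONS='named|perl|exim|dovecot|sshd|mysqld|cpsrvd|httpd|pure-ftpd'

echo '== cron entries running from scratch dirs =='
printf '%s\n' "$SAMPLE_CRON" | flag_scratch_cron
echo '== unexpected listeners (address pid program) =='
printf '%s\n' "$SAMPLE_NETSTAT" | flag_listeners "$EXPECTED_DAEMONS"
# On the real box:
#   crontab -l -u cpanelusername | flag_scratch_cron
#   netstat -tlnp | flag_listeners "$EXPECTED_DAEMONS"
#   proc_paths 11130
```

Two caveats worth knowing when reading the post. `ps ax` prints no user column, so grepping its output for the account name finds nothing even when the process is there; `ps -u cpanelusername -o pid,ppid,lstart,args` lists that account's processes directly. And editing the user's crontab needs no password: any code already running as the account, such as a PHP backdoor executed under suPHP, can run `crontab -` with the user's privileges, which is why the web files and the crontab have to be cleaned together or the job simply comes back.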
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    567
    Likes Received:
    40
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    I can see you have root access to your server, so I suggest you scan the account with the maldet and ClamAV scanners.

    For maldet
    Code:
    maldet -a /home/cPUSER/public_html/
    
    And for ClamAV
    Code:
    clamscan -ir /home/cPUSER/public_html/ -v
    
     
    postcd likes this.
  3. postcd

    postcd Well-Known Member

    Joined:
    Oct 22, 2010
    Messages:
    670
    Likes Received:
    11
    Trophy Points:
    68
    That did not help to prevent that process from repeatedly launching. :(
    But it helped find around 17 malicious PHP files, mainly in the SimpleMachinesForum /cache/ folder.
     
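A grep-based hunt for the kind of PHP backdoors the maldet/ClamAV runs from the previous reply turned up in the SMF /cache/ folder, as an added example that is not part of the original thread. It assumes POSIX sh, find, grep -E and mktemp; the indicator regex and the sample files it scans are constructed for this example and are not any scanner's real ruleset.

```shell
#!/bin/sh
# Added example, not code from the thread: a grep/find hunt for PHP backdoors
# of the kind the maldet/ClamAV scans above turned up in the SMF /cache/
# folder. It needs no scanner installed; the indicator list and the sample
# files are constructed for this example and are not a scanner's real ruleset.

# Indicators that rarely appear together in legitimate cache/data files:
# runtime code execution, decoding/obfuscation helpers, request data passed
# straight into a call, shell execution, or preg_replace with the /e modifier.
SUSPECT_RE='(eval|assert|create_function)[[:space:]]*\(|(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e[[:punct:]]|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\)|(system|passthru|shell_exec|popen|proc_open)[[:space:]]*\('

# Scan every regular file under $1 that contains a PHP open tag (backdoors
# often hide behind .txt/.ico/.jpg names, so the extension is not trusted).
# Prints "matching_lines<TAB>path" for each hit, most matching lines first.
find_php_backdoors() {
    find "$1" -type f -print | while IFS= read -r f; do
        grep -qE '<\?(php|=)' "$f" 2>/dev/null || continue
        hits=$(grep -cE "$SUSPECT_RE" "$f" 2>/dev/null || true)
        if [ "${hits:-0}" -gt 0 ]; then
            printf '%s\t%s\n' "$hits" "$f"
        fi
    done | sort -rn
}

# Build a throwaway cache directory with one legitimate SMF-style data file,
# one obfuscated backdoor and one backdoor hidden behind an .ico name.
# Prints the directory path; the caller removes it.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/data_settings.php" <<'EOF'
<?php
if (!defined('SMF'))
    die('Hacking attempt...');
$settings['cache_enable'] = 1;
$settings['cache_memcached'] = '';
?>
EOF
    cat > "$d/sess_cache.php" <<'EOF'
<?php
$k = str_rot13($_COOKIE['k']);
@eval(gzinflate(base64_decode($_POST['x'])));
EOF
    cat > "$d/favicon.ico" <<'EOF'
<?php system($_GET['c']); ?>
EOF
    printf 'plain html, not php\n' > "$d/index.html"
    printf '%s' "$d"
}

sample=$(make_sample_dir)
echo "== suspicious files under $sample =="
find_php_backdoors "$sample"
rm -rf "$sample"
# On the real account:  find_php_backdoors /home/cpanelusername/public_html
```

Treat the output as a worklist, not a verdict: a hit count only says a file deserves a look, and legitimate plugins do call base64_decode or preg_replace. Review each flagged file, compare it against a clean copy of the application, and check its mtime against the cron entry's first run, since the same upload that dropped the backdoor usually wrote the crontab.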
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    It's difficult to determine what's happening without access to the affected system to take a closer look. Feel free to open a support ticket using the link in my signature so we can take a closer look and determine if there are any obvious issues. More in-depth security scanning would require the assistance of a qualified system administrator:

    System Administration Services | cPanel Forums

    Thank you.
     