SOLVED Malicious perl script on account

postcd

Well-Known Member
Oct 22, 2010
721
21
68
Hello, config server firewall reported that there is long time runing process under one of the cPanels: pastebin.com/05DVU7A6

So i wanted to ask how to discover which script it is that is running?

px ax|grep cpanelusername

does not return anything.

can not find any file with .pl extension or with name "proc" inside that cpanel

apache status also no luck

when doing ls /tmp /var/tmp|grep cpanelusername, i found that some binary or encoded file was injected into /var/tmp (flename: YoqFyWjYT*)

# crontab -l -u cpanelusername
SHELL="/usr/local/cpanel/bin/jailshell"
*/10 * * * * /var/tmp/YoqFyWjYT >/dev/null 2>&1
seems like someone been able to edit crontab for this userwhile this user password was unbreakable random one 13 characters + mixed incl. symbols, how is that possible?

I found running process with name "proc" with pid 11130, so i did:

Code:
# lsof -p 11130
COMMAND  PID  USER  FD  TYPE  DEVICE SIZE/OFF  NODE NAME
httpd.pl 11130 cpanelusername  cwd  DIR  0,164  4096  40372564 /
httpd.pl 11130 cpanelusername  rtd  DIR  0,164  4096  40372564 /
httpd.pl 11130 cpanelusername  txt  REG  0,164  7184  40379766 /usr/bin/perl
httpd.pl 11130 cpanelusername  mem  REG  253,0  40379766 /usr/bin/perl (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  4326574 /usr/lib64/perl5/auto/File/Glob/Glob.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  4326602 /usr/lib64/perl5/auto/POSIX/POSIX.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  4326573 /usr/lib64/perl5/auto/Fcntl/Fcntl.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  4326837 /usr/lib64/perl5/auto/Socket/Socket.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  4326587 /usr/lib64/perl5/auto/IO/IO.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40379714 /lib64/libfreebl3.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40371002 /lib64/libc-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40371541 /lib64/libpthread-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40371683 /lib64/libutil-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40371103 /lib64/libcrypt-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40381006 /lib64/libm-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40379827 /lib64/libdl-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40381712 /lib64/libnsl-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40383282 /lib64/libresolv-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  57282593 /usr/lib64/perl5/CORE/libperl.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40370939 /lib64/ld-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  0r  CHR  1,3  0t0 1824410485 /dev/null
httpd.pl 11130 cpanelusername  1w  CHR  1,3  0t0 1824410485 /dev/null
httpd.pl 11130 cpanelusername  2w  CHR  1,3  0t0 1824410485 /dev/null
[B]httpd.pl 11130 cpanelusername  3u  IPv4 2434759493  0t0  TCP *:27450 (LISTEN)[/B]
[email protected] [/home/cpanelusername/www/domain.tld]# find ../ -name httpd.pl
[email protected] [/home/cpanelusername/www/domain.tld]# netstat -tlnp|grep 27
tcp  0  0 127.0.0.1:783  0.0.0.0:*  LISTEN  14667/perl
tcp  0  0 127.0.0.1:53  0.0.0.0:*  LISTEN  7300/named
tcp  0  0 127.0.0.1:953  0.0.0.0:*  LISTEN  7300/named
[B]tcp  0  0 0.0.0.0:27450  0.0.0.0:*  LISTEN  15519/proc[/B]
That process gets killed by firewall, but always new process appears:
Code:
# ps auxf|grep proc
root  1890  0.0  0.0  45728  9424 ?  S  Nov17  0:38 queueprocd - wait to process a task
root  1997  0.0  0.0  79640 18452 ?  S  Nov17  1:00 cPhulkd - processor
root  12013  0.0  0.0  6444  696 pts/0  S+  20:38  0:00  \_ grep proc
[B]cpanelusername  11141  0.2  0.0  40540  6180 ?  Ss  20:37  0:00 proc[/B]
What are your ideas, what you would do to stop that and prevent that?

WHM latest, EA3, SuPHP. Thank You

I assume this would not happen if something like this would be in effect
 
Last edited by a moderator:

SysSachin

Well-Known Member
Aug 23, 2015
604
49
28
India
cPanel Access Level
Root Administrator
Twitter
I can see you have root access of your server so I will suggest you please scan your account with the maldet and clamAV scanner.

For maldet
Code:
maldet -a /home/cPUSER/public_html/
And for clamAV
Code:
clamscan -ir /home/cPUSER/public_html/ -v
 
  • Like
Reactions: postcd

postcd

Well-Known Member
Oct 22, 2010
721
21
68
That did not helped to prevent that process from repeatedly launching. :(
But it helped to find around 17 malicious php files, mainly in SimpleMachinesForum /cache/ folder.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,254
463
Hello,

It's difficult to determine what's happening without access to the affected system to take a closer look. Feel free to open a support ticket using the link in my signature so we can take a closer look and determine if there's any obvious issues. More in-depth security scanning would require the assistance of a qualified system administrator:

System Administration Services | cPanel Forums

Thank you.