SOLVED Malicious perl script on account

postcd

postcd

Well-Known Member
Oct 22, 2010
721
21
68
Hello, config server firewall reported that there is long time runing process under one of the cPanels: pastebin.com/05DVU7A6

So i wanted to ask how to discover which script it is that is running?

px ax|grep cpanelusername

does not return anything.

can not find any file with .pl extension or with name "proc" inside that cpanel

apache status also no luck

when doing ls /tmp /var/tmp|grep cpanelusername, i found that some binary or encoded file was injected into /var/tmp (flename: YoqFyWjYT*)

# crontab -l -u cpanelusername
SHELL="/usr/local/cpanel/bin/jailshell"
*/10 * * * * /var/tmp/YoqFyWjYT >/dev/null 2>&1
seems like someone been able to edit crontab for this userwhile this user password was unbreakable random one 13 characters + mixed incl. symbols, how is that possible?

I found running process with name "proc" with pid 11130, so i did:

Code: 
# lsof -p 11130
COMMAND  PID  USER  FD  TYPE  DEVICE SIZE/OFF  NODE NAME
httpd.pl 11130 cpanelusername  cwd  DIR  0,164  4096  40372564 /
httpd.pl 11130 cpanelusername  rtd  DIR  0,164  4096  40372564 /
httpd.pl 11130 cpanelusername  txt  REG  0,164  7184  40379766 /usr/bin/perl
httpd.pl 11130 cpanelusername  mem  REG  253,0  40379766 /usr/bin/perl (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  4326574 /usr/lib64/perl5/auto/File/Glob/Glob.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  4326602 /usr/lib64/perl5/auto/POSIX/POSIX.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  4326573 /usr/lib64/perl5/auto/Fcntl/Fcntl.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  4326837 /usr/lib64/perl5/auto/Socket/Socket.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  4326587 /usr/lib64/perl5/auto/IO/IO.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40379714 /lib64/libfreebl3.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40371002 /lib64/libc-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40371541 /lib64/libpthread-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40371683 /lib64/libutil-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40371103 /lib64/libcrypt-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40381006 /lib64/libm-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40379827 /lib64/libdl-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40381712 /lib64/libnsl-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40383282 /lib64/libresolv-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  57282593 /usr/lib64/perl5/CORE/libperl.so (path dev=0,164)
httpd.pl 11130 cpanelusername  mem  REG  253,0  40370939 /lib64/ld-2.12.so (path dev=0,164)
httpd.pl 11130 cpanelusername  0r  CHR  1,3  0t0 1824410485 /dev/null
httpd.pl 11130 cpanelusername  1w  CHR  1,3  0t0 1824410485 /dev/null
httpd.pl 11130 cpanelusername  2w  CHR  1,3  0t0 1824410485 /dev/null
[B]httpd.pl 11130 cpanelusername  3u  IPv4 2434759493  0t0  TCP *:27450 (LISTEN)[/B]
username@srvname [/home/cpanelusername/www/domain.tld]# find ../ -name httpd.pl
username@srvname [/home/cpanelusername/www/domain.tld]# netstat -tlnp|grep 27
tcp  0  0 127.0.0.1:783  0.0.0.0:*  LISTEN  14667/perl
tcp  0  0 127.0.0.1:53  0.0.0.0:*  LISTEN  7300/named
tcp  0  0 127.0.0.1:953  0.0.0.0:*  LISTEN  7300/named
[B]tcp  0  0 0.0.0.0:27450  0.0.0.0:*  LISTEN  15519/proc[/B]
That process gets killed by firewall, but always new process appears:
Code: 
# ps auxf|grep proc
root  1890  0.0  0.0  45728  9424 ?  S  Nov17  0:38 queueprocd - wait to process a task
root  1997  0.0  0.0  79640 18452 ?  S  Nov17  1:00 cPhulkd - processor
root  12013  0.0  0.0  6444  696 pts/0  S+  20:38  0:00  \_ grep proc
[B]cpanelusername  11141  0.2  0.0  40540  6180 ?  Ss  20:37  0:00 proc[/B]
What are your ideas, what you would do to stop that and prevent that?

WHM latest, EA3, SuPHP. Thank You

I assume this would not happen if something like this would be in effect
 
Last edited by a moderator:
SysSachin

SysSachin

Well-Known Member
Aug 23, 2015
604
49
28
India
cPanel Access Level
Root Administrator
Twitter
I can see you have root access of your server so I will suggest you please scan your account with the maldet and clamAV scanner.

For maldet
Code: 
maldet -a /home/cPUSER/public_html/
And for clamAV
Code: 
clamscan -ir /home/cPUSER/public_html/ -v
 
  • Like
Reactions: postcd
postcd

postcd

Well-Known Member
Oct 22, 2010
721
21
68
That did not helped to prevent that process from repeatedly launching. :(
But it helped to find around 17 malicious php files, mainly in SimpleMachinesForum /cache/ folder.
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
Hello,

It's difficult to determine what's happening without access to the affected system to take a closer look. Feel free to open a support ticket using the link in my signature so we can take a closer look and determine if there's any obvious issues. More in-depth security scanning would require the assistance of a qualified system administrator:

System Administration Services | cPanel Forums

Thank you.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
R Potential malicious activity question Security 13
N malicious attacks that changed my cpanel password Security 3
J crawler looks malicious but attacker says not Security 2
A Malicious activity has been detected Security 1
B Is anyone here able to set up modsecurity so it scans file uploads in real time and rejects malicious ones. Security 1
Similar threads
Potential malicious activity question
malicious attacks that changed my cpanel password
crawler looks malicious but attacker says not
Malicious activity has been detected
Is anyone here able to set up modsecurity so it scans file uploads in real time and rejects malicious ones.
Top Bottom