The Community Forums


Multiple Messages with "kthread" Errors & Multiple "Port Hits"

Discussion in 'Security' started by russelld, Nov 2, 2014.

  1. russelld

    russelld Member

    Joined:
    Apr 10, 2014
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    2 issues:

    I have been getting the following messages from my server almost every 60 seconds or so and have no idea what to do???


    Code:
    Time:    Sun Nov  2 22:38:44 2014 -0600
    PID:     5067 (Parent PID:5067)
    Account: {EDIT}
    Uptime:  41214 seconds
    
    
    Executable:
    
    /home/{EDIT}/.lesshts/kthread
    
    
    Command Line (often faked in exploits):
    
    kthread

    -------------------------

    I am also getting messages like these every minute with the subject line "lfd on master.domain.com: UID 588 ({EDIT USERNAME}) Tracking Hit"

    Code:
    Time:    Sun Nov  2 22:44:37 2014 -0600
    UID:     588 ({EDIT USERNAME})
    Hits:    11
    
    Sample of port hits:
    Nov  2 22:43:42 master kernel: [41682.676474] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16258 DF PROTO=TCP SPT=46544 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
    Nov  2 22:43:48 master kernel: [41688.680950] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=171 DF PROTO=TCP SPT=46551 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
    Nov  2 22:43:52 master kernel: [41692.680454] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=172 DF PROTO=TCP SPT=46551 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
    Nov  2 22:43:58 master kernel: [41698.683236] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=89.248.168.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30636 DF PROTO=TCP SPT=52120 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
    Nov  2 22:44:02 master kernel: [41702.683232] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=89.248.168.139 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30637 DF PROTO=TCP SPT=52120 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
    Nov  2 22:44:08 master kernel: [41708.687478] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9411 DF PROTO=TCP SPT=46568 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
    Nov  2 22:44:12 master kernel: [41712.687470] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9412 DF PROTO=TCP SPT=46568 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
    Nov  2 22:44:18 master kernel: [41718.690467] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56070 DF PROTO=TCP SPT=46575 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
    Nov  2 22:44:22 master kernel: [41722.690475] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56071 DF PROTO=TCP SPT=46575 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
    Nov  2 22:44:28 master kernel: [41728.710515] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60572 DF PROTO=TCP SPT=46583 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
    Nov  2 22:44:32 master kernel: [41732.710480] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MYSERVERIP.ADDRESS DST=93.174.93.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60573 DF PROTO=TCP SPT=46583 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
     
    #1 russelld, Nov 2, 2014
    Last edited: Nov 2, 2014
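An added example (editor's code, not the poster's, and not part of the cPanel or CSF/lfd software) that turns the "Sample of port hits" block from an lfd Tracking Hit e-mail into something triageable: it parses the kernel firewall lines, groups blocked outbound attempts by UID and destination, and measures the cadence between attempts from the kernel uptime stamp. The regex assumes the field order shown in the alert above; the sample lines are constructed from that alert with the server and destination addresses replaced by documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Kernel firewall lines of the kind lfd quotes in a "Tracking Hit" alert. The
# field order follows the lines in the thread: SRC, DST, ..., PROTO, SPT, DPT,
# ..., UID, GID. Only locally generated (outbound) packets carry UID/GID, so
# inbound blocks and unrelated lines simply fail to match and are skipped.
FIREWALL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[(?P<uptime>[\d. ]+)\] Firewall: \*(?P<chain>[A-Z_]+) Blocked\* .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?UID=(?P<uid>\d+) GID=(?P<gid>\d+)"
)

# Constructed sample modelled on the alert in the thread; the server and
# destination addresses are documentation ranges, not the original values.
SAMPLE_LOG = """\
Nov  2 22:43:42 master kernel: [41682.676474] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16258 DF PROTO=TCP SPT=46544 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov  2 22:43:48 master kernel: [41688.680950] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=171 DF PROTO=TCP SPT=46551 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov  2 22:43:58 master kernel: [41698.683236] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30636 DF PROTO=TCP SPT=52120 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov  2 22:44:02 master kernel: [41702.683232] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30637 DF PROTO=TCP SPT=52120 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov  2 22:44:08 master kernel: [41708.687478] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9411 DF PROTO=TCP SPT=46568 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 UID=588 GID=599
Nov  2 22:44:09 master kernel: [41709.100000] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
this line is not a firewall event
"""


def parse_port_hits(text):
    """Return one dict per firewall line that carries a UID (one per blocked outbound SYN)."""
    hits = []
    for line in text.splitlines():
        m = FIREWALL_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


def summarize_by_uid(hits):
    """Map uid -> Counter of (dst, dpt): where each local account keeps trying to connect."""
    per_uid = defaultdict(Counter)
    for h in hits:
        per_uid[h["uid"]][(h["dst"], h["dpt"])] += 1
    return dict(per_uid)


def flag_repeat_destinations(hits, min_hits=3):
    """(uid, dst, dpt, count) for every destination one account hit at least min_hits times."""
    flagged = []
    for uid, targets in summarize_by_uid(hits).items():
        for (dst, dpt), n in targets.most_common():
            if n >= min_hits:
                flagged.append((uid, dst, dpt, n))
    return flagged


def hit_intervals(hits):
    """Seconds between consecutive hits, taken from the kernel uptime stamp (no year ambiguity)."""
    ups = [float(h["uptime"]) for h in hits]
    return [b - a for a, b in zip(ups, ups[1:])]


if __name__ == "__main__":
    hits = parse_port_hits(SAMPLE_LOG)
    for uid, dst, dpt, n in flag_repeat_destinations(hits):
        print(f"UID {uid} -> {dst}:{dpt} blocked {n} times")
    print("seconds between hits:", [round(i, 1) for i in hit_intervals(hits)])
```

The useful signal here is not any single blocked packet but the pattern: one UID, a handful of remote addresses, the same port, and a steady interval of a few seconds, which is what the alert above shows. Replace `SAMPLE_LOG` with the text of a real alert (or the output of `grep 'TCP_OUT Blocked' /var/log/messages`) to get the same summary for a live server; the UID in the output maps to an account via `getent passwd <uid>`.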
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    I can see your user file /home/USER/.lesshts/kthread is taking a long time to execute, and that is the reason you are getting these mail alerts from LFD. I would suggest scanning your account with LMD and deleting the infected files. Also check your kthread file.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I have moved this thread to our "Security" forum for further discussion. Note that you may also want to post your question to the CSF support forums as sometimes you will receive more user feedback for their software at their forums.

    Thank you.
     
  4. oswgarcia

    oswgarcia Member

    Joined:
    Oct 1, 2014
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    Hello All,

    Do you have an update on this? I am getting the same problem with more than 20 servers; it seems that all of them are compromised. The top five processes are showing kthread as follows:

    Code:
    10566 user 25 0 172 100 0 R 29.0 0.0 135:44.61 kthread
    10514 user 25 0 2268 2196 0 R 26.1 0.1 249:36.44 kthread
    10575 user 25 0 2268 2196 0 R 25.4 0.1 269:34.81 kthread
    10564 user 25 0 2268 2200 0 R 19.9 0.1 255:25.32 kthread
    10530 user 25 0 172 100 0 R 17.9 0.0 141:48.42 kthread

    I dug a little bit with lsof and found this, for example:

    Code:
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    kthread 10566 user cwd DIR 0,22 4096 12173448 /home/user
    kthread 10566 user rtd DIR 8,1 4096 2 /
    kthread 10566 user txt REG 0,22 35636 36389745 /home/user/.lesshts/kthread
    kthread 10566 user 0r FIFO 0,6 0t0 18194 pipe



    Do you have an idea what the problem could be? I am suspending those 5 users as a temporary remediation.
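An added example (editor's code, not oswgarcia's, and not a cPanel tool) of the check the lsof output above makes possible across many servers at once: parse default `lsof` output, take each process's `txt` entry (its on-disk executable), and flag binaries that live in a dot-directory under /home, in a world-writable temp directory, or that carry a kernel-thread name while being backed by a file at all (a real kernel thread has no executable on disk). The sample is constructed from the lsof lines in the post with two ordinary processes added; the column layout assumed is lsof's default nine columns.

```python
import re
import sys

# Column layout of default lsof output; NAME is the last column and may contain
# spaces, so each line is split into at most nine fields.
LSOF_COLUMNS = ("command", "pid", "user", "fd", "type", "device", "size", "node", "name")

# Names used by genuine kernel threads. A genuine kernel thread has no on-disk
# executable, so an lsof "txt" entry under one of these names is a user-space
# binary borrowing the name, exactly as in the thread.
KERNEL_THREAD_NAMES = {"kthread", "kthreadd", "kworker", "ksoftirqd"}

# A dot-directory directly under a home directory, e.g. /home/user/.lesshts/.
HIDDEN_HOME_RE = re.compile(r"^/home/[^/]+/\.[^/]+/")
# World-writable locations mentioned elsewhere in the thread as common drop points.
TMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed sample modelled on the lsof output in the post, plus two ordinary
# processes so the filter has something to leave alone.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
kthread 10566 user cwd DIR 0,22 4096 12173448 /home/user
kthread 10566 user rtd DIR 8,1 4096 2 /
kthread 10566 user txt REG 0,22 35636 36389745 /home/user/.lesshts/kthread
kthread 10566 user 0r FIFO 0,6 0t0 18194 pipe
httpd 2201 nobody txt REG 8,1 2187136 655362 /usr/local/apache/bin/httpd
php 2330 user txt REG 8,1 8765432 655400 /usr/bin/php
"""


def parse_lsof(text):
    """Turn lsof's whitespace-separated table into a list of row dicts (header skipped)."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("COMMAND"):
            continue
        parts = line.split(None, 8)
        if len(parts) == 9:
            rows.append(dict(zip(LSOF_COLUMNS, parts)))
    return rows


def executable_paths(rows):
    """pid -> (command, user, path) taken from each process's txt entry."""
    return {r["pid"]: (r["command"], r["user"], r["name"]) for r in rows if r["fd"] == "txt"}


def suspicious_processes(rows):
    """(pid, command, user, path, reasons) for every process worth a closer look."""
    findings = []
    for pid, (cmd, user, path) in executable_paths(rows).items():
        reasons = []
        if HIDDEN_HOME_RE.match(path):
            reasons.append("executable lives in a hidden directory under /home")
        if path.startswith(TMP_DIRS):
            reasons.append("executable lives in a world-writable temp directory")
        if cmd in KERNEL_THREAD_NAMES:
            reasons.append("named like a kernel thread but backed by an on-disk file")
        if reasons:
            findings.append((pid, cmd, user, path, reasons))
    return findings


if __name__ == "__main__":
    # Use the constructed sample interactively; otherwise read real lsof output from stdin.
    text = SAMPLE_LSOF if sys.stdin.isatty() else sys.stdin.read()
    for pid, cmd, user, path, reasons in suspicious_processes(parse_lsof(text)):
        print(f"PID {pid} ({cmd}, {user}) {path}: " + "; ".join(reasons))
```

On a live server, `lsof -n -P | python3 lsof_triage.py` (file name assumed) lists the hits; the PIDs it prints are the ones to preserve (copy the binary and `/proc/<pid>/` details) before suspending the account, since the executable is what LMD or a sample submission will need.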
     
  5. triantech

    triantech Well-Known Member

    Joined:
    Jul 1, 2014
    Messages:
    145
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Kochi, India, India
    cPanel Access Level:
    Root Administrator
    Hey oswgarcia,

    Just out of curiosity, are your servers patched against the Shellshock bug?

    Also, can you find out whether your server IP is making excessive connections to a specific IP's port 443?
     
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Something is most likely compromised, probably user passwords.

    Most Shellshock stuff I've seen dumps into /tmp or /dev/shm, not a user's homedir.

    Check last (lastlog) or /var/log/secure for any ssh logins to those accounts.
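An added example (editor's code, not quizknows's) of the /var/log/secure check suggested above, done over a handful of lines rather than by eye: it parses sshd's "Accepted"/"Failed" lines, lists accepted logins for the accounts of interest with their source addresses, and flags the pattern most consistent with a guessed password, a run of failures from one address followed by a success for the same account. The sshd line format is assumed to be the standard syslog one; the sample lines are constructed, with documentation addresses.

```python
import re
from collections import defaultdict

# sshd lines as written to /var/log/secure (standard syslog format assumed).
# "invalid user" is inserted by sshd for names that do not exist on the system.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample: two failures then a success for "user" from one address,
# a normal key login for another account, a probe for a non-existent name, and
# an unrelated cron line that the parser must ignore.
SAMPLE_SECURE = """\
Nov  2 20:01:11 master sshd[4100]: Failed password for user from 198.51.100.20 port 50211 ssh2
Nov  2 20:01:14 master sshd[4100]: Failed password for user from 198.51.100.20 port 50211 ssh2
Nov  2 20:01:19 master sshd[4102]: Accepted password for user from 198.51.100.20 port 50240 ssh2
Nov  2 21:30:02 master sshd[4390]: Accepted publickey for admin from 192.0.2.44 port 41022 ssh2
Nov  2 21:45:00 master sshd[4401]: Failed password for invalid user test from 203.0.113.99 port 33333 ssh2
Nov  2 22:00:00 master crond[500]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_sshd_events(text):
    """One dict per sshd authentication line, in log order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def accepted_logins(events, accounts):
    """Successful logins to any of the given account names (the suspended users, say)."""
    return [e for e in events if e["result"] == "Accepted" and e["user"] in accounts]


def sources_per_account(events):
    """account -> set of addresses that logged in successfully."""
    sources = defaultdict(set)
    for e in events:
        if e["result"] == "Accepted":
            sources[e["user"]].add(e["ip"])
    return dict(sources)


def brute_force_then_success(events, min_failures=2):
    """(user, ip, failures) where a success followed >= min_failures failures from the same ip."""
    failures = defaultdict(int)
    found = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "Failed":
            failures[key] += 1
        else:
            if failures[key] >= min_failures:
                found.append((e["user"], e["ip"], failures[key]))
            failures[key] = 0
    return found


if __name__ == "__main__":
    events = parse_sshd_events(SAMPLE_SECURE)
    for e in accepted_logins(events, {"user"}):
        print(f"{e['ts']} {e['user']} via {e['method']} from {e['ip']}")
    for user, ip, n in brute_force_then_success(events):
        print(f"{user}: {n} failures then success from {ip}")
```

Run it over the real file with the account names from the lfd alerts (`UID 588` resolves to a name via `getent passwd 588`); a success from an address the customer does not recognise, or any hit from `brute_force_then_success`, supports the password-compromise theory rather than Shellshock and changes what needs to be rotated.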
     
  7. oswgarcia

    oswgarcia Member

    Joined:
    Oct 1, 2014
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner

    Thanks for your answers. We have discovered that the issue was related to the Shellshock bug; we patched our servers when the bug came out, but for some reason some accounts were not updated.

    We have patched all our servers again, and it seems the issue is now resolved. I have not seen any more kernel threads running in users' home directories.

    Thanks,
     
  8. triantech

    triantech Well-Known Member

    Joined:
    Jul 1, 2014
    Messages:
    145
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Kochi, India, India
    cPanel Access Level:
    Root Administrator
    russelld,

    Do you have any update on this? Can you please let us know if you spotted something?
     