Operating System & Version
Cloudlinux 8
cPanel & WHM Version
11.96.0.8

Adnan RIHAN

Member
Jan 17, 2016
6
0
51
Devant mon écran
cPanel Access Level
Root Administrator
Few days ago, I saw this in `bash_history` while looking for something else:

539 2021-05-17 03:54:07 yum update php-libpng
540 2021-05-17 09:18:05 yum install john
541 2021-05-17 09:18:35 yum install john-the-ripper
542 2021-05-17 09:18:46 sudo yum install epel-release
543 2021-05-17 09:18:56 sudo yum install snapd
544 2021-05-17 09:19:03 sudo systemctl enable --now snapd.socket
545 2021-05-17 09:19:09 sudo ln -s /var/lib/snapd/snap /snap
546 2021-05-17 09:19:14 sudo snap install john-the-ripper
547 2021-05-17 09:19:58 unshadow /etc/passwd /etc/shadow > mypasswd.txt
548 2021-05-17 09:20:05 john
549 2021-05-17 09:21:19 unshadow
550 2021-05-17 09:21:27 john unshadow
551 2021-05-17 09:21:47 /usr/sbin/unshadow
552 2021-05-17 09:22:43 ls
553 2021-05-17 09:22:50 cd /etc/john*
554 2021-05-17 17:01:30 ( chkconfig cxswatch on; sed -i "s/cxswatch:0 cxswatch:1/" /etc/chkserv.d/chkservd.conf; )
539 being MY last action on the server, connected as root by private key, and 554 being ConfigServer installing their stuff and making configurations.

[[email protected] www]# who -a
démarrage système 2021-05-16 01:10
IDENTIFIANT tty1 2021-05-16 01:11 1934 id=tty1
niveau d'exécution 3 2021-05-16 01:11
root + pts/0 2021-05-19 11:12 . 2987011 (82.64.94.155)
pts/1 2021-05-18 23:09 2565543 id=/1 term=0 sortie=0
pts/2 2021-05-17 01:31 790573 id=/2 term=0 sortie=0
pts/1 2021-05-18 19:52 2356257 id=ts/1 term=0 sortie=0
pts/2 2021-05-17 17:08 1251035 id=ts/2 term=0 sortie=0
pts/3 2021-05-17 17:08 1251107 id=ts/3 term=0 sortie=0
pts/4 2021-05-17 17:01 1431009 id=/4 term=0 sortie=0
[[email protected] www]# zgrep -h sshd /var/log/secure-20210516 /var/log/secure-20210517.gz | grep -F 'Accepted'
# Truncated
May 9 22:35:46 phoebe sshd[153013]: Accepted publickey for root from MY_HOME_IP
May 10 11:34:26 phoebe sshd[498230]: Accepted publickey for root from MY_HOME_IP
May 11 00:07:50 phoebe sshd[978883]: Accepted publickey for root from MY_HOME_IP
May 11 21:53:27 phoebe sshd[2032266]: Accepted publickey for root from MY_HOME_IP
May 11 22:42:17 phoebe sshd[2056997]: Accepted publickey for root from CPANEL_IP1
May 12 02:14:11 phoebe sshd[2165520]: Accepted publickey for root from CPANEL_IP1
May 12 03:19:42 phoebe sshd[2198215]: Accepted publickey for root from CPANEL_IP1
May 12 10:57:11 phoebe sshd[2445876]: Accepted publickey for root from MY_HOME_IP
May 12 11:56:08 phoebe sshd[2479979]: Accepted publickey for root from CPANEL_IP2
May 13 18:30:27 phoebe sshd[3903110]: Accepted publickey for root from MY_HOME_IP
May 14 17:25:36 phoebe sshd[694978]: Accepted publickey for root from MY_HOME_IP
May 14 22:46:44 phoebe sshd[891802]: Accepted publickey for root from MY_HOME_IP
May 15 09:34:00 phoebe sshd[1298613]: Accepted publickey for root from MY_HOME_IP
May 15 21:17:01 phoebe sshd[1692601]: Accepted publickey for root from MY_HOME_IP
May 16 00:45:29 phoebe sshd[1814485]: Accepted publickey for root from MY_HOME_IP
May 16 01:00:54 phoebe sshd[7536]: Accepted publickey for root from MY_HOME_IP
May 16 01:15:29 phoebe sshd[4596]: Accepted publickey for root from MY_HOME_IP
May 17 11:56:56 phoebe sshd[1112647]: Accepted publickey for root from MY_HOME_IP
May 17 16:35:06 phoebe sshd[1250904]: Accepted publickey for root from CONFIGSERVER
May 17 16:35:22 phoebe sshd[1251035]: Accepted publickey for root from CONFIGSERVER
May 17 16:35:26 phoebe sshd[1251107]: Accepted publickey for root from CONFIGSERVER
From where I'm standing, first the hacker couldn't get his hand on anything as he couldn't execute JTR, I changed passwords immediately but don't think it will prevent another attempt. But he seems to come out of nowhere! There is no SSH connection, there is no suspected IP nor public key, there is no sudo group in sudoers.

Can someone give me a hint on where to look for an entry point please?
 
Last edited by a moderator:

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
13,259
2,086
363
cPanel Access Level
Root Administrator
As @ffeingol said, the "last" command should give you output that looks like this:

Code:
root     pts/0        1.2.3.4     Mon May  3 10:25 - 06:06 (2+19:40)  
root     pts/0        1.2.3.4     Mon Apr 26 22:19 - 17:07 (1+18:47)  
reboot   system boot  3.10.0-1160.15.2 Mon Apr 26 22:18 - 10:34 (23+12:15)
root     pts/2        1.2.3.4     Fri Apr 23 16:10 - down  (3+06:06)  
root     pts/1        1.2.3.4    Fri Apr 23 16:02 - 18:16  (02:13)
Where "1.2.3.4" is the IP address of the user connecting to the server.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
13,259
2,086
363
cPanel Access Level
Root Administrator
While technically possible, if you use the Transfer Tool that is a secure method of moving the data between servers. If the compromised files were placed in a user account, then yes, those would also be moved.

If you aren't able to find more details it might be a good idea to work with a professional security administrator to do a thorough evaluation of the machine.