[Resolved] Server Compromise Question

nootkan

Well-Known Member
Oct 25, 2006
I've been trying to track down this exploit on my server now for some time with no luck and was wondering if anyone here has seen something similar and could maybe point me in the right direction? So far I've looked through my logs but cannot find any info that would lead me to the culprit. I am now starting to suspend my accounts one at a time to see if the exploit ceases, to try and narrow down the exact location. As I only have 20 accounts on the server it shouldn't take me long. Is there a better way to do this without inconveniencing my clients? Because my firewall is catching and blocking the attempts to connect to the outside IP address, I feel I have time to try and find the exploit before reformatting the OS on my server (last resort). Not to mention learn more about managing my own server, as I have little experience in this area. I have also downloaded and run Maldet with no issues found. Below is my server info and the actual log notification about the exploit.

CENTOS 6.5 i686 standard
WHM 11.40.1 (build 11)
cPanel Version 11.40.1 (build 11)
Apache version 2.2.25
PHP version 5.3.27
MySQL version 5.5.35-cll
Perl version 5.10.1
Kernel version 2.6.32-358.18.1.el6.
Config Server Security & Firewall
Config Server Exploit Scanner
Config Server Mailscanner
Mod Security
Rootkit Hunter version 1.4.0
Chkrootkit
ClamAV
Maldet

Here is the log I see every hour of every day and my packet loss shows 600-1400 (From myip - 1440 packets to tcp(80)) on my ip address daily.
Time: Mon Feb 17 06:52:24 2014 -0800
UID: 99 (nobody)
Hits: 11

Sample of port hits:
Feb 17 06:51:03 myserver kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=myip DST=192.155.95.153 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31907 DF PROTO=TCP SPT=41831 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=99 GID=99
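As an added example (not from this thread, and not cPanel or CSF code), here is a small parser that groups CSF's `*TCP_OUT Blocked*` kernel lines by UID, destination and port, so you can see which local user keeps trying to reach which host before suspending accounts one at a time. The sample lines are constructed for illustration and use documentation IP ranges; the field layout follows the log line quoted above.

```python
import re

# Constructed sample lines in the CSF "Firewall: *TCP_OUT Blocked*" format
# (hostnames, IPs and packet IDs are made up; the layout mirrors the post above).
SAMPLE_LOG = """\
Feb 17 06:51:03 myserver kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31907 DF PROTO=TCP SPT=41831 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=99 GID=99
Feb 17 06:51:05 myserver kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31910 DF PROTO=TCP SPT=41832 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=99 GID=99
Feb 17 06:52:11 myserver kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31950 DF PROTO=TCP SPT=41900 DPT=6667 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Feb 17 06:53:00 myserver kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=5555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Only outbound blocks matter here: inbound noise (TCP_IN) is a different question.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Firewall: \*TCP_OUT Blocked\* (?P<kv>.*)$"
)


def parse_tcp_out_blocked(text):
    """Return one dict per TCP_OUT Blocked line holding its key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # TCP_IN and unrelated kernel lines are skipped
        fields = {"ts": m.group("ts")}
        for tok in m.group("kv").split():
            if "=" in tok:  # bare flags such as DF carry no value
                k, v = tok.split("=", 1)
                fields[k] = v
        events.append(fields)
    return events


def summarize_by_uid(events):
    """Group blocked outbound SYNs by (UID, DST, DPT) with hit count and time span.

    UID 99 (nobody) repeatedly reaching port 80 points at an Apache/PHP process
    fetching something over HTTP; an unusual port under a customer UID is what
    would actually warrant suspending that one account first.
    """
    summary = {}
    for e in events:
        key = (e.get("UID", "?"), e["DST"], e.get("DPT", "?"))
        s = summary.setdefault(key, {"hits": 0, "first": e["ts"], "last": e["ts"]})
        s["hits"] += 1
        s["last"] = e["ts"]
    return summary


if __name__ == "__main__":
    for (uid, dst, dpt), s in sorted(summarize_by_uid(parse_tcp_out_blocked(SAMPLE_LOG)).items()):
        print(f"UID={uid:>5} -> {dst}:{dpt}  hits={s['hits']}  {s['first']} .. {s['last']}")
```

On a live box, feed it the output of something like `grep 'TCP_OUT Blocked' /var/log/messages` instead of the constructed sample.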
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
I don't think this is malicious. It's just an apache process trying to fetch something from an HTTP server.

It looks like someone trying to update a wordpress theme, cyberchimps.com is the only site I see hosted on that IP.

bing.com/search?q=ip%3A192.155.95.153
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

The logs you provided don't show any direct evidence of an exploit running on your server, as mentioned in the previous post. Is there anything else or any additional logs that lead you to believe your server has been exploited? Check to see if you can reproduce the log entries you provided by updating the wordpress theme for the account mentioned in the previous response by quizknows.

Thank you.
 

nootkan

Well-Known Member
Oct 25, 2006
I don't think this is malicious. It's just an apache process trying to fetch something from an HTTP server.

It looks like someone trying to update a wordpress theme, cyberchimps.com is the only site I see hosted on that IP.

bing.com/search?q=ip%3A192.155.95.153

Quizknows, thanks for your reply. Interestingly, when I checked whois I found the IP address info to be: United States Atlanta Linode; there was no indication of cyberchimps whatsoever. I happen to have an account with them, as I purchase themes from them, so I will definitely look into this further. I will also try your search string from now on when looking up an IP to determine the web site it is associated with. Many thanks.

- - - Updated - - -

Hello :)

The logs you provided don't show any direct evidence of an exploit running on your server, as mentioned in the previous post. Is there anything else or any additional logs that lead you to believe your server has been exploited? Check to see if you can reproduce the log entries you provided by updating the wordpress theme for the account mentioned in the previous response by quizknows.

Thank you.

cPanelMichael, thanks for your reply. No, those were the only logs I could find, and because I'm not that experienced yet with managing my server I was unable to fully understand what the logs were telling me. I made the assumption that a script was trying to connect with the dst IP and thought the worst. Relieved to hear it is not an exploit but probably a setting that got changed with an upgrade of a purchased theme by cyberchimps. I will start looking into this and check their forum also. Thanks again to both of you for helping me out. Much appreciated.
 

nootkan

Well-Known Member
Oct 25, 2006
Sorry for my tardiness in marking this resolved. It seems it was an issue with the Cyberchimps server trying to communicate through their upgrade process notification. The logs have now ceased. Thanks to all for helping me to understand what it was I was seeing in the logs.