
Something changing sysctl.conf?

Discussion in 'General Discussion' started by vag mor, Mar 15, 2019.

  1. vag mor

    vag mor Registered

    Joined:
    Mar 15, 2019
    Messages:
    2
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Athens
    cPanel Access Level:
    Root Administrator
    Hello to all,
    I just signed up on the forum.
    I have probably been hacked and I would like to ask if anyone has seen something similar...
    My sysctl.conf file keeps changing: some directives are removed, especially those that harden the kernel.
    I tried to use the audit tool to find out what changes the file and I came up with these logs:


    Code:
    type=PROCTITLE msg=audit(1552658461.599:668254): proctitle=2F7573722F6C6F63616C2F6370616E656C2F33726470617274792F62696E2F706870002F7573722F6C6F63616C2F6370616E656C2F77686F73746D67722F646F63726F6F742F77686D736F6E69632F757067726164652E706870
    type=PATH msg=audit(1552658461.599:668254): item=1 name="/etc/sysctl.conf" inode=15412 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=PATH msg=audit(1552658461.599:668254): item=0 name="/etc/" inode=16386 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1552658461.599:668254): cwd="/root"
    type=SYSCALL msg=audit(1552658461.599:668254): arch=c000003e syscall=2 success=no exit=-13 a0=7ffe48edd0f0 a1=241 a2=1b6 a3=2 items=2 ppid=3008851 pid=3008857 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=50993 comm="php" exe="/usr/local/cpanel/3rdparty/php/72/bin/php" key=(null)
    
    time->Fri Mar 15 16:01:01 2019
    type=PROCTITLE msg=audit(1552658461.613:668261): proctitle=7368002D63006563686F202766732E70726F7465637465645F73796D6C696E6B735F637265617465203D203027203E3E202F6574632F73797363746C2E636F6E663B
    type=PATH msg=audit(1552658461.613:668261): item=1 name="/etc/sysctl.conf" inode=15412 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=PATH msg=audit(1552658461.613:668261): item=0 name="/etc/" inode=16386 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1552658461.613:668261): cwd="/root"
    type=SYSCALL msg=audit(1552658461.613:668261): arch=c000003e syscall=2 success=no exit=-13 a0=1c30eb0 a1=441 a2=1b6 a3=0 items=2 ppid=3008857 pid=3008925 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=50993 comm="sh" exe="/usr/bin/bash" key=(null)
    These entries repeat every few minutes.
    Is there a way to find out whether there is a script on my server that edits the file, or whether an account has been hacked?
    For the time being I have made the file immutable (chattr +i) and it seems OK for now, but I need to find the source of the problem.
    P.S. Sorry for my English, it is not my native language.
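    The `proctitle=` values in the audit records above are hex-encoded because auditd encodes the field whenever the command line contains NUL bytes (the separators between argv elements) or non-printable characters, so the command that tried to write the file is not readable at a glance. The following script is an added example, not part of the thread or of cPanel's tooling: it parses the records quoted in the post (embedded as constructed sample input, with the `item=0` PATH records and `cap_*` fields dropped for brevity), decodes the proctitle into argv, interprets `syscall=2` as `open(2)` on x86_64 (`arch=c000003e`), turns `exit=-13` into `EACCES` (the refusal caused by the `chattr +i`), decodes the open flags in `a1`, and follows the `pid`/`ppid` links so the shell write can be tied to the process that spawned it. All function names are this example's own.

```python
"""Decode and correlate Linux auditd records (added example; not from the thread)."""
import re
from collections import defaultdict

# Constructed sample input: the two audit events quoted in the post above,
# abridged to the PROCTITLE, item=1 PATH and SYSCALL records.
SAMPLE_AUDIT_LOG = r"""
type=PROCTITLE msg=audit(1552658461.599:668254): proctitle=2F7573722F6C6F63616C2F6370616E656C2F33726470617274792F62696E2F706870002F7573722F6C6F63616C2F6370616E656C2F77686F73746D67722F646F63726F6F742F77686D736F6E69632F757067726164652E706870
type=PATH msg=audit(1552658461.599:668254): item=1 name="/etc/sysctl.conf" inode=15412 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1552658461.599:668254): arch=c000003e syscall=2 success=no exit=-13 a0=7ffe48edd0f0 a1=241 a2=1b6 a3=2 items=2 ppid=3008851 pid=3008857 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=50993 comm="php" exe="/usr/local/cpanel/3rdparty/php/72/bin/php" key=(null)
type=PROCTITLE msg=audit(1552658461.613:668261): proctitle=7368002D63006563686F202766732E70726F7465637465645F73796D6C696E6B735F637265617465203D203027203E3E202F6574632F73797363746C2E636F6E663B
type=PATH msg=audit(1552658461.613:668261): item=1 name="/etc/sysctl.conf" inode=15412 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1552658461.613:668261): arch=c000003e syscall=2 success=no exit=-13 a0=1c30eb0 a1=441 a2=1b6 a3=0 items=2 ppid=3008857 pid=3008925 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=50993 comm="sh" exe="/usr/bin/bash" key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')
# Linux x86_64 values, hard-coded so the script does not depend on the host's os.O_* constants.
OPEN_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT", 0x200: "O_TRUNC", 0x400: "O_APPEND"}
X86_64_SYSCALLS = {2: "open", 257: "openat", 82: "rename", 87: "unlink"}
FLAGS_ARG = {"open": "a1", "openat": "a2"}   # which syscall argument carries the flags
ERRNO = {1: "EPERM", 2: "ENOENT", 13: "EACCES"}


def unq(value):
    return value.strip('"')


def parse_fields(line):
    """One audit record -> dict of key=value fields (quotes kept on the values)."""
    return dict(FIELD_RE.findall(line))


def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv holds NUL or non-printable bytes;
    otherwise the field is quoted plain text. NUL separates the argv elements."""
    if value.startswith('"'):
        return [unq(value)]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\0")


def decode_open_flags(hexflags):
    """Name the flag bits of an open(2)/openat(2) flags argument."""
    flags = int(hexflags, 16)
    names = [name for bit, name in OPEN_FLAGS.items() if flags & bit]
    if not flags & 0x3:            # neither O_WRONLY nor O_RDWR set
        names.insert(0, "O_RDONLY")
    return names


def group_events(log_text):
    """Collect the PATH / PROCTITLE / SYSCALL records that share one event id."""
    events = defaultdict(dict)
    for line in log_text.strip().splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        f = parse_fields(line)
        ev = events[m.group(2)]
        ev["time"] = float(m.group(1))
        if f["type"] == "PATH":
            ev.setdefault("paths", []).append(unq(f["name"]))
        elif f["type"] == "PROCTITLE":
            ev["argv"] = decode_proctitle(f["proctitle"])
        elif f["type"] == "SYSCALL":
            ev["syscall"] = f
    return events


def summarize(ev):
    """Reduce one grouped event to the fields an investigator wants to read."""
    sc = ev["syscall"]
    call = X86_64_SYSCALLS.get(int(sc["syscall"]), "syscall#" + sc["syscall"])
    rc = int(sc["exit"])           # negative errno on failure
    return {
        "time": ev["time"], "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
        "auid": int(sc["auid"]), "uid": int(sc["uid"]),
        "comm": unq(sc["comm"]), "exe": unq(sc["exe"]),
        "argv": ev.get("argv", []), "call": call,
        "flags": decode_open_flags(sc[FLAGS_ARG[call]]) if call in FLAGS_ARG else [],
        "result": "ok" if sc["success"] == "yes" else ERRNO.get(-rc, f"errno {-rc}"),
        "targets": ev.get("paths", []),
    }


def analyze(log_text):
    """All syscall events in the log, oldest first."""
    return sorted((summarize(e) for e in group_events(log_text).values()
                   if "syscall" in e), key=lambda s: s["time"])


def process_chain(summaries, pid):
    """Follow pid -> ppid links among the observed events, child first."""
    by_pid = {s["pid"]: s for s in summaries}
    chain = []
    while pid in by_pid and by_pid[pid] not in chain:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    found = analyze(SAMPLE_AUDIT_LOG)
    for s in found:
        print(f"pid={s['pid']} ppid={s['ppid']} auid={s['auid']} {s['call']}"
              f"({', '.join(s['targets'])}, {'|'.join(s['flags'])}) -> {s['result']}")
        print("   argv:", s["argv"])
    print("parent chain of the shell write:", [c["comm"] for c in process_chain(found, 3008925)])
```

    Run as-is it works on the embedded sample; on a live system the same functions can be fed the output of `ausearch -f /etc/sysctl.conf` (with a watch rule such as `auditctl -w /etc/sysctl.conf -p wa -k sysctl-change` in place). Note that `ausearch -i` already performs the proctitle and syscall-number interpretation on its own; the value of a script like this is the pid/ppid correlation, which shows which process launched the shell that appended to the file, and the `auid` field, which records the login user of the session even when the effective uid is 0.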
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,476
    Likes Received:
    507
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @vag mor

    Based on that output it would appear that the root user (uid/gid 0) is making the modifications to that file. To rule out a root-level compromise I'd suggest opening a ticket so we can let you know. If you are root compromised, the safest and really the only solution would be to migrate to a new server.

    Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


    Thanks!
     
  3. vag mor

    vag mor Registered

    Thanks for your reply.
    The ticket ID is 11729935.
     
    #3 vag mor, Mar 22, 2019
    Last edited by a moderator: Mar 22, 2019
    cPanelLauren likes this.
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @vag mor

    Great, I've noted the ticket and I'm following it. I'll update here with any further information or when the issue is resolved.

    Thanks!
     
  5. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hello,


    I checked in on this ticket and it looks like the analyst working on it found that the 3rd party software whmsonic had modified the sysctl.conf. Just to be sure though I've had the ticket reopened to be looked over by one of our L3 analysts. I'll update further with the result of that investigation.


    Thanks!
     