Hello to all,
I just signed up to the forum.
I have probably been hacked and I would like to ask if anyone has seen something similar...
My sysctl.conf file keeps changing and some directives are removed, especially those that harden the kernel.
I tried to use the audit tool to find out who changes the file and I came up with these logs:
Code:
type=PROCTITLE msg=audit(1552658461.599:668254): proctitle=2F7573722F6C6F63616C2F6370616E656C2F33726470617274792F62696E2F706870002F7573722F6C6F63616C2F6370616E656C2F77686F73746D67722F646F63726F6F742F77686D736F6E69632F757067726164652E706870
type=PATH msg=audit(1552658461.599:668254): item=1 name="/etc/sysctl.conf" inode=15412 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1552658461.599:668254): item=0 name="/etc/" inode=16386 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1552658461.599:668254): cwd="/root"
type=SYSCALL msg=audit(1552658461.599:668254): arch=c000003e syscall=2 success=no exit=-13 a0=7ffe48edd0f0 a1=241 a2=1b6 a3=2 items=2 ppid=3008851 pid=3008857 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=50993 comm="php" exe="/usr/local/cpanel/3rdparty/php/72/bin/php" key=(null)
time->Fri Mar 15 16:01:01 2019
type=PROCTITLE msg=audit(1552658461.613:668261): proctitle=7368002D63006563686F202766732E70726F7465637465645F73796D6C696E6B735F637265617465203D203027203E3E202F6574632F73797363746C2E636F6E663B
type=PATH msg=audit(1552658461.613:668261): item=1 name="/etc/sysctl.conf" inode=15412 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1552658461.613:668261): item=0 name="/etc/" inode=16386 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1552658461.613:668261): cwd="/root"
type=SYSCALL msg=audit(1552658461.613:668261): arch=c000003e syscall=2 success=no exit=-13 a0=1c30eb0 a1=441 a2=1b6 a3=0 items=2 ppid=3008857 pid=3008925 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=50993 comm="sh" exe="/usr/bin/bash" key=(null)
These entries repeat every few minutes.
Is there a way to find out if there is a script on my server that edits the file, or if an account has been hacked?
For the time being I have made the file immutable (chattr +i) and it seems OK for now, but I need to find the source of the problem.
P.S. Sorry for my English, it is not my native language.
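Added example (not from the original post, nor from auditd or cPanel): a small parser for the quoted audit records that decodes the hex proctitle fields, names the open(2) flags in a1 and follows the ppid link between the two events, so the process appending to /etc/sysctl.conf can be traced back to the php process that spawned it. The sample log is constructed from the records above; syscall and flag numbers assume x86_64, as arch=c000003e indicates.

```python
import re
from collections import defaultdict

# Constructed sample: the two events quoted in the post (PARENT/CWD records dropped).
AUDIT_LOG = """\
type=PROCTITLE msg=audit(1552658461.599:668254): proctitle=2F7573722F6C6F63616C2F6370616E656C2F33726470617274792F62696E2F706870002F7573722F6C6F63616C2F6370616E656C2F77686F73746D67722F646F63726F6F742F77686D736F6E69632F757067726164652E706870
type=PATH msg=audit(1552658461.599:668254): item=1 name="/etc/sysctl.conf" inode=15412 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(1552658461.599:668254): arch=c000003e syscall=2 success=no exit=-13 a0=7ffe48edd0f0 a1=241 a2=1b6 a3=2 items=2 ppid=3008851 pid=3008857 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=50993 comm="php" exe="/usr/local/cpanel/3rdparty/php/72/bin/php" key=(null)
time->Fri Mar 15 16:01:01 2019
type=PROCTITLE msg=audit(1552658461.613:668261): proctitle=7368002D63006563686F202766732E70726F7465637465645F73796D6C696E6B735F637265617465203D203027203E3E202F6574632F73797363746C2E636F6E663B
type=PATH msg=audit(1552658461.613:668261): item=1 name="/etc/sysctl.conf" inode=15412 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(1552658461.613:668261): arch=c000003e syscall=2 success=no exit=-13 a0=1c30eb0 a1=441 a2=1b6 a3=0 items=2 ppid=3008857 pid=3008925 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=50993 comm="sh" exe="/usr/bin/bash" key=(null)
"""
HEADER_RE = re.compile(r'type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_record(line):
    """(type, serial, fields) for one audit line; None for separators like 'time->...'."""
    m = HEADER_RE.match(line)
    return m and (m[1], m[2], {k: v.strip('"') for k, v in FIELD_RE.findall(m[3])})

def decode_proctitle(hexstr):
    # auditd hex-encodes the NUL-separated argv block; split it back into arguments
    return [a.decode('utf-8', 'replace') for a in bytes.fromhex(hexstr).split(b'\x00') if a]

def open_flags(a1_hex):
    # open(2) flags from a1, x86_64 values (arch=c000003e); 0x441 is what '>>' produces
    flags = int(a1_hex, 16)
    names = [('O_RDONLY', 'O_WRONLY', 'O_RDWR')[flags & 3]]
    return names + [n for bit, n in ((0x40, 'O_CREAT'), (0x200, 'O_TRUNC'), (0x400, 'O_APPEND')) if flags & bit]

def correlate(log):
    """Merge the records that share one serial into a single event dict."""
    events = defaultdict(dict)
    for rtype, serial, f in filter(None, map(parse_record, log.splitlines())):
        ev = events[serial]
        if rtype == 'PROCTITLE':
            ev['argv'] = decode_proctitle(f['proctitle'])
        elif rtype == 'SYSCALL':
            ev.update(pid=int(f['pid']), ppid=int(f['ppid']), exe=f['exe'], errno=int(f['exit']),
                      flags=open_flags(f['a1']) if f['syscall'] == '2' else [])  # 2 = open on x86_64
        elif rtype == 'PATH' and f.get('objtype') == 'NORMAL':
            ev['path'] = f['name']  # the file actually opened, not the PARENT directory
    return dict(events)

def process_chain(events, pid):
    """Follow ppid links through the captured events: who spawned the writer?"""
    by_pid = {ev['pid']: ev for ev in events.values() if 'pid' in ev}
    return [by_pid[pid]] + process_chain(events, by_pid[pid]['ppid']) if pid in by_pid else []
```

Negative exit values are -errno, so -13 is EACCES; the chain for pid 3008925 comes out as the sh -c append spawned by php running whmsonic/upgrade.php.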