Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Something strange? That i noticed while auditing a server

Discussion in 'Security' started by cwalke32477, Nov 4, 2011.

  1. cwalke32477

    cwalke32477 Well-Known Member

    Joined:
    Mar 2, 2010
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    56
    Location:
    Atlanta, Georgia
    cPanel Access Level:
    Root Administrator
    TOnight, as I was doing an account audit on one of my servers, I noticed my server load suddenyl spike. SO went to check out the spike, and noticed a process that was running as root. The cpanel process list showed a large of /home directories.
    SO I went to SSH and run TOP, and it shows root running a find command, with pretty much all my user accounts listed.

    Is it normal for cpanel to do this on it's own, or is this evidence of some sort of compromise? with the rash of website defacements going around these days, this had me concerned, as I had never seen it before.

    In my un-knowledgeable panic, I had promptly changed the root password, though "who" only showed me, and rebooted the server. I also went ahead and disabled all cgi-bin access, and SSH jailshell access.
    The process has not returned, as of yet.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #1 cwalke32477, Nov 4, 2011
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Typically, find is used to locate files or folders of a certain type. It could have been running as part of the backup process to check for changed files. Was the cPanel backup running at the time? Was any other user logged into the system at the time?

    You can check any users logged in with this command:

    Code:
    w
    You can check if the cPanel backup is running with this command:

    Code:
    ps aux | grep cpbackup
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelTristan, Nov 4, 2011
  3. cwalke32477

    cwalke32477 Well-Known Member

    Joined:
    Mar 2, 2010
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    56
    Location:
    Atlanta, Georgia
    cPanel Access Level:
    Root Administrator
    I ran who, and no else was logged in but me.
    My backup's are only scheduled to run on weekends.
    No other backup processes like cpbackup or rsync were running at the time, either.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 cwalke32477, Nov 5, 2011
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    In the future, run an lsof on the PID number of the process or processes to get more details:

    Code:
    lsof -p PID#
    Where you would replace PID# with the PID number of the process.

    Of note, if you suspect a compromise going forward, do not kill off the process or processes until you can grab as much data as possible on what is happening. You can always submit a ticket with us so we can confirm that the server is compromised. We cannot correct or fix a compromised system, but we can indeed review the process or processes to see if that is what we suspect.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 cPanelTristan, Nov 6, 2011
(You must log in or sign up to post here.)
Loading...
Similar Threads - Something strange noticed
  1. schatzman

    Something very strange with php.ini load setting

    schatzman, Jun 15, 2017, in forum: General Discussion
    Replies:
    4
    Views:
    996
    KarolosW
    Jul 14, 2017
  2. ItsMattSon

    SOLVED Something went wrong while saving this configuration: Validate class not found from basename

    ItsMattSon, Jan 31, 2018, in forum: General Discussion
    Replies:
    2
    Views:
    1,012
    cPanelMichael
    Feb 1, 2018
  3. jfall123

    Something has been switching my dedicated IPs to shared lately..

    jfall123, Sep 26, 2017, in forum: General Discussion
    Replies:
    2
    Views:
    295
    jfall123
    Sep 26, 2017
  4. tui

    Email Cluster or something similar

    tui, Sep 4, 2017, in forum: E-mail Discussion
    Replies:
    5
    Views:
    846
    cPanelMichael
    Sep 6, 2017
  5. rinkleton

    Something weird with auto SSLs

    rinkleton, Jul 11, 2017, in forum: Security
    Replies:
    4
    Views:
    423
    cPanelMichael
    Jul 12, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice