Something strange that I noticed while auditing a server

cwalke32477
Well-Known Member, joined Mar 2, 2010, Atlanta, Georgia
cPanel Access Level: Root Administrator
Tonight, as I was doing an account audit on one of my servers, I noticed my server load suddenly spike. So I went to check out the spike, and noticed a process that was running as root. The cPanel process list showed a large number of /home directories.
So I went to SSH and ran top, and it shows root running a find command, with pretty much all my user accounts listed.

Example:

Code:
12158 root 30 15 12948 3160 660 D 3.7 0.0 0:06.84 /usr/bin/find /home/xxxxx/public_html /home/xxxxxx/public_html /home/xxxxx/public_html /home/xx...
Is it normal for cPanel to do this on its own, or is this evidence of some sort of compromise? With the rash of website defacements going around these days, this had me concerned, as I had never seen it before.

In my unknowledgeable panic, I promptly changed the root password, though "who" only showed me, and rebooted the server. I also went ahead and disabled all cgi-bin access and SSH jailshell access.
The process has not returned, as of yet.
 

cPanelTristan
Quality Assurance Analyst, Staff member, joined Oct 2, 2010
cPanel Access Level: Root Administrator
Typically, find is used to locate files or folders of a certain type. It could have been running as part of the backup process to check for changed files. Was the cPanel backup running at the time? Was any other user logged into the system at the time?

You can check any users logged in with this command:

Code:
w
You can check if the cPanel backup is running with this command:

Code:
ps aux | grep cpbackup
 

cPanelTristan
Quality Assurance Analyst, Staff member
In the future, run an lsof on the PID number of the process or processes to get more details:

Code:
lsof -p PID#
Where you would replace PID# with the PID number of the process.

Of note, if you suspect a compromise going forward, do not kill off the process or processes until you can grab as much data as possible on what is happening. You can always submit a ticket with us so we can confirm that the server is compromised. We cannot correct or fix a compromised system, but we can indeed review the process or processes to see if that is what we suspect.
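As an added example that is not part of the thread (my own helper script, not cPanel's tooling): the two replies above amount to "capture what the process is doing before you kill it". This POSIX sh script does that for a given PID, pulling the command line, uid, executable, working directory and open files, and then walking the parent chain so you can see whether the find was spawned by something expected (crond, a cPanel backup job) or by something that should never be launching root processes (a web server worker, a user's PHP process). It assumes a Linux /proc filesystem, uses lsof when it is installed and falls back to /proc/PID/fd otherwise; the function names are my own.

```shell
#!/bin/sh
# Added triage helper (not from the original thread). Records facts about a
# suspicious PID from /proc before anyone kills it, then prints its ancestry.
# Assumes Linux with /proc mounted; lsof is optional.

# proc_field PID FIELD -> value of FIELD (e.g. PPid, Uid, Name) from /proc/PID/status
proc_field() {
    awk -v f="$2:" '$1 == f { print $2; exit }' "/proc/$1/status" 2>/dev/null
}

# proc_cmdline PID -> the full argv, with NUL separators turned into spaces
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null
}

# triage_pid PID -> one block of facts about PID; returns 1 if PID does not exist
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "=== pid $pid ==="
    echo "cmdline: $(proc_cmdline "$pid")"
    echo "uid:     $(proc_field "$pid" Uid)"
    # A "(deleted)" suffix here means the binary was removed after it started,
    # which is common for dropped malware and rare for legitimate daemons.
    echo "exe:     $(readlink "/proc/$pid/exe" 2>/dev/null)"
    echo "cwd:     $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "--- open files ---"
    if command -v lsof >/dev/null 2>&1; then
        lsof -p "$pid" 2>/dev/null
    else
        ls -l "/proc/$pid/fd" 2>/dev/null
    fi
}

# ancestry PID -> lines of "pid ppid name" from PID up to init, so the origin of
# the process (crond? cpbackup? httpd? sshd?) is visible at a glance
ancestry() {
    pid=$1
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -d "/proc/$pid" ]; do
        ppid=$(proc_field "$pid" PPid)
        name=$(proc_field "$pid" Name)
        echo "$pid $ppid $name"
        [ "$pid" = "$ppid" ] && break
        pid=$ppid
    done
}

# Usage: sh triage.sh PID   (save output somewhere off the box before acting)
if [ $# -gt 0 ]; then
    triage_pid "$1"
    echo "--- ancestry (pid ppid name) ---"
    ancestry "$1"
fi
```

Run it against the PID shown in top (here 12158) and keep the output off the server; a find whose ancestry ends in crond or a backup script is a very different finding from one whose parent is an httpd or php worker running under a customer account.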