
SOLVED suspect root process running

Discussion in 'Security' started by joaosavioli, Dec 23, 2016.

  1. joaosavioli

    joaosavioli Member

    Joined:
    Feb 7, 2008
    Messages:
    24
    Likes Received:
    5
    Trophy Points:
    53
    Hello,

    Yesterday morning I could see a suspect process running on my server. Here is the process:
    root 31276 0.0 0.0 124396 2496 ? SN 06:33 0:00 /usr/local/cpanel/3rdparty/perl/522/bin/perl -C0 -e use Fcntl;?$SIG{HUP}=sub{exit};?if ( my $fn=shift ) {? sysopen(my $fh, qq{$fn}, O_WRONLY|O_CREAT|O_EXCL) or die $!;? print {$fh} $$;? close $fh;?}?my $buf; while (sysread(STDIN, $buf, 2048)) {? syswrite(STDOUT, $buf); syswrite(STDERR, $buf);?}? /tmp/EXdKDCgC_f

    Did this process run successfully?
    Is there any way to know if my root is compromised?

    Thank you for your help!
    Joao
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,029
    Likes Received:
    1,277
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    It looks like you've opened a support ticket for this issue, #8077941. Please update us with the outcome of the ticket once it's closed.

    Thank you.
     
  3. joaosavioli

    joaosavioli Member

    Hello,

    Yes, I'll update.

    I've run chkrootkit and found this:
    You have 2 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed
    Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/lldpad)
    eth0:cp1: PF_PACKET(/usr/sbin/lldpad)

    Is it a problem?

    Best regards
    Joao
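
One way to cross-check the chkproc warning quoted in the post above, as an added example that is not part of the thread or of chkrootkit (function names and sample PIDs are constructed): chkproc compares `/proc` against `ps` output, so a process that starts or exits between the two listings is reported as hidden. The sketch repeats the comparison and keeps only PIDs that are missing from `ps` in both samples.

```shell
#!/bin/sh
# Added example: cross-check a "process hidden for ps command" warning.
# A PID counts as suspicious only if it is in /proc but missing from ps
# in two separate samples; one-off misses are usually short-lived processes.

# Print every PID in list $1 that is absent from list $2 (newline-separated).
missing_from() {
    printf '%s\n' "$1" | while read -r pid; do
        [ -n "$pid" ] || continue
        printf '%s\n' "$2" | grep -qxF "$pid" || echo "$pid"
    done
}

# Print the PIDs that appear in both lists (hidden in sample 1 AND sample 2).
persistent() {
    printf '%s\n' "$1" | while read -r pid; do
        [ -n "$pid" ] || continue
        if printf '%s\n' "$2" | grep -qxF "$pid"; then echo "$pid"; fi
    done
}

# One live sample: numeric /proc entries that ps -e does not list.
sample_hidden() {
    in_proc=$(for d in /proc/[0-9]*; do
        if [ -d "$d" ]; then echo "${d#/proc/}"; fi
    done)
    in_ps=$(ps -e -o pid= | tr -d ' ')
    missing_from "$in_proc" "$in_ps"
}

# Live check (run as root on the server): two samples a few seconds apart.
live_check() {
    first=$(sample_hidden)
    sleep 3
    second=$(sample_hidden)
    persistent "$first" "$second"
}

# Constructed snapshots (not from the thread): 4242 is missing from ps in
# both samples, 5150 only in the first (it exited before ps ran).
demo() {
    h1=$(missing_from "$(printf '%s\n' 1 812 4242 5150)" "$(printf '%s\n' 1 812)")
    h2=$(missing_from "$(printf '%s\n' 1 812 4242 6001)" "$(printf '%s\n' 1 812 6001)")
    persistent "$h1" "$h2"
}

demo   # prints 4242; on a real host call live_check instead
```

A rootkit that also hides its `/proc` entry will not show up here, so an empty result only rules out the ps/proc mismatch that chkproc reported.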
     
  4. joaosavioli

    joaosavioli Member

    Hello,

    This morning I received this update.
    The case is closed.

    Thank you
    Joao
     
    #4 joaosavioli, Dec 27, 2016
    Last edited by a moderator: Dec 27, 2016
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,617
    Likes Received:
    296
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Thanks for updating the thread with the outcome.
     