SOLVED suspect root process running

Discussion in 'Security' started by joaosavioli, Dec 23, 2016.

  1. joaosavioli

    joaosavioli Well-Known Member

    Joined:
    Feb 7, 2008
    Messages:
    49
    Likes Received:
    10
    Trophy Points:
    58
    Hello,

    Yesterday morning I could see a suspect process running on my server. Here is the process:
    root 31276 0.0 0.0 124396 2496 ? SN 06:33 0:00 /usr/local/cpanel/3rdparty/perl/522/bin/perl -C0 -e use Fcntl;?$SIG{HUP}=sub{exit};?if ( my $fn=shift ) {? sysopen(my $fh, qq{$fn}, O_WRONLY|O_CREAT|O_EXCL) or die $!;? print {$fh} $$;? close $fh;?}?my $buf; while (sysread(STDIN, $buf, 2048)) {? syswrite(STDOUT, $buf); syswrite(STDERR, $buf);?}? /tmp/EXdKDCgC_f

    Did this process run successfully?
    Is there any way to know if my root is compromised?

    Thank you for the help!
    Joao
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,491
    Likes Received:
    1,964
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    It looks like you've opened a support ticket for this issue, #8077941. Please update us with the outcome of the ticket once it's closed.

    Thank you.
     
  3. joaosavioli

    joaosavioli Well-Known Member

    Joined:
    Feb 7, 2008
    Messages:
    49
    Likes Received:
    10
    Trophy Points:
    58
    Hello,

    Yes, I'll update.

    I've run chkrootkit and found this:
    You have 2 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed
    Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/lldpad)
    eth0:cp1: PF_PACKET(/usr/sbin/lldpad)

    Is it a problem?

    Best regards
    Joao
     
  4. joaosavioli

    joaosavioli Well-Known Member

    Joined:
    Feb 7, 2008
    Messages:
    49
    Likes Received:
    10
    Trophy Points:
    58
    Hello,

    This morning I received this update.
    The case is closed.

    Thank you
    Joao
     
    #4 joaosavioli, Dec 27, 2016
    Last edited by a moderator: Dec 27, 2016
    cPanelMichael likes this.
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,585
    Likes Received:
    440
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Thanks for updating the thread with the outcome.
     