Suspicious domains in the Host Database

NabiKAZ

Active Member
Jun 18, 2007
25
1
53
I recently saw these suspicious items in the "mysql" database name and the "user" and "db" tables in the "Host" column:
send.klaviyomsv.com
huffingtonpost.co.za
Are these domains and some other IPs normal here?



Spirogg

Well-Known Member
Feb 21, 2018
695
151
43
chicago
cPanel Access Level
Root Administrator
> I recently saw these suspicious items in the "mysql" database name and the "user" and "db" tables in the "Host" column:
> send.klaviyomsv.com
> huffingtonpost.co.za
> Are these domains and some other IPs normal here?

is this your dedicated server? or shared or VPS?
do these IPs belong to you?

do you know these domains
huffingtonpost.co.za
send.klaviyomsv.com

are these your domains? or do you have user accounts with these domains - sub-domains?

if it's your server and not your IPs and users, it is fishy.
if shared, I would contact the hosting provider to check this
 


NabiKAZ

> is this your dedicated server? or shared or VPS?

It's a VPS for shared hosting, and I'm the admin with root access.

> do these IPs belong to you?

These seem to be the server IPs of my previous years that are no longer available to me.

> do you know these domains
> huffingtonpost.co.za
> send.klaviyomsv.com
> are these your domains? or do you have user accounts with these domains - sub-domains?

No, I do not know these domains and there are no clients or sites with these domains hosted on my server.

> do you have any accounts that have Klaviyo (Email & SMS Marketing Automation Platform, https://www.klaviyo.com)?
> this seems to be an email platform. maybe it's sending spam emails, I would check the user's account

No, and I strongly oppose spam, and I will never allow a customer to install a spam panel on their site and send spam.

> Could you confirm what table and database we're looking at? I wouldn't expect those to show up, but it's hard to say with the information we have.

As written above the image, the name of the database is mysql. This is the main database of the server, in which the usernames and passwords for database access of the accounts on the server are stored, and also, for example, access for the users' phpMyAdmin and even remote access to the database.

```
# cat /usr/local/cpanel/version
11.100.0.11
# mysql --version
mysql Ver 15.1 Distrib 10.3.19-MariaDB, for Linux (x86_64) using readline 5.1
```
 

NabiKAZ

The new thing I noticed is that every time I create a new account, the "send.klaviyomsv.com" access record is immediately added to the "mysql" database. Is this normal? How can I find out where this address is set?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,360
1,628
363
cPanel Access Level
Root Administrator
That's interesting - I don't have any other suggestions of where that could be, as those are the two most logical places for that to show up. It might be time for a massive grep of /etc/ to see if that name is listed in any configuration files.

I did try looking through the code to see where MySQL determines the host values, but I wasn't able to find that so I'm wondering if that also comes from within MySQL. Searching all tables for that text string might give you some good information also.
 
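One way to do the check cPRex suggests on the MySQL side, added here as an example that is not part of this thread: it lists every Host value in mysql.user (and mysql.db) that is neither local nor the server's own hostname. The baseline set, the sample rows and the dependence on root's ~/.my.cnf are assumptions made for the example.

```python
import socket
import subprocess

# Host values that are legitimately expected in mysql.user / mysql.db on a cPanel
# server: local access plus the server's own hostname. Assumed baseline for this
# example; hosts you allowed on purpose (WHM remote MySQL) go in extra_allowed.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample of `mysql -N -B -e "SELECT Host, User FROM mysql.user"`
# output (tab-separated, no header); the hostnames are the ones from the thread.
SAMPLE_USER_TABLE = """\
localhost\troot
localhost\tcpses_abc123
srv10.example.test\tcpses_abc123
send.klaviyomsv.com\tcpses_abc123
huffingtonpost.co.za\tshopuser
203.0.113.7\tshopuser
"""

def parse_host_user(tsv):
    """Turn batch-mode mysql output into a list of (host, user) tuples."""
    rows = []
    for line in tsv.splitlines():
        if line.strip():
            host, user = line.split("\t", 1)
            rows.append((host, user))
    return rows

def unexpected_hosts(rows, server_hostname, extra_allowed=()):
    """Return (host, user) pairs whose Host is neither local, the server's own
    hostname, nor explicitly allowed. '%' is deliberately not allowed."""
    allowed = LOCAL_HOSTS | {server_hostname.lower()} | {h.lower() for h in extra_allowed}
    return [(h, u) for h, u in rows if h.lower() not in allowed]

def fetch_host_user(table="user"):
    """Query the live server; relies on root's ~/.my.cnf, as on a cPanel box."""
    out = subprocess.run(
        ["mysql", "-N", "-B", "-e", f"SELECT Host, User FROM mysql.{table}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_host_user(out)

if __name__ == "__main__":
    me = socket.getfqdn()
    for table in ("user", "db"):
        for host, user in unexpected_hosts(fetch_host_user(table), me):
            print(f"mysql.{table}: user {user!r} may connect from {host!r}")
```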

NabiKAZ

> The new thing I noticed is that every time I create a new account, the "send.klaviyomsv.com" access record is immediately added to the "mysql" database. Is this normal? How can I find out where this address is set?

After one day, I checked the same account again! Strangely, there was no trace of "send.klaviyomsv.com"; it had been replaced with the original hostname of my server!


I re-created a new account, which again had "send.k...", but after less than an hour it changed back to my server hostname! This did not happen with the old hosted accounts, which still have "send.k..."!
 

NabiKAZ

> That's interesting - I don't have any other suggestions of where that could be, as those are the two most logical places for that to show up. It might be time for a massive grep of /etc/ to see if that name is listed in any configuration files.
>
> I did try looking through the code to see where MySQL determines the host values, but I wasn't able to find that so I'm wondering if that also comes from within MySQL. Searching all tables for that text string might give you some good information also.

Incidentally, before you say it: I had already done that. Because it was time consuming, I ran it in the background and got the result today.

By this command:

```
grep -lir "send.klaviyomsv.com" ......
```

I checked the paths: /etc, /usr, /var
Result:

```
#/etc:
nothing

#/usr:
/usr/local/cpanel/Cpanel/iContact.pm
grep: /usr/share/cagefs-skeleton/proc/sys/fs/binfmt_misc: Too many levels of symbolic links
grep: /usr/share/cagefs-skeleton/proc/sys/fs/datacycle/flush: Permission denied
grep: /usr/share/cagefs-skeleton/proc/sys/net/ipv4/route/flush: Permission denied
grep: /usr/share/cagefs-skeleton/proc/sys/net/ipv6/conf/all/stable_secret: Input/output error
grep: /usr/share/cagefs-skeleton/proc/sys/net/ipv6/conf/default/stable_secret: Input/output error
grep: /usr/share/cagefs-skeleton/proc/sys/net/ipv6/conf/eth0/stable_secret: Input/output error
grep: /usr/share/cagefs-skeleton/proc/sys/net/ipv6/conf/lo/stable_secret: Input/output error
grep: /usr/share/cagefs-skeleton/proc/sys/net/ipv6/route/flush: Permission denied
grep: /usr/share/cagefs-skeleton/proc/sys/vm/compact_memory: Permission denied

#/var:
/var/cpanel/transfer_sessions/whmxfer.sqlite
/var/cpanel/databases/grants_sh*****.cache
/var/cpanel/databases/grants_sh*****.yaml
/var/cpanel/databases/grants_ba*******.cache
/var/cpanel/databases/grants_ba*******.yaml
/var/cpanel/userhomes/cpanelphpmyadmin/sessions/sess_b909ddba************
/var/crash/127.0.0.1-2021-03-02-10:58:47/vmcore
/var/crash/127.0.0.1-2021-06-21-17:21:46/vmcore
grep: /var/log/dcpumon/toplog.1655092201: No such file or directory
/var/log/secure
/var/lib/mysql/mysql/db.MYI
/var/lib/mysql/mysql/db.MYD
/var/lib/mysql/mysql/user.MYI
/var/lib/mysql/mysql/user.MYD
```

I immediately suspected the `/usr/local/cpanel/Cpanel/iContact.pm` file and checked it. The string appears in two places in the file, next to the names of my main hosts:

main server:

(screenshot)

(screenshot)

I have three other servers that I also checked.

On two servers, I came across two other strange addresses in the same place:

server 1:
(screenshot)

server 2:
(screenshot)

And on the third server, because there was no update, nothing was found in this place.

"a2891.casalemedia.com" and "huffingtonpost.co.za", which are as unknown and strange as the previous address "send.klaviyomsv.com"!


Then I did an experiment and deleted that address from both places in the file. But when I created a new account, the address "send.klaviyomsv.com" was still added to the database for that account.
So it seems to be injected from somewhere else.

It is strange!
 

Michael-Inet

Well-Known Member
Feb 20, 2014
132
18
68
Nashville, TN, USA
cPanel Access Level
Root Administrator
@NabiKAZ,

Are you using AlmaLinux on the [hacked] boxes?

My CentOS 7 boxes do not show that line in that file. My new, 5 days old, AlmaLinux 8 does. I did notice that the AlmaLinux box had no firewall installed during base, so it was open to any OS exploits until csf was installed after cPanel.

Diff between the two files shows this is added to the [hacked] box.

```
Line# Content
0534 $email_args_hr->{'subject'} =~ s/video.fjed4-1.fna.fbcdn.net/srv10.srv10-inet-design.com/g;
1346 $filesys_safe_subject_header =~ s/video.fjed4-1.fna.fbcdn.net/srv10.srv10-inet-design.com/g;
```

Both these added lines are also sed replace commands. I went through the AlmaLinux 8 Mail Delivery Reports, but did not find anything unusual.

My best guess is these boxes are hacked and need to be rebuilt from scratch.

cPRex, I've attached the AlmaLinux 8 file, can you find out if it's an unaltered cPanel file?
Edit: Uh, guess I can't attach it. I guess just ask if those two lines are legit for an AlmaLinux 8 box.

Michael


AlmaLinux 8:

```
[email protected] [~]# grep -i 'email_args' /usr/local/cpanel/Cpanel/iContact.pm
my %email_args = (
$email_args{'im_message'} = $im_msg;
$email_args{'im_subject'} = $im_subject;
$email_args{'html_body'} = $main_content_ref;
$email_args{'text_body'} = \$plaintext_msg;
$email_args{'text_body'} = $main_content_ref;
$email_args{'history_file'} = _save_notification_to_log(
'email_args_hr' => \%email_args,
my $notifications = _send_notifications( $contactshash_ref, \%email_args, $attach_files );
my ( $contactshash_ref, $email_args_hr, $attach_files_ar ) = @_;
$email_args_hr->{'subject'} =~ s/video.fjed4-1.fna.fbcdn.net/srv10.srv10-inet-design.com/g;
$email_args_hr->{'to'} = $to_ar;
'args' => $email_args_hr,
my $email_args_hr = $OPTS{'email_args_hr'};
my $filesys_safe_subject_header = $email_args_hr->{'subject'};
Cpanel::iContact::Email::write_email_to_fh( $target->{'fh'}, %{$email_args_hr} );
[email protected] [~]# ll /usr/local/cpanel/Cpanel/iContact.pm
-rw-r--r-- 1 root root 59149 Jun 9 19:30 /usr/local/cpanel/Cpanel/iContact.pm
```


CentOS 7:

```
[email protected] [~/bin]# grep -i 'email_args' /usr/local/cpanel/Cpanel/iContact.pm
my %email_args = (
$email_args{'im_message'} = $im_msg;
$email_args{'im_subject'} = $im_subject;
$email_args{'html_body'} = $main_content_ref;
$email_args{'text_body'} = \$plaintext_msg;
$email_args{'text_body'} = $main_content_ref;
$email_args{'history_file'} = _save_notification_to_log(
'email_args_hr' => \%email_args,
my $notifications = _send_notifications( $contactshash_ref, \%email_args, $attach_files );
my ( $contactshash_ref, $email_args_hr, $attach_files_ar ) = @_;
$email_args_hr->{'to'} = $to_ar;
'args' => $email_args_hr,
my $email_args_hr = $OPTS{'email_args_hr'};
my $filesys_safe_subject_header = $email_args_hr->{'subject'};
Cpanel::iContact::Email::write_email_to_fh( $target->{'fh'}, %{$email_args_hr} );
[email protected] [~/bin]# ll /usr/local/cpanel/Cpanel/iContact.pm
-rw-r--r-- 1 root root 58960 Jun 1 03:18 /usr/local/cpanel/Cpanel/iContact.pm
```
 
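A scripted version of the file comparison Michael-Inet did by hand, added here as an example and not the thread's own code: it flags hostname-to-hostname substitutions in a Perl file such as iContact.pm, and lists lines present in a suspect copy but absent from a known-good copy. The excerpts are constructed from the lines quoted above; the file paths in the usage block are assumptions.

```python
import difflib
import re

# A Perl substitution whose search and replacement both look like hostnames, e.g.
#   $x =~ s/video.fjed4-1.fna.fbcdn.net/srv10.srv10-inet-design.com/g;
# Notification code has no legitimate reason to rewrite one hostname into another.
HOST_REWRITE_RE = re.compile(
    r"=~\s*s/(?P<src>[A-Za-z0-9.-]+\.[A-Za-z]{2,})/(?P<dst>[A-Za-z0-9.-]+\.[A-Za-z]{2,})/[a-z]*"
)

def find_host_rewrites(perl_source):
    """Return (line_no, from_host, to_host) for each hostname rewrite found."""
    hits = []
    for n, line in enumerate(perl_source.splitlines(), start=1):
        m = HOST_REWRITE_RE.search(line)
        if m:
            hits.append((n, m.group("src"), m.group("dst")))
    return hits

def lines_added_vs_reference(reference, suspect):
    """Lines present in the suspect copy but not in a known-good copy of the same
    file (the diff approach used above), without diff headers or context lines."""
    diff = difflib.unified_diff(reference.splitlines(), suspect.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]

# Constructed excerpts: three lines as a clean file would have them, and the same
# excerpt with the two lines quoted in the post above inserted.
CLEAN_EXCERPT = """\
my ( $contactshash_ref, $email_args_hr, $attach_files_ar ) = @_;
$email_args_hr->{'to'} = $to_ar;
my $filesys_safe_subject_header = $email_args_hr->{'subject'};
"""
SUSPECT_EXCERPT = """\
my ( $contactshash_ref, $email_args_hr, $attach_files_ar ) = @_;
$email_args_hr->{'subject'} =~ s/video.fjed4-1.fna.fbcdn.net/srv10.srv10-inet-design.com/g;
$email_args_hr->{'to'} = $to_ar;
my $filesys_safe_subject_header = $email_args_hr->{'subject'};
$filesys_safe_subject_header =~ s/video.fjed4-1.fna.fbcdn.net/srv10.srv10-inet-design.com/g;
"""

if __name__ == "__main__":
    # On a live box: python3 this.py /usr/local/cpanel/Cpanel/iContact.pm
    import sys
    with open(sys.argv[1]) as fh:
        for n, src, dst in find_host_rewrites(fh.read()):
            print(f"line {n}: rewrites {src} -> {dst}")
```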

NabiKAZ

> @NabiKAZ,
> Are you using AlmaLinux on the [hacked] boxes?

No, I use this:

```
# cat /usr/local/cpanel/version
11.104.0.4
# mysql --version
mysql Ver 15.1 Distrib 10.3.34-MariaDB, for Linux (x86_64) using readline 5.1
# hostnamectl
   Static hostname: ***
         Icon name: computer-vm
           Chassis: vm
        Machine ID: ***
           Boot ID: ***
    Virtualization: kvm
  Operating System: CloudLinux 7.9 (Boris Yegorov)
       CPE OS Name: cpe:/o:cloudlinux:cloudlinux:7.9:GA:server
            Kernel: Linux 3.10.0-962.3.2.lve1.5.26.7.el7.x86_64
      Architecture: x86-64
# csf -v
csf: v14.16 (cPanel)
```
I think we should install a Cpanel version on a healthy server and compare all its files with the infected server.
 

NabiKAZ

Thanks for your support, but I prefer to follow the problem myself with the clues I get from you.

Now I realize another strange point. When I create an account in cPanel, the public_html ownership and permissions are USER:USER and 755 (instead of USER:nobody and 750), so it is a deadly security risk: the user can access other people's account data.

I also noticed that the "Normal Shell" tick is enabled by default for the newly created user, while in "Feature Manager" the "SSH Access & Terminal" option is not enabled.

I force reinstalled CPanel but it still did not work!

Of course, it should be noted that my server has been infected and suspicious files have been viewed on some accounts.
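An added check for the public_html ownership and permissions problem described in this post (example code, not from the thread): it reports any account directory that is not USER:nobody with mode 750 and flags world-readable directories. The /home layout, the group name "nobody" and the temporary sample directories are assumptions made for the example.

```python
import grp, os, pwd, stat, tempfile

EXPECTED_MODE = 0o750       # cPanel's normal mode for public_html
EXPECTED_GROUP = "nobody"   # web server group on a cPanel box

def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the number if unknown."""
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)

def check_public_html(path, expected_owner=None, expected_group=EXPECTED_GROUP,
                      expected_mode=EXPECTED_MODE):
    """Findings for one public_html; an empty list means USER:nobody 750 as expected."""
    st = os.stat(path)
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        findings.append(f"mode {mode:04o}, expected {expected_mode:04o}")
    if mode & stat.S_IROTH:
        # world-readable: any other local account can read this site's files
        findings.append("world-readable")
    group = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
    if expected_group is not None and group != expected_group:
        findings.append(f"group {group}, expected {expected_group}")
    if expected_owner is not None:
        owner = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
        if owner != expected_owner:
            findings.append(f"owner {owner}, expected {expected_owner}")
    return findings

def audit_home(home_root="/home"):
    """Check /home/<user>/public_html for every account (account = directory name)."""
    report = {}
    for user in sorted(os.listdir(home_root)):
        ph = os.path.join(home_root, user, "public_html")
        if os.path.isdir(ph):
            findings = check_public_html(ph, expected_owner=user)
            if findings:
                report[user] = findings
    return report

def make_sample_dir(mode):
    """Constructed sample for self-checks: a temp directory with the given mode."""
    path = tempfile.mkdtemp(prefix="public_html_")
    os.chmod(path, mode)
    return path
```

On a live server, `audit_home()` returns a dict of account name to findings; an empty dict means every public_html matches the expected layout.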