The Community Forums

suspicious process: find history

Discussion in 'Security' started by magj, Dec 25, 2017.

  1. magj

    magj Active Member

    Joined:
    Dec 20, 2013
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Germany
    cPanel Access Level:
    Root Administrator
    Hi

    I have many suspicious processes (4 or 5 simultaneously) with extreme I/O on my server; they restart immediately after I kill them.
    The processes look like this:
    Code:
    find // -name .*history ( -links 2 -o -type l )

    Any help would be greatly appreciated.
    Best
     
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    719
    Likes Received:
    245
    Trophy Points:
    93
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    I have no idea if there is any cPanel process that would invoke the find command, let alone look for a .*history string, which presumably will return files like .bash_history.

    My paranoid half (neither of me admits to schizophrenia) would worry that a process was looking to gather information from the bash (or some other) history, or worse, to delete traces of nefarious shell operations.

    I would start by looking at the user that was running the command. If you have enabled any sort of shell access for your users, they may just be looking for something they did earlier. If, however, this is invoked by root, I would be a lot more concerned.

    I would also review whether your PHP has any of the exec functions enabled. They can be used by uploaded scripts (e.g. web shells) to gather data and execute commands.

    I can only refer you to the following docs:
    Tips to Make Your Server More Secure - cPanel Knowledge Base - cPanel Documentation
    Additional Security Software - cPanel Knowledge Base - cPanel Documentation

    Personally, I would be making every effort to find out what/who is making the calls (it may be something as innocent as a data-centre admin running some checks - but they probably should have informed you first!) and, if it looks to be something malicious, take all steps to secure the server - which might already be too late and may necessitate migrating to a new, clean server.

    See Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation
     
    #2 rpvw, Dec 25, 2017
    Last edited: Dec 25, 2017
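One way to do the PHP check suggested above, as an added example that is not from the thread or from cPanel: parse the disable_functions directive of a php.ini and list which of the usual command-execution functions are still callable. The php.ini fragment is constructed for the demo, and the list of functions to look for (EXEC_FUNCS) is my own choice; on a real server feed in the file that `php --ini` reports as loaded.

```shell
# Added example, not from the thread or from cPanel: list which of the
# usual command-execution functions a php.ini leaves callable.  The
# php.ini text is constructed for the demo; on a real server feed in the
# file that `php --ini` reports as loaded.  EXEC_FUNCS is my own choice
# of functions that uploaded web shells typically rely on.

EXEC_FUNCS="exec passthru shell_exec system proc_open popen pcntl_exec"

# Read php.ini-style text on stdin and print the disable_functions
# entries one per line.  Tolerates whitespace around '=', whitespace
# inside the list, and a trailing ';' comment.
disabled_from_ini() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' \
        | sed 's/[[:space:]]*;.*$//' \
        | tr -d ' \t' \
        | tr ',' '\n' \
        | grep -v '^$'
}

# Print each EXEC_FUNCS entry that is NOT disabled in the php.ini text
# on stdin.  Returns 0 when all of them are disabled, 1 otherwise.
enabled_exec_funcs() {
    disabled=$(disabled_from_ini || true)
    rc=0
    for f in $EXEC_FUNCS; do
        if ! printf '%s\n' "$disabled" | grep -qx "$f"; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed php.ini fragment: only three of the seven are disabled,
# and system() is left enabled behind a comment, as often happens.
SAMPLE_INI='; constructed sample, not a real server configuration
memory_limit = 128M
disable_functions = exec, passthru, shell_exec ; system() still enabled
expose_php = Off
'

printf '%s' "$SAMPLE_INI" | enabled_exec_funcs \
    || echo "some exec-capable functions are still enabled"
```

On the constructed sample this prints system, proc_open, popen and pcntl_exec. Note that disable_functions cannot be overridden from .htaccess or ini_set(), but it can differ per PHP version and per user when several php.ini files are in play, so check the one each site actually loads.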
  3. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,835
    Likes Received:
    85
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Can you give us a screenshot of the processes that you are seeing? Are those binaries being created? I am asking this because there may be a possibility of the server being compromised at the core level.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,277
    Likes Received:
    1,846
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @magj,

    Let us know if the previous posts help.

    Thank you.
     
  5. magj

    magj Active Member

    Joined:
    Dec 20, 2013
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Germany
    cPanel Access Level:
    Root Administrator
    Thank you all and sorry for my late reply.

    I cannot completely rule out infection of the server, but I have always been as strict as possible about security on this server.
    I have CloudLinux.

    I suspect this process:
    Code:
    root      158925  158923  0 09:01 ?        00:00:00 /bin/sh /usr/src/chkrootkit-0.49/chkrootkit
    root      158927  158923  0 09:01 ?        00:00:00 /bin/mail -E -s CHROOTKIT Hourly Run
    root      160217  158925  0 09:01 ?        00:00:55 /bin/find // -name .*history -size 0
    root      209811  314097  0 09:22 ?        00:00:53 /bin/find // -name .*history ( -links 2 -o -type l )
    root      209814  622369  0 09:22 ?        00:00:53 /bin/find // -name .*history ( -links 2 -o -type l )
    root      209815  457564  0 09:22 ?        00:00:53 /bin/find // -name .*history ( -links 2 -o -type l )
    So this chkrootkit process may have started these?


    As requested you can see some screenshots.
    Best
     

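Following the PPIDs upward is how to answer the question in the post above (and the earlier advice to find out who is making the calls): the ps listing already carries PID and PPID, so the parent chain can be reconstructed from it. The script below is an added example, not part of the thread. PS_SAMPLE is constructed from the lines quoted in the post; the rows for PID 1 and for 158923 (the parent of the chkrootkit shell) are my assumptions so the chain has somewhere to end, and the three find processes whose parents (314097, 622369, 457564) are absent from the quoted listing show what an unresolvable parent looks like.

```shell
# Added example, not from the thread: follow PPIDs upward for every
# process whose command line matches a pattern, using `ps -ef` output
# (PID in column 2, PPID in column 3, command from column 8 onward).
# PS_SAMPLE is constructed from the lines quoted in the thread.  The rows
# for PID 1 and for 158923 are my assumptions so the chain has somewhere
# to end; the three find processes with parents 314097, 622369 and
# 457564 have no parent row, which shows an unresolvable parent.
# For a live system:  ps -ef | ancestry 'find.*history'

PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 08:00 ?        00:00:02 /usr/lib/systemd/systemd
root    158923     1  0 09:01 ?        00:00:00 /usr/sbin/CROND -n
root    158925  158923  0 09:01 ?        00:00:00 /bin/sh /usr/src/chkrootkit-0.49/chkrootkit
root    158927  158923  0 09:01 ?        00:00:00 /bin/mail -E -s CHROOTKIT Hourly Run
root    160217  158925  0 09:01 ?        00:00:55 /bin/find // -name .*history -size 0
root    209811  314097  0 09:22 ?        00:00:53 /bin/find // -name .*history ( -links 2 -o -type l )
root    209814  622369  0 09:22 ?        00:00:53 /bin/find // -name .*history ( -links 2 -o -type l )
root    209815  457564  0 09:22 ?        00:00:53 /bin/find // -name .*history ( -links 2 -o -type l )'

# Print one line per matching process:
#   pid(cmd) <- ppid(cmd) <- ... <- 1(init)
# The chain stops at PPID 0, or at "pid(?)" when the parent is not in
# the listing (it already exited, or the snapshot was filtered).
ancestry() {
    awk -v pat="$1" '
        NR == 1 { next }                      # skip the ps header
        {
            pid = $2; ppid = $3; cmd = ""
            for (i = 8; i <= NF; i++) cmd = cmd (i > 8 ? " " : "") $i
            parent[pid] = ppid; command[pid] = cmd
            if (cmd ~ pat) matched[++n] = pid
        }
        END {
            for (k = 1; k <= n; k++) {
                p = matched[k]; line = ""
                while (p != "" && p + 0 != 0) {
                    if (!(p in command)) { line = line " <- " p "(?)"; break }
                    line = line (line == "" ? "" : " <- ") p "(" command[p] ")"
                    p = parent[p]
                }
                print line
            }
        }'
}

printf '%s\n' "$PS_SAMPLE" | ancestry 'find.*history'
```

On the quoted listing the first find (160217) resolves to the chkrootkit shell started from cron, while the other three are shown with parents that the excerpt does not contain, so that excerpt alone cannot say where they came from. On a live system a parent that has already exited does not show up as (?): the child is reparented to PID 1 (or a subreaper), so a chain ending at 1 without an intermediate cron or shell is itself worth a closer look at `/proc/<pid>/cmdline` and `/proc/<pid>/exe`.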

  6. magj

    magj Active Member

    Joined:
    Dec 20, 2013
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Germany
    cPanel Access Level:
    Root Administrator
    I have renamed the folder, disabled the hourly cron and killed the process, and it seems those processes are not starting again.
     
  7. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    719
    Likes Received:
    245
    Trophy Points:
    93
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    That would make sense:
    See The chkrootkit FAQ for more
     
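What those find commands are actually looking for, as an added example that is neither part of the thread nor chkrootkit's own code: chkrootkit's "anomalies in shell history files" step searches for history files that are empty or that are symlinks or carry a second hard link, the classic signs of someone disabling or redirecting shell history to hide their commands. The function below applies the same two find tests, scoped to a directory of your choice (for example /home) instead of the whole filesystem, and the home-directory fixture it runs against is constructed so the check can be tried offline.

```shell
# Added example, not from the thread and not chkrootkit's own code: the
# shell-history anomaly check behind the find processes seen in the
# thread, scoped to one directory instead of the whole filesystem.  The
# two find invocations use the same tests as the ones in the ps output:
# empty history files, and history files that are symlinks or carry a
# second hard link.  The fixture below is constructed; no real user data
# is read.

# Print "<reason> <path>" for every suspicious shell history file under $1.
history_anomalies() {
    root=$1
    # Empty history: logging may have been turned off or the file truncated.
    # -size 0 counts 512-byte blocks, so only a truly empty file matches.
    find "$root" -name '.*history' -size 0 -print 2>/dev/null \
        | sed 's/^/empty   /'
    # Symlink (the classic `ln -sf /dev/null ~/.bash_history`) or a
    # second hard link to the history file.
    find "$root" -name '.*history' \( -links 2 -o -type l \) -print 2>/dev/null \
        | sed 's/^/linked  /'
}

# Build a constructed home-directory tree covering each case.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/alice" "$dir/bob" "$dir/carol" "$dir/dave"
    printf 'ls -la\ncat /etc/passwd\n' > "$dir/alice/.bash_history"  # normal file
    : > "$dir/bob/.bash_history"                                     # empty
    ln -s /dev/null "$dir/carol/.bash_history"                       # symlink to /dev/null
    printf 'select 1;\n' > "$dir/dave/.mysql_history"
    ln "$dir/dave/.mysql_history" "$dir/dave/history.bak"            # second hard link
    echo "$dir"
}

fixture=$(make_fixture)
history_anomalies "$fixture" | sort
rm -rf "$fixture"
```

On the fixture this reports bob's empty history, carol's symlink and dave's hard-linked .mysql_history, and leaves alice alone. Expect some benign hits on a real server: an account that has never logged in has an empty history, and some admins deliberately point their own history at /dev/null, so treat a hit as a reason to ask who did it and when (the file's ctime and the account's last login help), not as proof of compromise.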
  8. magj

    magj Active Member

    Joined:
    Dec 20, 2013
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Germany
    cPanel Access Level:
    Root Administrator
    Yes.
    Thanks anyway

    I have disabled it and everything is back to normal after some days.

    Best
     