The Community Forums


Suspicious process running under cpanel user

Discussion in 'Security' started by Escobar, Aug 25, 2015.

  1. Escobar

    Escobar Member

    Joined:
    Aug 11, 2012
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    So, I believe there is a compromised file somewhere on my server. I keep receiving the following emails.

    Code:
    Time:   Tue Aug 25 06:02:12 2015 +0100
    PID:     256047 (Parent PID:256047)
    Account: cpaneluser
    Uptime:  148 seconds

    Executable:
    /usr/bin/perl

    Command Line (often faked in exploits):
    init

    Network connections by the process (if any):
    tcp: 0.0.0.0:39331 -> 0.0.0.0:0

    Files open by the process (if any):
    /dev/null
    /dev/null
    /dev/null

    Memory maps by the process (if any):
    
    The user's directory has a WordPress install. I scanned the files and found no detections, and I checked for injections too. I even re-installed WordPress from a fresh download, but there was no change in the emails.

    When I run a ps faux check, the following script appears.

    Code:
    root@761967 [~]# top | grep -i indian
     256863 indiansp  20   0 45244 7400  816 S  2.0  0.2   0:00.40 httpd.pl
     256863 indiansp  20   0 45244 7400  816 S  0.7  0.2   0:00.42 httpd.pl
    
    Code:
    root@761967 [~]# lsof -p 256863
    COMMAND     PID        USER   FD   TYPE  DEVICE SIZE/OFF    NODE NAME
    httpd.pl 256863 indianspice  cwd    DIR   252,3     4096  674533 /
    httpd.pl 256863 indianspice  rtd    DIR   252,3     4096  674533 /
    httpd.pl 256863 indianspice  txt    REG   252,3    13296  675265 /usr/bin/perl
    httpd.pl 256863 indianspice  mem    REG   252,3   157072 1831433 /lib64/ld-2.12.so
    httpd.pl 256863 indianspice  mem    REG   252,3  1926800 1831456 /lib64/libc-2.12.so
    httpd.pl 256863 indianspice  mem    REG   252,3   145896 1831901 /lib64/libpthread-2.12.so
    httpd.pl 256863 indianspice  mem    REG   252,3    22536 1831632 /lib64/libdl-2.12.so
    httpd.pl 256863 indianspice  mem    REG   252,3    17520 1831923 /lib64/libutil-2.12.so
    httpd.pl 256863 indianspice  mem    REG   252,3   599392 1831911 /lib64/libm-2.12.so
    httpd.pl 256863 indianspice  mem    REG   252,3  1488544 2225876 /usr/lib64/perl5/CORE/libperl.so
    httpd.pl 256863 indianspice  mem    REG   252,3   113952 1831893 /lib64/libresolv-2.12.so
    httpd.pl 256863 indianspice  mem    REG   252,3   116368 1834306 /lib64/libnsl-2.12.so
    httpd.pl 256863 indianspice  mem    REG   252,3    43392 1831897 /lib64/libcrypt-2.12.so
    httpd.pl 256863 indianspice  mem    REG   252,3    12776 1831840 /lib64/libfreebl3.so
    httpd.pl 256863 indianspice  mem    REG   252,3    21056 2227184 /usr/lib64/perl5/auto/File/Glob/Glob.so
    httpd.pl 256863 indianspice  mem    REG   252,3   120008 2227221 /usr/lib64/perl5/auto/POSIX/POSIX.so
    httpd.pl 256863 indianspice  mem    REG   252,3    17976 2227182 /usr/lib64/perl5/auto/Fcntl/Fcntl.so
    httpd.pl 256863 indianspice  mem    REG   252,3    25624 2227402 /usr/lib64/perl5/auto/Socket/Socket.so
    httpd.pl 256863 indianspice  mem    REG   252,3    19336 2227203 /usr/lib64/perl5/auto/IO/IO.so
    httpd.pl 256863 indianspice    0r   CHR     1,3      0t0 1308637 /dev/null
    httpd.pl 256863 indianspice    1w   CHR     1,3      0t0 1308637 /dev/null
    httpd.pl 256863 indianspice    2w   CHR     1,3      0t0 1308637 /dev/null
    httpd.pl 256863 indianspice    3u  IPv4 1538965      0t0     TCP *:39331 (LISTEN)
    
     
  2. Escobar

    More information on the process httpd.pl:
    Code:
    root@761967 [/]# lsof -p 316195 | grep cwd
    httpd.pl 316195 indianspice  cwd    DIR   252,3     4096  674533 /
    root@761967 [/]# readlink -e /proc/316195/cwd/
    /
    
     
  3. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
  4. Escobar

    Yes, I've performed those scans but nothing on maldet. ClamAV throws false positives. Ran a chkrootkit scan too and all seems fine. I'm not sure where to proceed from here.
     
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Either hire a professional to analyse / clean the site, or rebuild it from scratch. Not much else to do unfortunately.
     
  6. Escobar

    I already re-installed the WordPress installs. I don't see how "rebuilding" a site will clean a server if the server is infected, which is what I am assuming.
     
  7. Escobar

    Found the problem. It looks like one of the websites got hacked and they uploaded a backdoor. It was a cron job that calls a tmp file.
    Code:
    
    root@761967 [/]# crontab -u indianspice -l
    SHELL="/usr/local/cpanel/bin/jailshell"
    */15 * * * * /var/tmp/ZVuRYtRXB >/dev/null 2>&1
    
     
  8. Escobar

    Hmm, disregard. I deleted the cronjob but the process still reappears.
     
  9. Escobar

    Actually, I was right before; I found the tmp file under the .cagefs directory though.
     
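    Added example (not from the thread or from cPanel): a small POSIX shell scan for the persistence pattern found above, a user crontab whose command runs out of /var/tmp, /tmp or /dev/shm, or out of the per-user copies of those directories that CageFS keeps under ~/.cagefs (the ~/.cagefs/tmp and ~/.cagefs/var/tmp layout is assumed here). The sample crontab is constructed, and the function names and the /var/spool/cron location are my choices.

```shell
#!/bin/sh
# Added example, not from the thread. Flags crontab entries that execute
# something from a world-writable temp directory, the persistence found above
# (*/15 * * * * /var/tmp/ZVuRYtRXB). CageFS gives each user a private /tmp and
# /var/tmp under ~/.cagefs/tmp and ~/.cagefs/var/tmp (assumed layout), which is
# where the second copy turned up, so those paths are matched as well.

# Constructed sample crontab: one benign job, the job from the thread, one job
# hidden in the CageFS tmp tree, and a commented-out line that must be ignored.
SAMPLE_CRONTAB='SHELL="/usr/local/cpanel/bin/jailshell"
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
*/15 * * * * /var/tmp/ZVuRYtRXB >/dev/null 2>&1
@reboot /home/indianspice/.cagefs/tmp/.x/run >/dev/null 2>&1
# */5 * * * * /tmp/old-job-disabled'

# Read a crontab on stdin and print the lines whose command is executed from a
# temp directory. Comment lines and variable assignments (SHELL=, PATH=) are
# dropped first so they are not misread as jobs.
flag_tmp_crons() {
    grep -E -v '^[[:space:]]*(#|[A-Za-z_][A-Za-z0-9_]*=)' |
    grep -E '(^|[[:space:]])(/var/tmp|/tmp|/dev/shm|/home/[^/[:space:]]+/\.cagefs/(var/)?tmp)/'
}

# Number of flagged lines in a crontab given on stdin (0 when clean).
count_tmp_crons() {
    flag_tmp_crons | wc -l | tr -d ' '
}

# Scan every per-user crontab in the cronie spool (/var/spool/cron on
# RHEL-family systems; assumed path) and prefix each hit with the owning user.
# Needs root. Equivalent per user: crontab -u USER -l | flag_tmp_crons
scan_spool_crontabs() {
    for f in /var/spool/cron/*; do
        [ -f "$f" ] || continue
        flag_tmp_crons < "$f" | sed "s|^|$(basename "$f"): |"
    done
}

# Stand-alone demo on the constructed sample: prints the two malicious lines.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_tmp_crons
```

    A hit only tells you where the persistence is; the file it runs should be preserved for analysis before the cron entry and the file are removed.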
  10. quizknows

    Often you can find crons left behind even after re-installing a site. I did miss the part of your original post where you stated that you had re-installed. Glad you were able to find the malicious cron; obviously, if you did not already, you should change the cPanel password as well.
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I'm happy to see you were able to determine the source of the issue. Thank you for updating us with the outcome.
     