How to find out from where an exploit is running
If you are running a cPanel server for shared hosting, the chances are that you have already had a problem or two with compromised scripts running from a user's home directory and attacking other servers or sending spam.
Over a series of tutorials I will show you a few tricks for detecting such scripts and for protecting yourself in the future.
First let's see how we can detect them. On a normal cPanel server there are many processes running, but most of them run under dedicated users (such as cpanel, exim, etc.). You only have to worry about processes running under the user "nobody". Unfortunately Apache also runs under the user nobody, but we will ignore those processes.
So what to do to see what processes are running under the user nobody? Simple, just type:
ps aux | grep nobody
This should output a few Apache processes but NOTHING else (on a cPanel powered server). If you see any other processes that look suspicious, it's time to investigate.
How to do this? Simple again: let's trace where that process is running from. Look at the second column in front of the suspect process; that is the process ID. Let's suppose that it is 12345.
Now let’s see some information about this process from /proc. For this go ahead and do:
ls -la /proc/12345
You should now see some information about that process, most importantly the cwd (current working directory) link. This is the place that process runs from! Note also the exe link: for a script it points at the interpreter (here /usr/bin/perl), so read cmdline to see which script was actually started.
The output will look similar to:
root@server [/]# ls -la /proc/12345
total 0
dr-xr-xr-x 3 root root 0 Mar 18 09:28 ./
dr-xr-xr-x 311 root root 0 Mar 15 03:26 ../
dr-xr-xr-x 2 root root 0 Mar 18 23:23 attr/
-r-------- 1 root root 0 Mar 18 23:23 auxv
-r--r--r-- 1 root root 0 Mar 18 23:09 cmdline
lrwxrwxrwx 1 root root 0 Mar 18 23:23 cwd -> /root/
-r-------- 1 root root 0 Mar 18 23:23 environ
lrwxrwxrwx 1 root root 0 Mar 18 23:00 exe -> /usr/bin/perl*
dr-x------ 2 root root 0 Mar 18 09:30 fd/
-rw-r--r-- 1 root root 0 Mar 18 23:23 loginuid
-r--r--r-- 1 root root 0 Mar 18 23:23 maps
-rw------- 1 root root 0 Mar 18 23:23 mem
-r--r--r-- 1 root root 0 Mar 18 23:23 mounts
-r-------- 1 root root 0 Mar 18 23:23 mountstats
lrwxrwxrwx 1 root root 0 Mar 18 23:23 root -> //
-r-------- 1 root root 0 Mar 18 23:23 smaps
-r--r--r-- 1 root root 0 Mar 18 23:07 stat
-r--r--r-- 1 root root 0 Mar 18 23:00 statm
-r--r--r-- 1 root root 0 Mar 18 23:09 status
dr-xr-xr-x 3 root root 0 Mar 18 23:23 task/
-r--r--r-- 1 root root 0 Mar 18 23:23 wchan
Once you have the information you need, you can delete the file(s), and don't forget to terminate that process.
Something like this should work:
kill -9 12345
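The manual steps above gathered into one script, as an added example that is not part of the original post: it walks /proc, lists every process owned by a user (the cPanel "nobody" account by default) that is not an Apache worker, and prints where it runs from (cwd), its binary (exe) and its command line. It assumes a Linux /proc filesystem; run it as root, since other users' /proc links are not readable otherwise.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a Linux /proc filesystem.
# Usage: sh suspects.sh [user]   (user defaults to "nobody", as on cPanel)

# Numeric uid owning a process, read from /proc/PID/status (empty if the PID is gone).
proc_uid() { awk '/^Uid:/ { print $2; exit }' "/proc/$1/status" 2>/dev/null; }

# Directory the process runs from; "?" if the link cannot be read.
proc_cwd() { readlink "/proc/$1/cwd" 2>/dev/null || echo "?"; }

# Executable of the process. For a script this is the interpreter (e.g. /usr/bin/perl),
# so the script name itself only shows up in the command line.
proc_exe() { readlink "/proc/$1/exe" 2>/dev/null || echo "?"; }

# Command line, with the NUL separators turned into spaces for display.
proc_cmdline() { tr '\000' ' ' < "/proc/$1/cmdline" 2>/dev/null; }

# Apache workers legitimately run as nobody on cPanel; they are skipped, as the post says.
is_apache_exe() {
    case "$1" in
        */httpd|*/httpd.worker|*/apache2) return 0 ;;
        *) return 1 ;;
    esac
}

# One tab-separated line per non-Apache process of USER: pid, cwd, exe, cmdline.
list_suspects() {
    uid=$(id -u "$1") || return 1
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ "$(proc_uid "$pid")" = "$uid" ] || continue
        exe=$(proc_exe "$pid")
        is_apache_exe "$exe" && continue
        printf '%s\t%s\t%s\t%s\n' "$pid" "$(proc_cwd "$pid")" "$exe" "$(proc_cmdline "$pid")"
    done
}

list_suspects "${1:-nobody}"
```

Anything it prints is a process to look at by hand, exactly as with ls -la /proc/PID; a cwd inside a user's home directory or a world-writable location such as /tmp is the usual sign of a dropped script.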
I hope this is useful for you. I will write a follow-up as soon as possible.
- March 18th