Friday, August 5, 2011

suspicious process finding

When a server looks compromised, the first thing to establish is what is actually running and from where. The loop below asks lsof for the current working directory (cwd) of every process and writes the result to /root/cwd. The cwd is not the path of the running script itself, but a web shell, mass mailer or cracker dropped into a site normally runs from the directory it was dropped in, so any process whose cwd is under a user's home directory, and especially under a public_html docroot, deserves a closer look. Example below.

root@navigator [/]# for i in $(ps ax | awk 'NR>1 {print $1}'); do lsof -p "$i" | grep cwd; done > /root/cwd

root@navigator [/]# grep home /root/cwd | grep -v mail
bash 1038 root cwd DIR 8,8 4096 15270308 /home/bpcin/public_html
bash 7398 root cwd DIR 8,8 4096 7930070 /home/logger/public_html
crond 21970 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
php 21973 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
mysqld 22751 mysql cwd DIR 8,8 69632 78479361 /home/mysql
bash 24774 root cwd DIR 8,8 4096 41418821 /home/bytesil/public_html/images
crond 27996 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
php 28012 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
The file will also contain the POP/IMAP processes standing inside a mailbox, e.g.:
pop3d 4789 morpheww cwd DIR 8,8 4096 8454332 /home/morpheww/mail/morpheusworldwide.com/operations
Those can be ignored, which is why the command above uses "grep -v mail". Be aware of what that filter hides, though: it drops every line whose path contains the string mail, so a malicious process sitting in a directory named mail would be skipped as well. For a thorough check, read the whole of /root/cwd rather than the filtered view.
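The triage described above can be done in one pass, with the mail exclusion narrowed to the daemons that legitimately stand in mailboxes instead of dropping every path containing "mail". The script below is an added example and is not part of the original post. It reads lines in the lsof cwd format shown on this page (COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME); the sample input is constructed from this page's /root/cwd output plus one invented `sh` process owned by `nobody`, the tag names are chosen here, and the live mode assumes `lsof -d cwd` is available on the host.

```shell
#!/bin/bash
# Added example (not from the original post): triage the "cwd" lines that
# lsof prints for every process, in the column order shown on this page:
#   COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
# Assumes the cPanel layout /home/<user>/public_html; the tags are made up here.

# sample_lines: constructed input, copied from the page's /root/cwd output plus
# one invented sh owned by the web server user, standing in a customer docroot.
sample_lines() {
  cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 1038 root cwd DIR 8,8 4096 15270308 /home/bpcin/public_html
crond 21970 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
php 21973 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
mysqld 22751 mysql cwd DIR 8,8 69632 78479361 /home/mysql
pop3d 4789 morpheww cwd DIR 8,8 4096 8454332 /home/morpheww/mail/morpheusworldwide.com/operations
php 14362 homerec cwd DIR 8,8 4096 25101348 /home/homerec/public_html/my
sh 5011 nobody cwd DIR 8,8 4096 25101348 /home/homerec/public_html/my
sshd 900 root cwd DIR 8,6 4096 2 /
EOF
}

# flag_cwd: read lsof lines on stdin, print "<tag> <pid> <user> <cmd> <cwd>"
# for the ones worth a second look, drop the rest.
flag_cwd() {
  awk '
    BEGIN { OFS = "\t" }
    $4 != "cwd" { next }                    # header line and non-cwd descriptors
    {
      cmd = $1; pid = $2; user = $3
      path = $9                             # NAME may contain spaces: rejoin it
      for (i = 10; i <= NF; i++) path = path " " $i
      if (path !~ /^\/home\//) next         # only customer home trees matter here
      split(path, p, "/"); owner = p[3]     # /home/<owner>/...
      # mail daemons standing inside a mailbox are normal on a hosting box;
      # this is narrower than grep -v mail, which would also hide a shell
      # that happened to cd into a directory called mail
      if ((cmd == "pop3d" || cmd == "imapd") && path ~ /\/mail\//) next
      # a process standing in its own home directory is what cron jobs look like
      if (path == "/home/" user) next
      if (cmd == "bash" && user == "root" && path ~ /public_html/) {
        print "ROOT-SHELL-IN-DOCROOT", pid, user, cmd, path; next
      }
      if (cmd == "php" && path ~ /public_html/) {
        print "PHP-IN-DOCROOT", pid, user, cmd, path; next
      }
      # anything running as one user inside a tree owned by a different user
      if (user != "root" && user != owner) {
        print "CROSS-USER-CWD", pid, user, cmd, path; next
      }
      print "HOME-CWD", pid, user, cmd, path
    }'
}

# Stand-alone use: ./flag_cwd.sh         -> run on the constructed sample
#                  ./flag_cwd.sh --live  -> run on the real process list (needs lsof)
if [ "${1:-}" = "--live" ]; then
  lsof -d cwd | flag_cwd
else
  sample_lines | flag_cwd
fi
```

On the sample, only three lines come out: the root bash in /home/bpcin/public_html, the php in /home/homerec/public_html/my, and the nobody-owned sh in the same directory. The madolphi cron job, mysqld and the pop3d process are dropped by the rules in the comments, and a real run should be read with the same scepticism the post applies to the grep -v mail shortcut: the filters are there to reduce noise, not to prove anything clean.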


Some of the processes in this output are easy to explain. The crond and php processes below belong to the cron job of the user madolphi: crond forks the job and php runs the script, both with their cwd in the user's home directory, which is normal for cron. Checking the user's crontab confirms it, and these are not dangerous.
crond 21970 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
php 21973 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
root@navigator [/home/bpcin/www]# crontab -lu madolphi
MAILTO="madolphi"
*/15 * * * * /usr/local/bin/php -q /home/madolphi/public_html/followunfollowscript.php
bash 1038 root cwd DIR 8,8 4096 15270308 /home/bpcin/public_html
The above line is a root bash whose cwd is a customer's docroot, /home/bpcin/public_html. That usually means someone with root access has logged in over SSH and changed into that directory, and it could be you. Before dismissing it, confirm which login the shell belongs to:

ps aux | grep 1038

Compare the TTY in that output with the sessions listed by w. A root shell with no controlling terminal, or one attached to a session nobody recognises, is not an admin browsing the filesystem and has to be investigated like the entries below.

Suspicious processes finding:
##################################################################
See this entry in the file /root/cwd
php 14362 homerec cwd DIR 8,8 4096 25101348 /home/homerec/public_html/my
root@navigator [/]# cd /home/homerec/public_html/my/
root@navigator [/home/homerec/public_html/my]# ps ax | grep homerec
6555 pts/5 R+ 0:00 grep homerec
14362 ? S 0:02 /usr/bin/php /home/homerec/public_html/my/cp3.php
16559 ? S 0:02 /usr/bin/php /home/homerec/public_html/my/cp3.php
23391 ? S 0:02 /usr/bin/php /home/homerec/public_html/my/cp3.php


root@navigator [/home/homerec/public_html/my]# cat /home/homerec/public_html/my/php.ini
safe_mode = OFF
disable_functions = NONE

---> /home/homerec/public_html runs WordPress. The attacker dropped a php.ini of their own next to cp3.php: where per-directory php.ini files are honoured (as with suPHP on cPanel hosts), safe_mode = OFF and an empty disable_functions list lift whatever restrictions the server-wide php.ini imposes on the script. The listing below shows all three files arriving within a minute of each other on May 6, which is a good pivot for finding the request in the site's access logs that uploaded them.

root@navigator [/home/homerec/public_html/my]# head /home/homerec/public_html/my/cp3.php

/*||||||||||||||||||||||||||||||||||||||||||||*/
# Coded By Crazy_Hacker |
# Script: Cpanel + FTP Cracker |
# Site: www.0day.com |
# Forums: http://forums.0day.com/index.php |
/*|||||||||||||||||||||||||||||||||||||||||||*/


root@navigator [/home/homerec/public_html/my]# ll | grep php
-rw-r--r-- 1 homerec homerec 13063 May 6 10:47 cp3.php
-rw-r--r-- 1 homerec homerec 73 May 6 10:46 php.ini
-rw-r--r-- 1 homerec homerec 90553 May 6 10:47 phxdomain.php
##################################################################



##################################################################

Another entry:

bash 24774 root cwd DIR 8,8 4096 74842180 /home/amish/public_html

root@navigator [/home/amish/public_html]# lsof -p 24774
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 24774 root cwd DIR 8,8 4096 15305065 /home/uberscap/public_html/cache/high/wunderbar_emporium
bash 24774 root rtd DIR 8,6 4096 2 /
bash 24774 root txt REG 8,6 801512 880457 /bin/bash
This root shell is not an admin session. wunderbar_emporium is the name under which a public local root exploit for the 2009 sock_sendpage kernel bug (CVE-2009-2692) was distributed, and a root bash standing in a directory of that name inside a customer's cache tree is a strong sign that someone escalated from a customer account to root. Treat the host as fully compromised: check the running kernel version against that bug and look for what else the shell has touched.
##################################################################


##################################################################
bash 24774 root cwd DIR 8,8 4096 41418821 /home/bytesil/public_html/images

root@navigator [/home/waitwhat]# head /home/bytesil/public_html/images/new.php
GIF89a;
// ketek90@gmail.com
// no malware on this code, you can check it by yourself ;-)
A PHP file in an images directory that begins with GIF89a; is a classic upload bypass: the leading bytes let the file pass a check that only looks at the image magic number (or at getimagesize()), while the web server still hands a .php file to PHP, which simply echoes the header as text. The comment assuring you there is no malware is part of the dressing; read the rest of the file.
##################################################################
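The two artefacts found in these entries, the attacker's own php.ini and the GIF-headed new.php, can be swept for across every docroot rather than found one process at a time. The script below is an added example and is not part of the original post. It assumes the /home/<user>/public_html layout seen on this page, builds a constructed copy of that layout in a temporary directory for the demo (the php.ini contents mirror the one quoted above, the new.php body is made up), and the tags it prints are names chosen here.

```shell
#!/bin/bash
# Added example (not from the original post): sweep customer docroots for the two
# on-disk artefacts found next to the malicious processes above:
#   1. a per-directory php.ini that switches safe_mode off or empties
#      disable_functions (which is what "disable_functions = NONE" amounts to)
#   2. a .php file whose first bytes are an image magic number ("GIF89a" here),
#      the usual way a PHP file is pushed past an "is this an image?" upload check
# Assumes the cPanel layout <root>/<user>/public_html seen on this page.

# sweep_docroots <root>: print one "<tag>\t<file>" line per finding
sweep_docroots() {
  root=$1
  for docroot in "$root"/*/public_html; do
    [ -d "$docroot" ] || continue
    # 1. relaxed php.ini (directive names are case-insensitive; values vary)
    find "$docroot" -type f -name php.ini 2>/dev/null | while IFS= read -r ini; do
      if grep -Eiq '^[[:space:]]*safe_mode[[:space:]]*=[[:space:]]*(off|0)[[:space:]]*$' "$ini"; then
        printf 'SAFE_MODE_OFF\t%s\n' "$ini"
      fi
      if grep -Eiq '^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*(none)?[[:space:]]*$' "$ini"; then
        printf 'NO_DISABLED_FUNCTIONS\t%s\n' "$ini"
      fi
    done
    # 2. PHP scripts that begin with a GIF, PNG or JPEG signature
    find "$docroot" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
      hex=$(head -c 8 "$f" | od -An -tx1 | tr -d ' \n')
      case $hex in
        474946383961*|474946383761*) kind=GIF ;;   # GIF89a / GIF87a
        89504e470d0a1a0a*)           kind=PNG ;;
        ffd8ff*)                     kind=JPEG ;;
        *) continue ;;
      esac
      printf 'IMAGE_HEADED_PHP\t%s\t%s\n' "$kind" "$f"
    done
  done
}

# demo_tree: build a constructed docroot layout in a temp dir and print its path.
# Contents are made up for this example; the php.ini mirrors the one quoted above.
demo_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/homerec/public_html/my" "$t/bytesil/public_html/images" "$t/clean/public_html"
  printf 'safe_mode = OFF\ndisable_functions = NONE\n' > "$t/homerec/public_html/my/php.ini"
  printf 'GIF89a;\n<?php /* constructed stand-in for the dropper body */ ?>\n' > "$t/bytesil/public_html/images/new.php"
  printf 'memory_limit = 128M\n' > "$t/clean/public_html/php.ini"
  printf '<?php echo "hello"; ?>\n' > "$t/clean/public_html/index.php"
  echo "$t"
}

# Stand-alone use: ./sweep.sh /home   (no argument: run on the constructed tree)
if [ -n "${1:-}" ]; then
  sweep_docroots "$1"
else
  t=$(demo_tree); sweep_docroots "$t"; rm -rf "$t"
fi
```

Run against /home on a live box the sweep is a complement to the process-based check, not a replacement: a dropper that has already been deleted leaves a process but no file, and an uploaded file that was never executed leaves a file but no process, so both lists are worth keeping for the access-log search that follows.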
