About SYN Connection

#1
Hello!

I found some strange processes in my server under some users. The server is using cPanel and Clamav + Malware Detect. Here is what I found.
Code:
    PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                                                         
 595716 XXX  20   0  143780   5268   1148 S   0,8  0,0   8:45.96 exim                                                                           
1288578 XXX  20   0  143780   5268   1144 S   0,8  0,0   6:26.24 postfix                                                                         
2803667 XXX  20   0  143792   5360   1224 S   0,8  0,0   1:58.88 exim                                                                           
 595715 XXX  20   0  143780   5268   1148 S   0,0  0,0   8:45.83 exim                                                                           
 617767 XXX  20   0  143780   5264   1148 S   0,0  0,0   8:44.26 postfix                                                                         
 617768 XXX  20   0  143792   5300   1176 S   0,0  0,0   8:42.33 postfix                                                                         
1288570 XXX  20   0  143780   5268   1144 S   0,0  0,0   6:26.34 postfix                                                                         
2781314 XXX  20   0  143780   5320   1196 S   0,0  0,0   2:02.95 sendmail                                                                       
2781315 XXX  20   0  143792   5356   1224 S   0,0  0,0   2:02.85 sendmail                                                                       
2803666 XXX  20   0  143968   5316   1196 S   0,0  0,0   1:59.02 exim
I tried to run lsof -p PID to find which files are opened by the process (I thought it would be malware or something). It seems like the process is executed from /usr/bin/perl, which I don't understand:
Code:
COMMAND     PID     USER   FD   TYPE    DEVICE  SIZE/OFF    NODE NAME
postfix 1288578 XXX  cwd    DIR     253,0      4096 3295856 /
postfix 1288578 XXX  rtd    DIR     253,0      4096 3295856 /
postfix 1288578 XXX  txt    REG     253,0     11408 3312043 /usr/bin/perl
postfix 1288578 XXX  mem    REG     253,0     86888 4194377 /usr/lib64/perl5/auto/POSIX/POSIX.so
postfix 1288578 XXX  mem    REG     253,0     19520 4194342 /usr/lib64/perl5/auto/Fcntl/Fcntl.so
postfix 1288578 XXX  mem    REG     253,0           4489097 /usr/local/lib64/perl5/auto/Socket/Socket.so (path inode=26488125)
postfix 1288578 XXX  mem    REG     253,0     19808 4194359 /usr/lib64/perl5/auto/IO/IO.so
postfix 1288578 XXX  mem    REG     253,0 106070960 3553880 /usr/lib/locale/locale-archive
postfix 1288578 XXX  mem    REG     253,0     11384 3303184 /lib64/libfreebl3.so
postfix 1288578 XXX  mem    REG     253,0   2127336 3279802 /lib64/libc-2.17.so
postfix 1288578 XXX  mem    REG     253,0    144792 3277399 /lib64/libpthread-2.17.so
postfix 1288578 XXX  mem    REG     253,0     14872 3287679 /lib64/libutil-2.17.so
postfix 1288578 XXX  mem    REG     253,0     41080 3287651 /lib64/libcrypt-2.17.so
postfix 1288578 XXX  mem    REG     253,0   1139680 3287655 /lib64/libm-2.17.so
postfix 1288578 XXX  mem    REG     253,0     19776 3287653 /lib64/libdl-2.17.so
postfix 1288578 XXX  mem    REG     253,0    113600 3287657 /lib64/libnsl-2.17.so
postfix 1288578 XXX  mem    REG     253,0    111096 3287673 /lib64/libresolv-2.17.so
postfix 1288578 XXX  mem    REG     253,0   1647272 4065914 /usr/lib64/perl5/CORE/libperl.so
postfix 1288578 XXX  mem    REG     253,0    164608 3287602 /lib64/ld-2.17.so
postfix 1288578 XXX    0r   CHR       1,3       0t0 3312383 /dev/null
postfix 1288578 XXX    1w   CHR       1,3       0t0 3312383 /dev/null
postfix 1288578 XXX    2w   CHR       1,3       0t0 3312383 /dev/null
postfix 1288578 XXX    3u  IPv4 623163606       0t0     TCP my.server.hostname.com:50172->77.72.83.84 (SYN_SENT)
I think the process under this user is trying to connect to another server (SYN_SENT). But CSF is installed, so the connection cannot be established, only SYN_SENT.
I tried ClamAV and Malware Detect to find which file or malware causes this problem.
The names of the processes sometimes change. Previously the process names were mdxfs, xargsu, perxg. But now they are called sendmail, exim, and postfix.
Does anyone have experience with this? How do I stop and prevent this?
 

KnownHost-DanielP

#2
In a nutshell, these are perl-based services executed by the account. These would be 100% malicious.

Using lsof was the right way to try and track them down, but oftentimes what they will do is start with a POST request to an exploited / exploitable script, send the perl script's payload with it into memory and execute it from there. So the actual exploit that is running is just in memory and not a physical file.

My advice would be to look at when these were executed, so run ps aufx to get the 'start' time. Then grep the domlogs for that user for POST requests. You're likely going to find quite a few odd/malformed posts and/or posts to scripts that shouldn't be there.

Once you locate the script/plugin/location you can then begin hunting to find out what's being used to fire this off.

My guess is either out of date WordPress/Joomla or exploited Drupal at this point.
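One way to do the correlation described above (process start time versus POST requests in the account's domlogs), as an added example that is not part of this thread and not a cPanel or Maldet tool. It assumes the Apache combined log format that cPanel writes under /usr/local/apache/domlogs/<domain>, the `ps -o lstart= -p PID` timestamp format, and a set of constructed sample log lines; the "odd target" heuristic (a .php file under a normally non-executable upload or cache directory) is my own and is a triage hint, not proof of compromise.

```python
"""Correlate a suspicious process start time with POST requests in a domlog."""
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format (cPanel domlogs use this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# PHP requested from directories that should only hold uploads or cache data.
ODD_TARGET_RE = re.compile(r"/(?:uploads|cache|tmp|temp|images)/.*\.php\d?$", re.I)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Apr/2018:10:31:58 +0000] "POST /wp-content/uploads/2018/04/wp-cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Apr/2018:10:30:12 +0000] "GET /index.php HTTP/1.1" 200 8213 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Apr/2018:09:10:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [25/Apr/2018:10:33:40 +0000] "POST /contact-form HTTP/1.1" 200 1024 "https://example.com/contact" "Mozilla/5.0"',
]


def parse_lstart(text, tz=timezone.utc):
    """Parse the output of `ps -o lstart= -p PID`, e.g. 'Wed Apr 25 10:32:11 2018'.
    ps prints local time without a zone, so the caller supplies the server's zone."""
    return datetime.strptime(text.strip(), "%a %b %d %H:%M:%S %Y").replace(tzinfo=tz)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_odd_target(path):
    """Heuristic: PHP executed from an upload/cache directory is worth a look."""
    return bool(ODD_TARGET_RE.search(path.split("?", 1)[0]))


def posts_near(lines, start, window_minutes=10):
    """Return POST records whose timestamp is within +/- window_minutes of start."""
    lo = start - timedelta(minutes=window_minutes)
    hi = start + timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and lo <= rec["ts"] <= hi:
            rec["odd_target"] = is_odd_target(rec["path"])
            hits.append(rec)
    return hits


if __name__ == "__main__":
    start = parse_lstart("Wed Apr 25 10:32:11 2018")  # constructed ps output
    for h in posts_near(SAMPLE_LOG, start):
        flag = "  <-- odd target" if h["odd_target"] else ""
        print(h["ts"].isoformat(), h["ip"], h["path"], h["status"], flag)
```

In practice the log lines would be read from the account's domlog file and the start time taken from ps for each suspicious PID; widening the window and repeating for every PID shows whether the same source IP and script recur, which is the pattern the reply above describes.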
 
#3
Hello,

Thank you so much for the explanation. By using your advice, I was able to track down the malicious file. It looks like an encoded script (base64). After reading some references, I think using ClamAV or Malware Detect and adding an extra signature will be enough. Do you have other advice, sir?

Thank you.
 

KnownHost-DanielP

#4
Manually tracking back the upload is best: look at the timestamp and keep referencing your domlogs for more posts.
Maldet I've found works the best; ClamAV is good for Windows garbage in emails but hardly picks up backdoors and shells. I'd go through the site, look for any odd files, files with base64-encoded strings, and compare them to default files. Past that, change all the passwords and update any PHP, plugins etc. and you ought to be good to go.
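A way to automate the last piece of that advice (compare site files against default copies and flag base64-encoded payloads), as an added example that is not part of this thread and not Maldet or ClamAV code. It assumes a baseline of SHA-256 hashes computed from known-good files (here built from two constructed defaults), a constructed document root with one tampered file and one dropped file, and two heuristics of my own: a call to a PHP decoding function and a run of 200 or more base64 characters. Both heuristics are triage signals to review, not verdicts.

```python
"""Flag web files that differ from a known-good baseline or carry base64 markers."""
import base64
import hashlib
import os
import re
import tempfile

# Decoding idioms commonly seen in obfuscated PHP (heuristic only).
OBFUSCATION_CALL = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# A run of base64 characters too long to be ordinary source code.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
SCAN_EXT = (".php", ".phtml", ".inc")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(root, rel, baseline):
    """Return the findings for one file; an empty list means nothing odd."""
    path = os.path.join(root, rel)
    findings = []
    if rel not in baseline:
        findings.append("not-in-baseline")
    elif baseline[rel] != sha256_file(path):
        findings.append("modified-from-baseline")
    with open(path, "r", errors="replace") as f:
        text = f.read()
    if OBFUSCATION_CALL.search(text):
        findings.append("obfuscation-call")
    if LONG_BASE64.search(text):
        findings.append("long-base64-blob")
    return findings


def scan_tree(root, baseline):
    """Walk root and map relative path -> findings for every file with a finding."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            found = scan_file(root, rel, baseline)
            if found:
                report[rel] = found
    return report


# --- constructed sample data: a two-file "default install" and its baseline ---
DEFAULT_FILES = {
    "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-config.php": "<?php\ndefine('DB_NAME', 'example');\n",
}
BASELINE = {rel: hashlib.sha256(body.encode()).hexdigest() for rel, body in DEFAULT_FILES.items()}


def build_sample_tree():
    """Write a constructed document root: one clean, one tampered, one dropped file."""
    root = tempfile.mkdtemp(prefix="docroot-")
    on_disk = dict(DEFAULT_FILES)
    # wp-config.php tampered with an injected decoder call (short, harmless literal)
    on_disk["wp-config.php"] += "eval(base64_decode('cGhwaW5mbygpOw=='));\n"
    # a dropped file in an upload directory carrying a large encoded blob
    blob = base64.b64encode(b"x" * 180).decode()  # 240 base64 characters
    on_disk["wp-content/uploads/2018/04/wp-cache.php"] = "<?php\n$p = '" + blob + "';\n"
    for rel, body in on_disk.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for rel, found in sorted(scan_tree(build_sample_tree(), BASELINE).items()):
        print(rel, "->", ", ".join(found))
```

On a real site the baseline would be generated from a freshly downloaded copy of the same CMS and plugin versions; anything reported as not-in-baseline or modified-from-baseline is then compared by hand against the default, which is exactly the manual check described above.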
 