About SYN Connection

R

roboticpuppies

New member
Registered
Joined
Apr 25, 2018
Messages
11
Points
3
Hello!

I found some strange processes in my server under some users. The server is using cPanel and Clamav + Malware Detect. Here is what I found.
Code: 
    PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                                                         
 595716 XXX  20   0  143780   5268   1148 S   0,8  0,0   8:45.96 exim                                                                           
1288578 XXX  20   0  143780   5268   1144 S   0,8  0,0   6:26.24 postfix                                                                         
2803667 XXX  20   0  143792   5360   1224 S   0,8  0,0   1:58.88 exim                                                                           
 595715 XXX  20   0  143780   5268   1148 S   0,0  0,0   8:45.83 exim                                                                           
 617767 XXX  20   0  143780   5264   1148 S   0,0  0,0   8:44.26 postfix                                                                         
 617768 XXX  20   0  143792   5300   1176 S   0,0  0,0   8:42.33 postfix                                                                         
1288570 XXX  20   0  143780   5268   1144 S   0,0  0,0   6:26.34 postfix                                                                         
2781314 XXX  20   0  143780   5320   1196 S   0,0  0,0   2:02.95 sendmail                                                                       
2781315 XXX  20   0  143792   5356   1224 S   0,0  0,0   2:02.85 sendmail                                                                       
2803666 XXX  20   0  143968   5316   1196 S   0,0  0,0   1:59.02 exim
I tried to run lsof -p PID to find what file opened by the process (I thought it would be a malware or something). It seems like the process is exectuted from /usr/bin/perl, which I don't understand :
Code: 
COMMAND     PID     USER   FD   TYPE    DEVICE  SIZE/OFF    NODE NAME
postfix 1288578 XXX  cwd    DIR     253,0      4096 3295856 /
postfix 1288578 XXX  rtd    DIR     253,0      4096 3295856 /
postfix 1288578 XXX  txt    REG     253,0     11408 3312043 /usr/bin/perl
postfix 1288578 XXX  mem    REG     253,0     86888 4194377 /usr/lib64/perl5/auto/POSIX/POSIX.so
postfix 1288578 XXX  mem    REG     253,0     19520 4194342 /usr/lib64/perl5/auto/Fcntl/Fcntl.so
postfix 1288578 XXX  mem    REG     253,0           4489097 /usr/local/lib64/perl5/auto/Socket/Socket.so (path inode=26488125)
postfix 1288578 XXX  mem    REG     253,0     19808 4194359 /usr/lib64/perl5/auto/IO/IO.so
postfix 1288578 XXX  mem    REG     253,0 106070960 3553880 /usr/lib/locale/locale-archive
postfix 1288578 XXX  mem    REG     253,0     11384 3303184 /lib64/libfreebl3.so
postfix 1288578 XXX  mem    REG     253,0   2127336 3279802 /lib64/libc-2.17.so
postfix 1288578 XXX  mem    REG     253,0    144792 3277399 /lib64/libpthread-2.17.so
postfix 1288578 XXX  mem    REG     253,0     14872 3287679 /lib64/libutil-2.17.so
postfix 1288578 XXX  mem    REG     253,0     41080 3287651 /lib64/libcrypt-2.17.so
postfix 1288578 XXX  mem    REG     253,0   1139680 3287655 /lib64/libm-2.17.so
postfix 1288578 XXX  mem    REG     253,0     19776 3287653 /lib64/libdl-2.17.so
postfix 1288578 XXX  mem    REG     253,0    113600 3287657 /lib64/libnsl-2.17.so
postfix 1288578 XXX  mem    REG     253,0    111096 3287673 /lib64/libresolv-2.17.so
postfix 1288578 XXX  mem    REG     253,0   1647272 4065914 /usr/lib64/perl5/CORE/libperl.so
postfix 1288578 XXX  mem    REG     253,0    164608 3287602 /lib64/ld-2.17.so
postfix 1288578 XXX    0r   CHR       1,3       0t0 3312383 /dev/null
postfix 1288578 XXX    1w   CHR       1,3       0t0 3312383 /dev/null
postfix 1288578 XXX    2w   CHR       1,3       0t0 3312383 /dev/null
postfix 1288578 XXX    3u  IPv4 623163606       0t0     TCP my.server.hostname.com:50172->77.72.83.84 (SYN_SENT)
I think process under this user is trying to connect to other server (SYN_SENT). But CSF is installed, so the connection cannot be established, only SYN_SENT.
I tried Clamav and Malware Detect to find what file or malware that causes this problem.
The name of the processes is sometimes changed. Previously the process name was mdxfs, xargsu, perxg. But now it called sendmail, exim, and postfix.
Does anyone have experience with this? How to stop and prevent this?
 
KnownHost-DanielP

KnownHost-DanielP

Well-known member
Hosting Provider
Registered
Joined
Mar 1, 2018
Messages
121
Points
28
In a nut shell these are perl based services executed by the account. These would be 100% malicious.

Using lsof was the right way to try and track them down, but often times what they will do is start with a POST request to an exploited / exploitable script, send the perl scripts payload with it into memory and execute it from there. So the actual exploit that is running is just in memory and not a physical file.

My advice would be to look at when these were executed, so run ps aufx to get the 'start' time. Then grep the domlogs for that user for POST requests. You're likely going to find quite a few odd/malformed posts and/or posts to scripts that shouldn't be there.

Once you locate the script/plugin/location you can then begin hunting to find out what's being used to fire this off.

My guess is either out of date WordPress/Joomla or exploited Drupal at this point.
 
R

roboticpuppies

New member
Registered
Joined
Apr 25, 2018
Messages
11
Points
3
Hello,

Thank you so much for the explanation. By using your advice, I was able to track down the malicious file. It looks like an encoded script (base_64). After reading some references, I think by using Clamav or Malware Detect and add extra signature will be enough. Do you have other advice sir?

Thank you.
 
KnownHost-DanielP

KnownHost-DanielP

Well-known member
Hosting Provider
Registered
Joined
Mar 1, 2018
Messages
121
Points
28
Manually tracking back the upload is best, look at the time stamp and keep referencing your domlogs for more posts.
Maldet I've found works the best, ClamAV is good for windows garbage in emails but hardly picks up back doors and shells. I'd go through the site, look for any odd files, files with base64 encoded strings and compare them to default files. Past that change all the passwords and update any php, plugins etc and you autta be good to go.
 
You must log in or register to reply here.
Older Threads
D
How to use Hitleap on VPS?
Replies
0
Views
1,602
Dunk92
TheGodfather
Block certain countries on Cloudflare
Replies
1
Views
2,335
AlbaHost
TheGodfather
How to add Piwik/Matomo to Cloudflare ?
Replies
6
Views
5,684
djsmiley2k
natzzzzz1
How to create a website?
Replies
14
Views
3,704
technbyte
TheGodfather
VPS with GPU?
Replies
8
Views
5,406
Gmeister4
Newer Threads
Dopani
Find and Replace text in all tables in a database using Mysql query?
Replies
9
Views
6,994
Dopani
DenisMNE
How to install windows on VPS ?
Replies
8
Views
4,272
RackService
Dopani
Which is better, a VPS with cPanel vs a VPS with ServerPilot vs a VPS with Centminmod?
Replies
8
Views
4,936
Dr. McKay
Dr. McKay
Knownhost vs Liquidweb: Which managed VPS provider is better?
Replies
1
Views
1,776
valvps
Dopani
Is Regular Expression enabled on Phpmyadmin?
Replies
0
Views
1,517
Dopani
Latest Threads
josephilip
Welcome to ServerMO: Excellence in Dedicated Server Hosting
Replies
0
Views
51
josephilip
cancan
Save an incredible 90% off! The Best HostPapa Deal so Far: Unlimited SSL, 50 GB NVMe, 24/7 support
Replies
0
Views
92
cancan
M
How to Choose the Best Web Hosting Provider for a New Website ??
Replies
1
Views
70
BlueLeaf
J
Jtti: What are some common misconceptions about firewall rules?
Replies
0
Views
184
jtti
Mvv758
Hello
Replies
1
Views
89
AlbaHost
Recommended Threads
sunshine5637
Getting started in Affiliate Marketing?
Replies
8
Views
4,114
iSixty
DenisMNE
504 gateway timeout Wordpress.How to fix ?
Replies
2
Views
2,203
DenisMNE
Malcolmjr96
What's the best way to learn coding/programming?
Replies
18
Views
5,119
Require
TheGodfather
Mailgun vs Sendgrid
Replies
0
Views
1,153
TheGodfather
macklong
Host A Email Server and send 1 Million Emails a Day | Private vLAN | ASN and BGP | Free rDNS
Replies
8
Views
5,934
macklong
Similar Threads
Mujkanovic
How to backup websites data on WHM/cPanel using Rsync
Replies
0
Views
1,456
Mujkanovic
john-mth
Sync and DDoS?
Replies
1
Views
1,592
HostBastic
BlaZeX
HOT 2Sync.co - Exotic Locations - Serbia, Panama, Japan, India, South Korea, Poland, Ukraine & more
Replies
0
Views
1,612
BlaZeX
BlaZeX
NEW 2Sync.co - (Asia) South Korea - Pure SSD - KVM - Double RAM Offer - Limited Stock
Replies
0
Views
1,689
BlaZeX
Mahfuz
HOT SYNC SERVE - AlphaSSL WildCard - $5.10
Replies
0
Views
2,185
Mahfuz

Latest postsNew threads

Latest Hosting OffersNew Reviews

Popular Contributors - Past 30 Days

Sponsors

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
  • cpanel
  • dedicated
  • free
  • hello
  • hosting
  • hosting services
  • marketing
  • offers
  • seo
  • server
  • services
  • vps
  • web
  • web hosting
  • website
  • wordpress
    • Top