Re: server compromise (cPanel)

Author: David Schwartz
Date:  
To: Main PLUG discussion list
Subject: Re: server compromise (cPanel)
When I sorted the whole month’s log, there was a HUGE number of IPs involved … AWStats says 65 total in April vs. 1634 so far this month.

They replied later that they didn’t think it was FTP, except that looking through the main log shows normal behavior until that one FTP entry occurred. Then, about an hour later, is when all of those calls to /options.php started to happen.

From my AWStats, the average number of visits per day was <10 with <2 KB of bandwidth until the 15th. Then it surged to 100-533 visits with bandwidth from 1.31 to 123.37 MB.

The majority of page accesses were in the USA (2659) and Germany (690).

My average number of visits per month is 150-200, but so far this month it has been > 2600, most of which happened since the 14th.

Is there anybody who studies this stuff that I could forward my logs and the files to?

-David Schwartz
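An added example, not part of David's message or any of the replies, of the kind of access-log triage described above: parse Apache combined-format lines (the format cPanel's per-domain access logs use), compute per-day hits and unique client IPs, flag days whose unique-IP count is far above a quiet baseline, and find the earliest request for a path such as /options.php together with its source IP. The log lines, IP addresses, dates and the /options.php path are constructed for illustration; the FTP side of the timeline lives in a separate log and is not covered here.

```python
"""
Added example (not from the original thread): triage an Apache/cPanel
combined-format access log by comparing per-day activity against a
baseline and locating the first request for a suspicious path.
All log lines, IPs and dates below are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [ts] "method path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: two quiet days, then a first probe of /options.php
# from one host, then many distinct hosts pulling the same path.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2018:10:01:02 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [13/May/2018:11:15:44 -0700] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [14/May/2018:02:10:09 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/May/2018:03:12:30 -0700] "GET /options.php?a=1 HTTP/1.1" 200 312 "-" "python-requests/2.18"
198.51.100.7 - - [14/May/2018:03:13:02 -0700] "POST /options.php HTTP/1.1" 200 512 "-" "python-requests/2.18"
198.51.100.8 - - [14/May/2018:03:15:00 -0700] "GET /options.php HTTP/1.1" 200 512 "-" "curl/7.58"
192.0.2.10 - - [15/May/2018:00:01:00 -0700] "GET /options.php HTTP/1.1" 200 131072 "-" "Mozilla/5.0"
192.0.2.11 - - [15/May/2018:00:02:00 -0700] "GET /options.php HTTP/1.1" 200 131072 "-" "Mozilla/5.0"
192.0.2.12 - - [15/May/2018:00:03:00 -0700] "GET /options.php HTTP/1.1" 200 131072 "-" "Mozilla/5.0"
192.0.2.13 - - [15/May/2018:00:04:00 -0700] "GET /options.php HTTP/1.1" 200 131072 "-" "Mozilla/5.0"
this line is deliberately not a log entry and must be skipped
"""


def parse_log(text):
    """Parse combined-format lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
        entries.append(e)
    return entries


def daily_stats(entries):
    """Per calendar day: request count, number of distinct client IPs, bytes served."""
    acc = defaultdict(lambda: {"hits": 0, "ips": set(), "bytes": 0})
    for e in entries:
        day = acc[e["ts"].date().isoformat()]
        day["hits"] += 1
        day["ips"].add(e["ip"])
        day["bytes"] += e["bytes"]
    return {d: {"hits": s["hits"], "ips": len(s["ips"]), "bytes": s["bytes"]}
            for d, s in sorted(acc.items())}


def spike_days(stats, baseline_days, factor=5):
    """Days outside the baseline whose distinct-IP count exceeds factor x baseline mean."""
    base = [stats[d]["ips"] for d in baseline_days if d in stats]
    if not base:
        return []
    mean = sum(base) / len(base)
    return [d for d, s in stats.items()
            if d not in baseline_days and s["ips"] > factor * mean]


def first_request(entries, path):
    """(ISO timestamp, source IP) of the earliest request for `path` (query string ignored)."""
    hits = [e for e in entries if e["path"].split("?", 1)[0] == path]
    if not hits:
        return None
    first = min(hits, key=lambda e: e["ts"])
    return first["ts"].isoformat(), first["ip"]


def top_sources(entries, n=5):
    """Most active client IPs, as (ip, count) pairs."""
    return Counter(e["ip"] for e in entries).most_common(n)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    stats = daily_stats(entries)
    for day, s in stats.items():
        print(day, s)
    print("spike days:", spike_days(stats, ["2018-05-12", "2018-05-13"], factor=3))
    print("first /options.php:", first_request(entries, "/options.php"))
    print("top sources:", top_sources(entries, 3))
```

On a real cPanel account the input would be the per-domain file under the account's access-logs directory (or the archived monthly copy), and the baseline days should be taken from a period before the suspected intrusion; the first hit on the suspicious path, with its source IP and user agent, is the event to line up against the FTP log.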



> On May 25, 2018, at 3:38 PM, Eric Oyen <> wrote:
>
> well, taking a closer look at some of the entries…
> Definitely a WordPress look-alike. I also noted the MS IIS injection, and there appear to be references to ads (all of which might be infected).
>
> BTW, one additional thing that the hosting provider might want to look for: crypto-mining processes. This is something new that has been cropping up in other places.
>
> And lastly, they will need to check out their router hardware to make sure it isn't infected (some news there as well over the last week).
>
> -eric
>
> On May 25, 2018, at 3:34 PM, Carruth, Rusty wrote:
>
>> Indeed, I tend to agree with Eric here.
>>
>> And I think I'd like to know who it is - don't remember if you ever dropped that info... :-) If it's HostGator then I'll be on the phone to them also.
>>
>>
>> -----Original Message-----
>> From: PLUG-discuss [mailto:plug-discuss-bounces@lists.phxlinux.org] On Behalf Of Eric Oyen
>> Sent: Friday, May 25, 2018 3:30 PM
>> To: Main PLUG discussion list
>> Subject: Re: server compromise (cPanel)
>>
>> well,
>> to begin with, your hosting provider failed to patch something and tried to shift blame. It is their problem and they are required to solve it.
>>
>> BTW, that looks like some bot activity, and I am fairly certain that one of those items looks a lot like a torrent tracker.
>>
>> Is yours the only account on that machine? If not, how many other users might be affected by this?
>>
>> Now, as for mode of infiltration, assuming they didn't have your credentials, it is possible that an injection exploit was used.
>>
>> Now, this area is more my forte, but I am, by no means, a certified expert.
>>
>> Anyway, time to call them back and have a chat with their operations manager and inform them that they have been breached and should be doing something about it. If they continue blame shifting, it might be time to consider dropping them entirely. That's my 2 cents' worth.
>>
>> -eric
>>


---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss