Few days ago, I saw this in `bash_history` while looking for something else:
539 being MY last action on the server, connected as root by private key, and 554 being ConfigServer installing their stuff and making configurations.

539 2021-05-17 03:54:07 yum update php-libpng
540 2021-05-17 09:18:05 yum install john
541 2021-05-17 09:18:35 yum install john-the-ripper
542 2021-05-17 09:18:46 sudo yum install epel-release
543 2021-05-17 09:18:56 sudo yum install snapd
544 2021-05-17 09:19:03 sudo systemctl enable --now snapd.socket
545 2021-05-17 09:19:09 sudo ln -s /var/lib/snapd/snap /snap
546 2021-05-17 09:19:14 sudo snap install john-the-ripper
547 2021-05-17 09:19:58 unshadow /etc/passwd /etc/shadow > mypasswd.txt
548 2021-05-17 09:20:05 john
549 2021-05-17 09:21:19 unshadow
550 2021-05-17 09:21:27 john unshadow
551 2021-05-17 09:21:47 /usr/sbin/unshadow
552 2021-05-17 09:22:43 ls
553 2021-05-17 09:22:50 cd /etc/john*
554 2021-05-17 17:01:30 ( chkconfig cxswatch on; sed -i "s/cxswatch:0 cxswatch:1/" /etc/chkserv.d/chkservd.conf; )
[root@phoebe www]# who -a
démarrage système 2021-05-16 01:10
IDENTIFIANT tty1 2021-05-16 01:11 1934 id=tty1
niveau d'exécution 3 2021-05-16 01:11
root + pts/0 2021-05-19 11:12 . 2987011 (82.64.94.155)
pts/1 2021-05-18 23:09 2565543 id=/1 term=0 sortie=0
pts/2 2021-05-17 01:31 790573 id=/2 term=0 sortie=0
pts/1 2021-05-18 19:52 2356257 id=ts/1 term=0 sortie=0
pts/2 2021-05-17 17:08 1251035 id=ts/2 term=0 sortie=0
pts/3 2021-05-17 17:08 1251107 id=ts/3 term=0 sortie=0
pts/4 2021-05-17 17:01 1431009 id=/4 term=0 sortie=0
From where I'm standing, the hacker first couldn't get his hands on anything, as he couldn't execute JTR. I changed passwords immediately but don't think it will prevent another attempt. But he seems to come out of nowhere! There is no SSH connection, there is no suspected IP nor public key, there is no sudo group in sudoers.

[root@phoebe www]# zgrep -h sshd /var/log/secure-20210516 /var/log/secure-20210517.gz | grep -F 'Accepted'
# Truncated
May 9 22:35:46 phoebe sshd[153013]: Accepted publickey for root from MY_HOME_IP
May 10 11:34:26 phoebe sshd[498230]: Accepted publickey for root from MY_HOME_IP
May 11 00:07:50 phoebe sshd[978883]: Accepted publickey for root from MY_HOME_IP
May 11 21:53:27 phoebe sshd[2032266]: Accepted publickey for root from MY_HOME_IP
May 11 22:42:17 phoebe sshd[2056997]: Accepted publickey for root from CPANEL_IP1
May 12 02:14:11 phoebe sshd[2165520]: Accepted publickey for root from CPANEL_IP1
May 12 03:19:42 phoebe sshd[2198215]: Accepted publickey for root from CPANEL_IP1
May 12 10:57:11 phoebe sshd[2445876]: Accepted publickey for root from MY_HOME_IP
May 12 11:56:08 phoebe sshd[2479979]: Accepted publickey for root from CPANEL_IP2
May 13 18:30:27 phoebe sshd[3903110]: Accepted publickey for root from MY_HOME_IP
May 14 17:25:36 phoebe sshd[694978]: Accepted publickey for root from MY_HOME_IP
May 14 22:46:44 phoebe sshd[891802]: Accepted publickey for root from MY_HOME_IP
May 15 09:34:00 phoebe sshd[1298613]: Accepted publickey for root from MY_HOME_IP
May 15 21:17:01 phoebe sshd[1692601]: Accepted publickey for root from MY_HOME_IP
May 16 00:45:29 phoebe sshd[1814485]: Accepted publickey for root from MY_HOME_IP
May 16 01:00:54 phoebe sshd[7536]: Accepted publickey for root from MY_HOME_IP
May 16 01:15:29 phoebe sshd[4596]: Accepted publickey for root from MY_HOME_IP
May 17 11:56:56 phoebe sshd[1112647]: Accepted publickey for root from MY_HOME_IP
May 17 16:35:06 phoebe sshd[1250904]: Accepted publickey for root from CONFIGSERVER
May 17 16:35:22 phoebe sshd[1251035]: Accepted publickey for root from CONFIGSERVER
May 17 16:35:26 phoebe sshd[1251107]: Accepted publickey for root from CONFIGSERVER
Can someone give me a hint on where to look for an entry point please?
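One way to narrow down "where did this session come from" is to correlate the three artefacts the post already has: the timestamped bash_history, the sshd "Accepted" lines, and the PIDs in `who -a` (the PID column there is the sshd child, so 1251035 and 1251107 in `who -a` line up with sshd[1251035] and sshd[1251107] in the secure log). The script below is an added example for this thread, not code from the original post. It assumes bash_history is shown in `history` form with HISTTIMEFORMAT '%F %T ' as in the post, that the sshd lines use the classic /var/log/secure syslog format (no year, so the year is an assumed constant), that all clocks are in one timezone, and that `who -a` may be localised (only the pts/N, timestamp and PID fields are parsed). The sample lines are copied from the post or constructed, and the IPs are the post's own placeholders.

```python
"""Correlate bash_history, `who -a` and sshd 'Accepted' lines.

Added example for this thread; it is not code from the original post.
Assumptions: history is in `history` form with HISTTIMEFORMAT '%F %T ',
sshd lines are classic syslog lines without a year (YEAR is assumed),
all timestamps share one timezone, and `who -a` may be localised.
Sample lines are taken from the post or constructed; the IPs are the
post's own placeholders.
"""
import re
from datetime import datetime, timedelta

YEAR = 2021  # assumption: syslog lines carry no year

HIST_RE = re.compile(r"^\s*(\d+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(.*)$")
SSHD_RE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: "
    r"Accepted (\w+) for (\S+) from (\S+)")
# pts/N, start time, optional '.' idle marker, then the PID (locale-independent)
WHO_RE = re.compile(r"pts/(\d+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?:\S+\s+)?(\d+)\b")

# Sample input: lines from the post (trimmed), with placeholder IPs ---------
HISTORY = """\
539 2021-05-17 03:54:07 yum update php-libpng
540 2021-05-17 09:18:05 yum install john
547 2021-05-17 09:19:58 unshadow /etc/passwd /etc/shadow > mypasswd.txt
554 2021-05-17 17:01:30 ( chkconfig cxswatch on; sed -i "s/cxswatch:0 cxswatch:1/" /etc/chkserv.d/chkservd.conf; )
""".splitlines()

SECURE = """\
May 16 01:15:29 phoebe sshd[4596]: Accepted publickey for root from MY_HOME_IP
May 17 11:56:56 phoebe sshd[1112647]: Accepted publickey for root from MY_HOME_IP
May 17 16:35:22 phoebe sshd[1251035]: Accepted publickey for root from CONFIGSERVER
May 17 16:35:26 phoebe sshd[1251107]: Accepted publickey for root from CONFIGSERVER
""".splitlines()

WHO = """\
root + pts/0 2021-05-19 11:12 . 2987011 (MY_HOME_IP)
pts/2 2021-05-17 17:08 1251035 id=ts/2 term=0 sortie=0
pts/3 2021-05-17 17:08 1251107 id=ts/3 term=0 sortie=0
pts/4 2021-05-17 17:01 1431009 id=/4 term=0 sortie=0
""".splitlines()


def parse_history(lines):
    """Return a list of (history number, timestamp, command)."""
    out = []
    for line in lines:
        m = HIST_RE.match(line)
        if m:
            out.append((int(m.group(1)),
                        datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S"),
                        m.group(3)))
    return out


def parse_sshd(lines, year=YEAR):
    """Return one dict per 'Accepted' line: ts, pid, method, user, src."""
    out = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        mon, day, clock, pid, method, user, src = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        out.append({"ts": ts, "pid": int(pid), "method": method,
                    "user": user, "src": src})
    return out


def nearest_prior_login(ts, logins):
    """Most recent Accepted login at or before ts, or None if there is none."""
    prior = [l for l in logins if l["ts"] <= ts]
    return max(prior, key=lambda l: l["ts"]) if prior else None


def unexplained_commands(history, logins, max_gap=timedelta(hours=2)):
    """History entries whose nearest prior login is missing or older than max_gap.

    A large gap means either a long-lived session or a command run through
    something sshd never logged (console, cron, a web shell, su from another
    account); either way it is the place to dig.
    """
    flagged = []
    for num, ts, cmd in history:
        login = nearest_prior_login(ts, logins)
        gap = None if login is None else ts - login["ts"]
        if gap is None or gap > max_gap:
            flagged.append((num, cmd, gap))
    return flagged


def who_sessions(who_lines, logins):
    """Map each pts/N in `who -a` to the source of the sshd login with that PID."""
    by_pid = {l["pid"]: l for l in logins}
    result = {}
    for line in who_lines:
        m = WHO_RE.search(line)
        if m:
            pts, _started, pid = m.groups()
            login = by_pid.get(int(pid))
            result[f"pts/{pts}"] = login["src"] if login else None
    return result


if __name__ == "__main__":
    hist, logins = parse_history(HISTORY), parse_sshd(SECURE)
    for num, cmd, gap in unexplained_commands(hist, logins):
        print(f"#{num} no Accepted login within {gap}: {cmd}")
    for pts, src in who_sessions(WHO, logins).items():
        print(f"{pts}: {'sshd from ' + src if src else 'no matching sshd Accepted line'}")
```

On the post's own data this flags 539, 540 and 547 (no Accepted login for more than a day before them) while 554 sits 26 minutes after the CONFIGSERVER login, which matches what the poster already concluded by hand; pts/2 and pts/3 resolve to the ConfigServer sessions and pts/4 (started at 17:01, the minute of command 554) has no sshd PID in the trimmed log, so that is the session to trace in the full secure log, journal and process accounting. A pts with no sshd match is not proof of an intruder (tmux, `script`, a web console or an su from a non-root account all allocate ptys), but it is where the entry point question gets answered.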