
Our server is compromised and we would like to know which accounts sent the malicious queries from our server. I used tcpdump to get this:

 our.host.net.48194 > box5596.bluehost.com.http: Flags [P.], cksum 0x0bf8 (incorrect -> 0x5061), seq 0:741, ack 1, win 229, options [nop,nop,TS val 260555861 ecr 3817788688], length 741: HTTP, length: 741
    POST /xmlrpc.php HTTP/1.1
    Host: www.devynamaya.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
    Content-Length: 484
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip
    Connection: close
    
    <?xml version="1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><data><value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><array><data><value><string>admin</string></value><value><string>password123</string></value></data></array></value></data></array></value></member></struct></value></data></array></value></param></params></methodCall>[!http]

On the other hand, I installed various other tools like clamav, chkrootkit, rkhunter, etc. And for the tcpdump packets, I use wireshark.

The problem is that I can't seem to find the user that sent that packet, so that I can suspend their cpanel account.

Are there any tools that help track the account that is compromised? We have hundreds of users on this server and it is like looking for a needle in a haystack.

Analysing packets would just be useless if I can't know which client has a compromised website.

Thanks!

SmootQ
  • If you have a compromised system you should reinstall it. Maybe you can use `iptables` to do the logging https://serverfault.com/q/627824/187998 – NiKiZe Aug 21 '21 at 14:51
  • Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – djdomi Aug 21 '21 at 16:29
  • @djdomi, I don't know if it answers my question or not, but I will check it out and see what is suggested in the answers. Thank you so much for the reference. Best! – SmootQ Aug 21 '21 at 16:48
  • @NiKiZe we are already considering migrating the accounts to another server, but we should try to solve the issue with this server first before doing that. There is also another problem: even if we migrate accounts, some of them will still be infected, so we have to be careful. – SmootQ Aug 21 '21 at 16:50
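As an added example that is not part of the question or its answers: on Linux, the socket table in /proc/net/tcp records the uid that opened every socket, so the source port 48194 from the tcpdump capture can be mapped back to a local account while the connection is open. The table excerpt, the IP addresses and the uid-to-account mapping below are constructed.

```python
"""Added example (not from the question or answers): map the outbound
socket seen in the tcpdump capture back to the local UID that opened it, by
parsing Linux /proc/net/tcp, whose 'uid' column records the socket owner."""
from __future__ import annotations
import socket
import struct

# Constructed /proc/net/tcp excerpt: uid 1042 owns the 48194 -> :80 socket
# from the capture; uid 0 has an unrelated listener, uid 1007 an HTTPS socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9801 1 0000000000000000 100 0 0 10 0
   1: 0A7100CB:BC42 196433C6:0050 01 00000000:00000000 00:00000000 00000000  1042        0 31337 1 0000000000000000 20 4 30 10 -1
   2: 0A7100CB:9D2E 196433C6:01BB 01 00000000:00000000 00:00000000 00000000  1007        0 31340 1 0000000000000000 20 4 30 10 -1
"""
# Constructed uid -> account names; on a real host use pwd.getpwuid(uid).pw_name.
SAMPLE_PASSWD = {0: "root", 1007: "shopacct", 1042: "devynamaya"}


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """Decode 'AABBCCDD:PPPP' into (dotted IPv4, port). The kernel prints the
    address as a host-order word; '<I' assumes a little-endian host (x86_64)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Return one dict per socket row: endpoints, TCP state and owning uid."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 8:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": int(f[3], 16), "uid": int(f[7])})
    return rows


def find_socket_owner(text: str, local_port: int, remote_port: int,
                      passwd: dict = SAMPLE_PASSWD) -> str | None:
    """Name the account owning the socket <local_port> -> <remote_port>.
    None means the socket is already gone: the captured request says
    'Connection: close', so poll often or log connection setup with iptables
    owner matching as the comments suggest."""
    for row in parse_proc_net_tcp(text):
        if row["local"][1] == local_port and row["remote"][1] == remote_port:
            return passwd.get(row["uid"], f"uid {row['uid']}")
    return None
```

The uid only identifies the account when PHP runs as that account (suPHP, CGI or per-user PHP-FPM); under mod_php every outbound socket belongs to the web server user and this lookup cannot separate tenants.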

1 Answer

Most compromised accounts/servers tend to have malware inside them, which sends out malicious queries, email spam thanks to infected files, etc. Analysing packets would be kind of hard and useless at this point.

What you can do is scan the users' document root directories with Maldet.

I've used maldet before; it's a great tool with its own signature database, which uses clamav as an engine when clamav is installed and available.

Alex
  • Thank you so much for your great answer. I heard about maldet and did not try it yet. I will check it out for sure. Thanks! – SmootQ Aug 21 '21 at 16:47