
I'm in need of a hand. We recently had a server compromise and managed to do a fairly thorough clean-up, but I'm trying to get rid of the remaining problem without moving to a new server.

Can anybody review the running processes below and point out anything that looks unusual? The attacker did manage to obtain SSH access and changed many group permissions.

It's a simple website running WordPress with low traffic. Wordfence experts and others have not been able to explain some of what they found. Thanks in advance.

UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Mar17 ?        00:00:02 /sbin/init
root         2     0  0 Mar17 ?        00:00:00 [kthreadd]
root         3     2  0 Mar17 ?        00:00:05 [migration/0]
root         4     2  0 Mar17 ?        00:00:05 [ksoftirqd/0]
root         5     2  0 Mar17 ?        00:00:00 [stopper/0]
root         6     2  0 Mar17 ?        00:00:01 [watchdog/0]
root         7     2  0 Mar17 ?        00:00:03 [migration/1]
root         8     2  0 Mar17 ?        00:00:00 [stopper/1]
root         9     2  0 Mar17 ?        00:00:03 [ksoftirqd/1]
root        10     2  0 Mar17 ?        00:00:00 [watchdog/1]
root        11     2  0 Mar17 ?        00:00:42 [events/0]
root        12     2  0 Mar17 ?        00:00:39 [events/1]
root        13     2  0 Mar17 ?        00:00:00 [events/0]
root        14     2  0 Mar17 ?        00:00:00 [events/1]
root        15     2  0 Mar17 ?        00:00:00 [events_long/0]
root        16     2  0 Mar17 ?        00:00:00 [events_long/1]
root        17     2  0 Mar17 ?        00:00:00 [events_power_ef]
root        18     2  0 Mar17 ?        00:00:00 [events_power_ef]
root        19     2  0 Mar17 ?        00:00:00 [cgroup]
root        20     2  0 Mar17 ?        00:00:00 [khelper]
root        21     2  0 Mar17 ?        00:00:00 [netns]
root        22     2  0 Mar17 ?        00:00:00 [async/mgr]
root        23     2  0 Mar17 ?        00:00:00 [pm]
root        24     2  0 Mar17 ?        00:00:01 [sync_supers]
root        25     2  0 Mar17 ?        00:00:02 [bdi-default]
root        26     2  0 Mar17 ?        00:00:00 [kintegrityd/0]
root        27     2  0 Mar17 ?        00:00:00 [kintegrityd/1]
root        28     2  0 Mar17 ?        00:01:03 [kblockd/0]
root        29     2  0 Mar17 ?        00:00:02 [kblockd/1]
root        30     2  0 Mar17 ?        00:00:00 [kacpid]
root        31     2  0 Mar17 ?        00:00:00 [kacpi_notify]
root        32     2  0 Mar17 ?        00:00:00 [kacpi_hotplug]
root        33     2  0 Mar17 ?        00:00:00 [ata_aux]
root        34     2  0 Mar17 ?        00:00:00 [ata_sff/0]
root        35     2  0 Mar17 ?        00:00:00 [ata_sff/1]
root        36     2  0 Mar17 ?        00:00:00 [ksuspend_usbd]
root        37     2  0 Mar17 ?        00:00:00 [khubd]
root        38     2  0 Mar17 ?        00:00:00 [kseriod]
root        39     2  0 Mar17 ?        00:00:00 [md/0]
root        40     2  0 Mar17 ?        00:00:00 [md/1]
root        41     2  0 Mar17 ?        00:00:00 [md_misc/0]
root        42     2  0 Mar17 ?        00:00:00 [md_misc/1]
root        43     2  0 Mar17 ?        00:00:00 [linkwatch]
root        44     2  0 Mar17 ?        00:00:00 [khungtaskd]
root        45     2  0 Mar17 ?        00:01:01 [kswapd0]
root        46     2  0 Mar17 ?        00:00:00 [ksmd]
root        47     2  0 Mar17 ?        00:00:01 [khugepaged]
root        48     2  0 Mar17 ?        00:00:00 [aio/0]
root        49     2  0 Mar17 ?        00:00:00 [aio/1]
root        50     2  0 Mar17 ?        00:00:00 [crypto/0]
root        51     2  0 Mar17 ?        00:00:00 [crypto/1]
root        58     2  0 Mar17 ?        00:00:00 [kthrotld/0]
root        59     2  0 Mar17 ?        00:00:00 [kthrotld/1]
root        61     2  0 Mar17 ?        00:00:00 [kpsmoused]
root        62     2  0 Mar17 ?        00:00:00 [usbhid_resumer]
root        63     2  0 Mar17 ?        00:00:00 [deferwq]
root       250     2  0 Mar17 ?        00:00:00 [scsi_eh_0]
root       254     2  0 Mar17 ?        00:00:00 [scsi_eh_1]
root       305  1419  0 Mar21 ?        00:00:00 sshd: root [priv]
sshd       306   305  0 Mar21 ?        00:00:00 sshd: root [net]
root       349     2  0 Mar17 ?        00:00:00 [virtio-blk]
root       379     2  0 Mar17 ?        00:01:37 [jbd2/vda1-8]
root       380     2  0 Mar17 ?        00:00:00 [ext4-dio-unwrit]
root       458     1  0 Mar17 ?        00:00:00 /sbin/udevd -d
root       563     2  0 Mar17 ?        00:00:00 [virtio-net]
root       586     2  0 Mar17 ?        00:00:00 [vballoon]
root       742     2  0 Mar17 ?        00:00:00 [kdmremove]
root       743     2  0 Mar17 ?        00:00:00 [kstriped]
root       769     2  0 Mar17 ?        00:01:08 [flush-253:0]
nobody     837 11478  0 14:29 ?        00:00:00 /usr/sbin/httpd -k start
root       992     2  0 Mar17 ?        00:00:01 [kauditd]
root      1047     2  0 Mar17 ?        00:00:13 [loop0]
root      1051     2  0 Mar17 ?        00:00:05 [kjournald]
root      1071  1419  0 Mar18 ?        00:00:00 sshd: unknown [priv]
sshd      1072  1071  0 Mar18 ?        00:00:00 sshd: unknown [net]
root      1230     1  0 Mar17 ?        00:00:01 auditd
root      1294     1  0 Mar17 ?        00:00:40 /sbin/rsyslogd -i /var/run/syslo
named     1317     1  0 Mar17 ?        00:00:02 /usr/sbin/named -u named
dbus      1335     1  0 Mar17 ?        00:00:00 dbus-daemon --system
root      1366     1  0 Mar17 ?        00:00:00 /usr/sbin/acpid
nscd      1385     1  0 Mar17 ?        00:00:31 /usr/sbin/nscd
root      1419     1  0 Mar17 ?        00:00:00 /usr/sbin/sshd
ntp       1430     1  0 Mar17 ?        00:00:01 ntpd -u ntp:ntp -p /var/run/ntpd
root      1449     1  0 Mar17 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe --d
root      1632     1  0 00:00 ?        00:00:20 lfd - sleeping
root      1711     1  0 Mar17 ?        00:00:00 pure-ftpd (SERVER)
root      1713     1  0 Mar17 ?        00:00:00 /usr/sbin/pure-authd -s /var/run
root      1725     1  0 Mar17 ?        00:00:02 crond
root      1740     1  0 Mar17 ?        00:00:00 /usr/sbin/atd
root      1875     1  0 Mar17 tty1     00:00:00 /sbin/mingetty /dev/tty1
root      1877     1  0 Mar17 tty2     00:00:00 /sbin/mingetty /dev/tty2
root      1879     1  0 Mar17 tty3     00:00:00 /sbin/mingetty /dev/tty3
root      1881     1  0 Mar17 tty4     00:00:00 /sbin/mingetty /dev/tty4
root      1883     1  0 Mar17 tty5     00:00:00 /sbin/mingetty /dev/tty5
root      1885     1  0 Mar17 tty6     00:00:00 /sbin/mingetty /dev/tty6
root      1889   458  0 Mar17 ?        00:00:00 /sbin/udevd -d
root      1890   458  0 Mar17 ?        00:00:00 /sbin/udevd -d
nobody    2733 11478  0 14:45 ?        00:00:00 /usr/sbin/httpd -k start
nobody    2736 11478  0 14:45 ?        00:00:00 /usr/sbin/httpd -k start
nobody    2739 11478  0 14:45 ?        00:00:00 /usr/sbin/httpd -k start
nobody    3264 11478  0 14:50 ?        00:00:00 /usr/sbin/httpd -k start
503       3265 11478  0 14:50 ?        00:00:00 /usr/sbin/httpd -k start
nobody    3270 11478  0 14:50 ?        00:00:00 /usr/sbin/httpd -k start
nobody    3272 11478  0 14:50 ?        00:00:00 /usr/sbin/httpd -k start
nobody    3278 11478  0 14:50 ?        00:00:00 /usr/sbin/httpd -k start
503       3577 11566 23 14:54 ?        00:00:12 php-fpm: pool mysite
root      3596  1419  0 14:54 ?        00:00:00 sshd: root@pts/0
503       3600 11566 23 14:54 ?        00:00:06 php-fpm: pool mysite
503       3602 11566 23 14:54 ?        00:00:06 php-fpm: pool mysite
root      3619  3596  0 14:54 pts/0    00:00:00 -bash
root      3670  3619  0 14:54 pts/0    00:00:00 ps -ef
root      4331  1419  0 00:52 ?        00:00:00 sshd: unknown [priv]
sshd      4332  4331  0 00:52 ?        00:00:00 sshd: unknown [net]
root      4365  1419  0 00:53 ?        00:00:00 sshd: root [priv]
sshd      4367  4365  0 00:53 ?        00:00:00 sshd: root [net]
root      4758  1419  0 Mar19 ?        00:00:00 sshd: root [priv]
sshd      4760  4758  0 Mar19 ?        00:00:00 sshd: root [net]
mysql     5024  1449  3 Mar19 ?        02:24:33 /usr/sbin/mysqld --basedir=/usr
root      7284     2  0 02:05 ?        00:00:00 [flush-7:0]
root      8078  1419  0 Mar21 ?        00:00:00 sshd: unknown [priv]
sshd      8082  8078  0 Mar21 ?        00:00:00 sshd: unknown [net]
root      9047     1  0 Mar21 ?        00:00:00 /usr/sbin/dovecot
dovenull  9049  9047  0 Mar21 ?        00:00:00 dovecot/pop3-login
dovenull  9050  9047  0 Mar21 ?        00:00:00 dovecot/imap-login
dovecot   9051  9047  0 Mar21 ?        00:00:00 dovecot/anvil
root      9052  9047  0 Mar21 ?        00:00:00 dovecot/log
dovenull  9054  9047  0 Mar21 ?        00:00:00 dovecot/pop3-login
root      9055  9047  0 Mar21 ?        00:00:00 dovecot/config
dovenull  9056  9047  0 Mar21 ?        00:00:00 dovecot/imap-login
root      9431  1419  0 Mar21 ?        00:00:00 sshd: unknown [priv]
sshd      9432  9431  0 Mar21 ?        00:00:00 sshd: unknown [net]
root      9639     1  0 Mar21 ?        00:00:07 cpsrvd (SSL) - dormant mode - ac
root      9647     1  0 Mar21 ?        00:00:05 queueprocd - wait to process a t
root      9651     1  0 Mar21 ?        00:00:01 dnsadmin - dormant mode
root      9667     1  0 Mar21 ?        00:00:07 php-fpm: master process (/usr/lo
root      9676     1  0 Mar21 ?        00:00:14 cPhulkd - processor
root      9685     1  0 Mar21 ?        00:00:00 cpdavd - accepting connections o
root      9689     1  0 Mar21 ?        00:00:00 cpanellogd - sleeping for logs
root     11396     1  0 03:42 ?        00:00:01 tailwatchd
root     11443  1419  0 Mar21 ?        00:00:00 sshd: root [priv]
sshd     11444 11443  0 Mar21 ?        00:00:00 sshd: root [net]
root     11478     1  0 03:42 ?        00:00:02 /usr/sbin/httpd -k start
root     11566     1  0 03:42 ?        00:00:04 php-fpm: master process (/opt/cp
503      12423  9047  0 11:11 ?        00:00:00 dovecot/quota-status -p postfix
root     12782  1419  0 Mar18 ?        00:00:00 sshd: root [priv]
root     12783  1419  0 Mar18 ?        00:00:00 sshd: unknown [priv]
sshd     12784 12782  0 Mar18 ?        00:00:00 sshd: root [net]
sshd     12787 12783  0 Mar18 ?        00:00:00 sshd: unknown [net]
root     12800  1419  0 Mar20 ?        00:00:00 sshd: root [priv]
sshd     12801 12800  0 Mar20 ?        00:00:00 sshd: root [net]
mailman  12890     1  0 11:17 ?        00:00:00 /usr/bin/python /usr/local/cpane
mailman  12891 12890  0 11:17 ?        00:00:01 /usr/bin/python /usr/local/cpane
mailman  12892 12890  0 11:17 ?        00:00:02 /usr/bin/python /usr/local/cpane
mailman  12893 12890  0 11:17 ?        00:00:01 /usr/bin/python /usr/local/cpane
mailman  12894 12890  0 11:17 ?        00:00:02 /usr/bin/python /usr/local/cpane
mailman  12895 12890  0 11:17 ?        00:00:01 /usr/bin/python /usr/local/cpane
mailman  12896 12890  0 11:17 ?        00:00:02 /usr/bin/python /usr/local/cpane
mailman  12897 12890  0 11:17 ?        00:00:02 /usr/bin/python /usr/local/cpane
mailman  12898 12890  0 11:17 ?        00:00:00 /usr/bin/python /usr/local/cpane
root     18367     1  0 Mar21 ?        00:00:00 /usr/bin/python -Es /usr/bin/fai
root     19644  1419  0 Mar18 ?        00:00:00 sshd: unknown [priv]
sshd     19645 19644  0 Mar18 ?        00:00:00 sshd: unknown [net]
root     19713  1419  0 Mar19 ?        00:00:00 sshd: root [priv]
sshd     19714 19713  0 Mar19 ?        00:00:00 sshd: root [net]
root     19937  1419  0 12:38 ?        00:00:00 sshd: root@pts/1
root     20109 19937  0 12:39 pts/1    00:00:00 -bash
root     20816  1419  0 12:44 ?        00:00:00 sshd: root@pts/2
root     20819 20816  0 12:44 pts/2    00:00:00 -bash
root     21666  1419  0 04:29 ?        00:00:00 sshd: root [priv]
sshd     21667 21666  0 04:29 ?        00:00:00 sshd: root [net]
root     21985  1419  0 04:33 ?        00:00:00 sshd: root [priv]
sshd     21986 21985  0 04:33 ?        00:00:00 sshd: root [net]
root     23160  1419  0 Mar18 ?        00:00:00 sshd: root [priv]
sshd     23161 23160  0 Mar18 ?        00:00:00 sshd: root [net]
root     23331  1419  0 Mar19 ?        00:00:00 sshd: unknown [priv]
sshd     23332 23331  0 Mar19 ?        00:00:00 sshd: unknown [net]
root     23409 11478  0 13:04 ?        00:00:00 /usr/local/cpanel/3rdparty/bin/p
nobody   27199 11478  0 13:32 ?        00:00:02 /usr/sbin/httpd -k start
mailnull 27668     1  0 Mar21 ?        00:00:00 /usr/sbin/exim -ps -bd -q1h -oP
root     27680     1  0 Mar21 ?        00:07:36 spamd-dormant: waiting for conne
32010    27694     1  0 Mar21 ?        00:03:11 /usr/local/cpanel/3rdparty/sbin/
root     30316  1419  0 Mar18 ?        00:00:00 sshd: root [priv]
sshd     30317 30316  0 Mar18 ?        00:00:00 sshd: root [net]
root     30837  1419  0 Mar21 ?        00:00:00 sshd: root [priv]
sshd     30838 30837  0 Mar21 ?        00:00:00 sshd: root [net]
    Wipe it and start from scratch. If the server has been compromised then you can no longer trust it, no matter what actions you've taken to clean it and secure it. – joeqwerty Mar 22 '17 at 15:15
  • You should read this: http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – Lacek Mar 22 '17 at 15:20
    And while at it, don't use cPanel with the new server. – Tero Kilkanen Mar 22 '17 at 15:37
  • @TeroKilkanen what would you suggest over cpanel, isn't it the greatest/safest? – Django Black Mar 22 '17 at 16:21
    @DjangoBlack The greatest/safest is no control panel at all. Manage your server using ssh and a configuration management system like ansible, salt, etc. – EEAA Mar 22 '17 at 16:49



If the machine has been compromised, the attacker could have installed a rootkit that prevents some processes from appearing in ps, in /proc, or on disk. The only safe way forward is to rebuild the machine from trusted sources.

Jason Martin