CpanelInc / tech-CSI

cPanel Security Scan

exit at checking process list #10

Closed evrynet1 closed 2 years ago

evrynet1 commented 2 years ago

It looks like the script is broken under CentOS 7 and exit at "Checking process list for suspicious processes". Could you look into this please?

Thank you

cPanelPeter commented 2 years ago

I'm not able to reproduce this on CentOS 7.

```
# ./csi.pl
[INFORMATIONAL]: CSI version: 3.5.9
Checking for a previous run of CSI
[INFORMATIONAL]: Setting I/O priority to reduce system load: best-effort: prio 6

Scan started on Fri Mar 18 13:08:38 2022
[INFORMATIONAL]: Usage: /root/csi.pl [functions] [options]
[INFORMATIONAL]: See --help for a full list of options

########################################################################
DISCLAIMER! cPanel's Technical Support does not provide
security consultation services. The only support services we
can provide at this time is to perform a minimal analysis of the
possible security breach solely for the purpose of determining if
cPanel's software was involved or used in the security breach.
########################################################################
As with any anti-malware scanning system false positives may occur
If anything suspicious is found, it should be investigated by a
professional security consultant. There are never any guarantees
########################################################################

Checking for RPM database corruption and repairing as necessary...

[ Starting cPanel Security Investigator SCAN Mode ]
[ System: Centos Linux release 7.9 ]

[ Available flags when running csi.pl scan ]
[ --full Performs a more compreshensive scan (includes the options below)]
[ --shadow Scans all accounts for variants of shadow.roottn email hack ]
[ --symlink Scans for symlink hacks going back to / ]
[ --secadv Performs a Security Advisor run ]

[ Checking logfiles ]
[ Checking for bad UIDs ]
[ Checking /etc/passwd file for suspicious users ]
[ Checking /etc/hosts file for suspicious entries ]
[ Checking for known Indicators of Compromise (IoC) ]
[ Checking for evidence of DirtyCow within /etc/passwd ]
[ Checking installed packages for CVEs ]
[ Checking if polkit/policykit has been exploited by CVE-2021-4034 ]
[ Checking if Use MD5 passwords with Apache is disabled ]
[ Checking for index.html in /tmp and /home ]
[ Checking for modified suspended page ]
[ Checking for suspicious files ]
[ Checking if root bash history has been tampered with ]
[ Checking /etc/ld.so.preload for compromised library ]
[ Checking process list for suspicious processes ]
[ Checking for suspicious bitcoin miners ]
[ Checking reseller ACLs ]
[ Checking if /var/cpanel/authn/api_tokens_v2/whostmgr/root.json is IMMUTABLE ]
[ Checking /usr/local/cpanel/logs/api_tokens_log for passwd changes ]
[ Checking for PHP backdoors in unprotected path ]
[ Checking for miscellaneous compromises ]
[ Checking Binary Headers ]
[ Checking Apache Modules ]
[ Checking for sshd_config ]
[ Checking vm.nr.hugepages in /proc/sys/vm ]
[ Checking for modified/hacked SSH ]
[ Checking /root/.bash_history for anomalies ]
[ Checking for non-root users with ALL privileges in /etc/sudoers file ]
[ Checking for spam sending script in /tmp ]
[ Checking user level crons for suspicious entries ]
[ Checking for ransomwareEXX ]
[ Checking kernel status ]
[ Checking for suspicious MySQL users (Including Super privileges) ]
[ Checking for unowned files/libraries ]
[ Checking /etc/group for suspicious users ]

Looking for recommendations

[ Checking if updates are enabled ]
[ Checking for mod_security ]
[ Checking for Two-Factor Authentication ]
[ Checking login_access Tweak Setting ]
[ Checking for accesshash ]
[ Checking if SymLinkProtection is enabled ]
[ Checking setting of Cookie IP Validation ]
[ Checking setting of X-Frame/X-Content Type headers with cpsrvd ]
[ Checking for deprecated plugins/modules ]
[ Gathering the IP addresses that logged on successfully as root ]
[ cPanel Security Investigator Complete! ]
[ CSI Summary ]

Congratulations, no negative items found!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[INFORMATIONAL]: The following is just informational

The following IP address(es) logged on via SSH successfully as root (in Mar):
_ IP: 10.3.9.90
_ IP: 10.3.9.74
_ IP: 10.3.9.68
_ IP: 10.3.9.63
_ IP: 10.3.9.17
_ IP: 10.3.9.253
_ IP: 10.3.9.249
_ IP: 10.3.9.216
_ IP: 10.7.10.236
_ IP: 10.3.9.183
_ IP: 10.3.9.173

Do you recognize the above IP addresses? If not, then further investigation should be performed by a qualified security specialist.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[RECOMMENDATIONS]: You should consider making the following recommendations:

PermitRootLogin is set to yes in /etc/ssh/sshd_config - consider setting to no or without-password instead!
PasswordAuthentication is set to yes in /etc/ssh/sshd_config - consider using ssh keys instead!
Mod Security is installed but there were no active Mod Security vendor rules found.
Two-Factor Authentication Policy is disabled - Consider enabling this.
Consider changing Accounts that can access cPanel user account to cPanel User Only.

Scan completed on Fri Mar 18 13:09:23 2022
Elapsed Time: 45 seconds
```

Please run csi.pl with the `--debug` flag (lots of info will be printed, but if there are errors during the suspicious process check, it should tell you).

evrynet1 commented 2 years ago

@cPanelPeter here you are:

```
[ Checking process list for suspicious processes ]
Unmatched ( in regex; marked by <-- HERE in m/root 854 /usr/bin/abrt-watch-log -F BUG: WARNING: at WARNING: CPU: INFO: possible recursive locking detected ernel BUG at list_del corruption list_add corruption do_IRQ: stack overflow: ear stack overflow ( <-- HERE cur: eneral protection fault nable to handle kernel ouble fault: RTNL: assertion failed eek! pagemapcount(page) went negative! adness at NETDEV WATCHDOG ysctl table check failed : nobody cared IRQ handler type mismatch Kernel panic - not syncing: Machine Check Exception: Machine check events logged divide error: bounds: coprocessor segment overrun: invalid TSS: segment not present: invalid opcode: alignment check: stack segment: fpu exception: simd exception: iret exception: /var/log/messages -- /usr/bin/abrt-dump-oops -xtD/ at ./csi.pl line 960.
```

Let me know if I can do anything else to help.

```
[root@172-16-4-195 ~]# uname -r
3.10.0-962.3.2.lve1.5.66.el7.x86_64
[root@172-16-4-195 ~]# cat /etc/redhat-release
CloudLinux release 7.9 (Boris Yegorov)
[root@172-16-4-195 ~]#
```

Thanks, Andrew

cPanelPeter commented 2 years ago

Hi Andrew,

That looks like your server is kernel panicking. Are you running KernelCare? When was the last kernel update? How long since your last reboot?

Can you also provide the following ps output:

```
ps --no-header --width=1000 axwwwf -o 'user,pid,args' | grep 854
```

evrynet1 commented 2 years ago

Here you are:

```
root 854 /usr/bin/abrt-watch-log -F BUG: WARNING: at WARNING: CPU: INFO: possible recursive locking detected ernel BUG at list_del corruption list_add corruption do_IRQ: stack overflow: ear stack overflow (cur: eneral protection fault nable to handle kernel ouble fault: RTNL: assertion failed eek! pagemapcount(page) went negative! adness at NETDEV WATCHDOG ysctl table check failed : nobody cared IRQ handler type mismatch Kernel panic - not syncing: Machine Check Exception: Machine check events logged divide error: bounds: coprocessor segment overrun: invalid TSS: segment not present: invalid opcode: alignment check: stack segment: fpu exception: simd exception: iret exception: /var/log/messages -- /usr/bin/abrt-dump-oops -xtD
root 8554 | _ grep --color=auto 854
mailnull 8541 _ /usr/sbin/exim -ps -bd -q15m -oP /var/spool/exim/exim-daemon.pid
mailnull 8542 \ /usr/sbin/exim -ps -bd -q15m -oP /var/spool/exim/exim-daemon.pid
```

I just ran this on 2 other servers both being CentOS 7 (not CL7) and one is okay but on the other getting the same:

```
[ Checking process list for suspicious processes ]
Unmatched ( in regex; marked by <-- HERE in m/root 1520 /usr/bin/abrt-watch-log -F BUG: WARNING: at WARNING: CPU: INFO: possible recursive locking detected ernel BUG at list_del corruption list_add corruption do_IRQ: stack overflow: ear stack overflow ( <-- HERE cur: eneral protection fault nable to handle kernel ouble fault: RTNL: assertion failed eek! pagemapcount(page) went negative! adness at NETDEV WATCHDOG ysctl table check failed : nobody cared IRQ handler type mismatch Kernel panic - not syncing: Machine Check Exception: Machine check events logged divide error: bounds: coprocessor segment overrun: invalid TSS: segment not present: invalid opcode: alignment check: stack segment: fpu exception: simd exception: iret exception: /var/log/messages -- /usr/bin/abrt-dump-oops -xtD/ at ./csi.pl line 960.
[root@xxxx ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@xxxx ~]# ps --no-header --width=1000 axwwwf -o 'user,pid,args' | grep 1520
root 1520 /usr/bin/abrt-watch-log -F BUG: WARNING: at WARNING: CPU: INFO: possible recursive locking detected ernel BUG at list_del corruption list_add corruption do_IRQ: stack overflow: ear stack overflow (cur: eneral protection fault nable to handle kernel ouble fault: RTNL: assertion failed eek! pagemapcount(page) went negative! adness at NETDEV WATCHDOG ysctl table check failed : nobody cared IRQ handler type mismatch Kernel panic - not syncing: Machine Check Exception: Machine check events logged divide error: bounds: coprocessor segment overrun: invalid TSS: segment not present: invalid opcode: alignment check: stack segment: fpu exception: simd exception: iret exception: /var/log/messages -- /usr/bin/abrt-dump-oops -xtD
root 18049 \ grep --color=auto 1520
[root@xxxx ~]#
```
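The `Unmatched ( in regex` errors in the two transcripts above have a common cause: the text of a process command line is interpolated into a Perl match operator as a pattern rather than as literal data, and the `abrt-watch-log` argument list contains a bare `(` (from `stack overflow (cur:`), so the pattern fails to compile and the whole scan aborts. The script below is an added illustration, not code from csi.pl or the tech-CSI project; the sample `ps` line, the `@known` list and the `matches_unescaped`/`matches_escaped` subroutine names are constructed for the example. It reproduces the failure under `eval` and shows the standard fix, `\Q...\E` (`quotemeta`), which escapes every regex metacharacter so a command line taken from the process table is compared literally.

```perl
#!/usr/bin/perl
# Added example (not csi.pl's own code): interpolating an unescaped
# process command line into a Perl regex vs. matching it literally.
use strict;
use warnings;

# Constructed sample in the shape of `ps -o user,pid,args` output.
# The "(" in "stack overflow (cur:" is a regex metacharacter.
my $ps_line = 'root 854 /usr/bin/abrt-watch-log -F BUG: WARNING: at '
            . 'stack overflow (cur: /var/log/messages -- /usr/bin/abrt-dump-oops -xtD';

# Constructed list of process lines a scanner might compare against.
my @known = (
    $ps_line,
    'root 1 /usr/lib/systemd/systemd --switched-root --system',
);

# Buggy form: $needle is interpolated as a pattern, so "(", "[", "+", "."
# and friends are interpreted; an unbalanced "(" is a fatal runtime error.
sub matches_unescaped {
    my ($needle, @haystack) = @_;
    return scalar grep { $_ =~ /$needle/ } @haystack;
}

# Fixed form: \Q...\E applies quotemeta() to the interpolated text, so the
# command line is matched character-for-character. Equivalent explicit form:
#   my $re = quotemeta($needle); grep { $_ =~ /$re/ } @haystack
sub matches_escaped {
    my ($needle, @haystack) = @_;
    return scalar grep { $_ =~ /\Q$needle\E/ } @haystack;
}

# 1. Unescaped: dies with "Unmatched ( in regex; marked by <-- HERE ...",
#    which is exactly what aborted the "Checking process list" step.
my $count = eval { matches_unescaped($ps_line, @known) };
if ($@) {
    print "unescaped: regex compile failed: $@";
}
else {
    print "unescaped: $count match(es)\n";
}

# 2. Escaped: compiles, and matches the one identical line.
$count = matches_escaped($ps_line, @known);
print "escaped: $count match(es)\n";
```

The general lesson for any scanner that reads the process table, crontabs, or log lines: those strings are untrusted data, so anything spliced into a pattern must be escaped (or compared with `index()`/`eq` when an exact substring is all that is needed); otherwise a single legitimate daemon with metacharacters in its arguments, as here, is enough to abort the check before the rest of the scan runs.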

evrynet1 commented 2 years ago

@cPanelPeter on one yes we have KernelCare (xxx) and on the other one we don't.

cPanelPeter commented 2 years ago

Very strange. OK. Thank you. I will see what I can come up with. For now, you can just comment out the subroutine that checks suspicious processes. It may be a few days before I can get a fix out. This will require a bit more research.

evrynet1 commented 2 years ago

@cPanelPeter all right. If you need access to the servers I can open a ticket and send you the ticket number here. Thanks.

cPanelPeter commented 2 years ago

Hello,

I have released another version of CSI and have re-written the suspicious process subroutine. Please try this and let me know if you still see issues.

evrynet1 commented 2 years ago

Hey Peter. I tried this on 2 servers now (sadly don't have access to the other one anymore) and it seems to be okay now. I hope it will also work fine with AlmaLinux 8 too :)

Thank you once again.