Strange core-named files on hostbill, am I hacked?

Started by andika, March 21, 2017, 05:05:24 AM

andika

Hello,

I have noticed strange file names inside the hostbill folders. I have 5 core.x files in the hostbill home folder, e.g. core.2401, core.6010, etc. There are also 2 files with the same kind of name in the admin folder. Each file is 32-50 MB in size with permission rw (600). Is this normal? They are filled with binary code. Should I delete them?

hbillclient

Hi,

There are no such files in HB as far as I know, and this is quite strange. Since you also say it is binary code, I would suggest moving those files off the server to a safe location for any analysis later on.

I hope you have backups in place - just in case you are somehow hacked or something.

Thanks.

andika

I have moved them to a different folder. It's binary code inside; what could I analyze inside these files?

BRJP

I wonder if these are core dump files that are created on serious errors at a software or hardware level. They would be binary and very large, as it's a snapshot in time of all the information about what is going on when an event/error occurs. This is then used for analysis.

Have you had any serious issues that you remember?
Kind regards,
Bradley Porter
--------------------
Find out more about SaneChoice Services at: https://www.sanechoice.cloud/

andika

Quote from: BRJP on March 25, 2017, 05:28:52 PM
I wonder if these are core dump files that are created on serious errors at a software or hardware level. They would be binary and very large, as it's a snapshot in time of all the information about what is going on when an event/error occurs. This is then used for analysis.

Have you had any serious issues that you remember?

I just get them every day; looking on Google, they seem to be generated by errors. But generated by whom? By hostbill? I have recently updated the PHP version on the server from 5.4 to 5.6. Can this be the cause? How do I dig deeper? How can I read the dump file, since the binary file shows only nonsensical binary code?
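
The question of who generated a core file is answered by the file itself: a Linux core is an ELF file whose PT_NOTE segment carries an NT_PRPSINFO note with the crashing program's name, command line, pid and uid. The script below is an added example for this thread, not HostBill code or anything posted by the participants. It assumes ELF64 little-endian cores (x86_64 Linux) and uses the kernel's 64-bit struct elf_prpsinfo layout; the "php-fpm" sample it builds when run without arguments is a constructed stand-in, not a claim about what produced the files in this thread.

```python
"""Find out which program produced a Linux core file by reading its NT_PRPSINFO note.

Added example for this thread, not HostBill code. Assumes ELF64 little-endian cores
(x86_64 Linux); the field offsets below are the kernel's 64-bit struct elf_prpsinfo.
"""
import struct
import sys

ET_CORE = 4        # e_type of a core file
PT_NOTE = 4        # program header type carrying the notes
NT_PRPSINFO = 3    # note type: process info (name, args, pid, uid)


def _cstr(raw):
    """Decode a NUL-terminated fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_notes(data):
    """Yield (name, type, desc) for every note in every PT_NOTE segment of an ELF64 core."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    if e_type != ET_CORE:
        raise ValueError("not a core file (e_type=%d)" % e_type)
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_NOTE:
            continue
        seg = data[p_offset:p_offset + p_filesz]
        pos = 0
        while pos + 12 <= len(seg):
            namesz, descsz, ntype = struct.unpack_from("<III", seg, pos)
            pos += 12
            name = _cstr(seg[pos:pos + namesz])
            pos += (namesz + 3) & ~3          # note name and desc are 4-byte aligned
            desc = seg[pos:pos + descsz]
            pos += (descsz + 3) & ~3
            yield name, ntype, desc


def describe_core(data):
    """Return {fname, psargs, pid, ppid, uid, gid} from the NT_PRPSINFO note, or None."""
    for name, ntype, desc in parse_notes(data):
        if name == "CORE" and ntype == NT_PRPSINFO and len(desc) >= 136:
            uid, gid, pid, ppid = struct.unpack_from("<IIii", desc, 16)
            return {
                "fname": _cstr(desc[40:56]),    # pr_fname: basename of the executable
                "psargs": _cstr(desc[56:136]),  # pr_psargs: first 80 bytes of the command line
                "pid": pid, "ppid": ppid, "uid": uid, "gid": gid,
            }
    return None


def build_sample_core(fname, psargs, pid, uid):
    """Constructed stand-in for a real core: ELF64 header + one PT_NOTE holding NT_PRPSINFO."""
    desc = bytearray(136)
    desc[1] = ord("R")                      # pr_sname: state letter, as shown by ps
    struct.pack_into("<IIiiii", desc, 16, uid, uid, pid, 1, pid, pid)
    desc[40:40 + len(fname)] = fname.encode()
    desc[56:56 + len(psargs)] = psargs.encode()
    note = struct.pack("<III", 5, len(desc), NT_PRPSINFO) + b"CORE\0\0\0\0" + bytes(desc)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
            + struct.pack("<HHIQQQIHHHHHH", ET_CORE, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0))
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, 64 + 56, 0, 0, len(note), len(note), 4)
    return ehdr + phdr + note


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No file given: show what the parser reports on the constructed sample.
        print(describe_core(build_sample_core("php-fpm", "php-fpm: pool www", 2401, 1000)))
    for p in paths:
        with open(p, "rb") as f:
            print(p, describe_core(f.read()))
```

Run it as `python3 coreinfo.py core.2401 core.6010` (the script name is hypothetical). The same note is what `file core.2401` summarises as "from '...'", what `readelf -n core.2401` dumps in full, and what `gdb -c core.2401` prints as "Core was generated by ...". Once the name is known, the next things to check are `/proc/sys/kernel/core_pattern` (which decides where cores land and explains why they appear in the working directory of the crashing process) and the core size limit of that process (`ulimit -c` for a shell, `rlimit_core` in a php-fpm pool). One caveat: a core is a copy of the process's memory, so a dump of a web application worker can contain the database credentials, session data and customer records it had loaded; that is why the 0600 mode matters and why the files should not stay anywhere under the web root.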

tallship

Quite odd... Core files are usually OS- and kernel-related dumps, while HostBill is basically just a PHP script, so yes, I would tend to concur with @BRJP, and I recommend looking at integrating something like:

1.) https://github.com/Tripwire/tripwire-open-source (https://en.wikipedia.org/wiki/Open_Source_Tripwire)

2.) http://aide.sourceforge.net/

3.) http://la-samhna.de/samhain/

4.) http://people.redhat.com/sgrubb/audit/

5.) http://temasoft.com/products/filemonitor/

kfsmd still works well too, although it's rather dated. Here's some additional reading for inotify and kfsmd, etc., that you can follow along with to glean whether this is a tool for your particular situation:

http://unix.stackexchange.com/questions/12247/linux-file-access-monitoring

https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/

http://inotify.aiken.cz/?section=incron&page=about&lang=en

http://stackoverflow.com/questions/4205815/monitoring-file-and-directory-access-on-linux

https://gist.github.com/mikesmullin/6401258

https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/

You should already be running something like Samhain and/or OSSEC on your machine anyway.

I hope that helps :)
Bradley D. Thornton - Manager Network Services, NorthTech Computer   TEL: +1.310.388.9469 (US) | +44.203.318.2755 (UK) | +61.390.088.072 (AU) | +41.43.508.05.10 (CH)
Registered Linux User #190795 - "Ask Bill why the string in [MS-DOS] function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that." - Dr. Gary Kildall.
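
All of the tools listed above work on the same principle: record a hash and metadata for every file in the tree, store that baseline somewhere the attacker cannot rewrite it, and periodically report what appeared, vanished or changed. The script below is an added example showing that mechanism on a directory like the one in this thread; it is not code from Tripwire, AIDE, Samhain or HostBill. It assumes a directory to watch and a path for the JSON baseline, and the `init`/`check` subcommands are its own invention.

```python
"""Hash-baseline file integrity check, the mechanism behind Tripwire, AIDE and Samhain.

Added example for this thread, not code from any of the tools linked above. Assumes a
directory tree to watch and a writable path (outside that tree) for the JSON baseline.
"""
import hashlib
import json
import os
import stat
import sys


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to its hash, size, mode and owner."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # deterministic order, easier to diff by eye
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                continue
            snap[os.path.relpath(full, root)] = {
                "sha256": _sha256(full),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
            }
    return snap


def compare(baseline, current):
    """Report files that appeared, disappeared, or whose content or metadata changed."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def write_baseline(root, path):
    snap = snapshot(root)
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)
    return snap


def check(root, path):
    with open(path) as f:
        baseline = json.load(f)
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    # usage (hypothetical script name): fim.py init|check <dir> <baseline.json>
    cmd, root, path = sys.argv[1:4]
    if cmd == "init":
        print("baselined %d files" % len(write_baseline(root, path)))
    else:
        report = check(root, path)
        for kind in ("added", "removed", "changed"):
            for p in report[kind]:
                print(kind, p)
```

Against the situation in this thread, a daily `check` run from cron would have reported `added core.2401` the morning it appeared, and would equally report a modified `index.php` or a new PHP file dropped into the admin folder. The weak point of any such scheme is the baseline itself: if it sits on the same host with the same permissions as the files it protects, whoever can modify the files can also regenerate it. Keep it off-host or on read-only media; Open Source Tripwire signs its database with a site key for exactly this reason, and the HIDS tools mentioned above ship the report off the box.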

andika

Quote from: tallship on April 04, 2017, 05:39:28 PM
Quite odd... Core files are usually OS- and kernel-related dumps, while HostBill is basically just a PHP script, so yes, I would tend to concur with @BRJP, and I recommend looking at integrating something like:

1.) https://github.com/Tripwire/tripwire-open-source (https://en.wikipedia.org/wiki/Open_Source_Tripwire)

2.) http://aide.sourceforge.net/

3.) http://la-samhna.de/samhain/

4.) http://people.redhat.com/sgrubb/audit/

5.) http://temasoft.com/products/filemonitor/

kfsmd still works well too, although it's rather dated. Here's some additional reading for inotify and kfsmd, etc., that you can follow along with to glean whether this is a tool for your particular situation:

http://unix.stackexchange.com/questions/12247/linux-file-access-monitoring

https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/

http://inotify.aiken.cz/?section=incron&page=about&lang=en

http://stackoverflow.com/questions/4205815/monitoring-file-and-directory-access-on-linux

https://gist.github.com/mikesmullin/6401258

https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/

You should already be running something like Samhain and/or OSSEC on your machine anyway.

I hope that helps :)

Thank you, I will try that.