Understanding the audit log [on hold] The Next CEO of Stack OverflowHow do I configure SELinux to allow outbound connections from a CGI script?How to interpret the “saddr” field of an audit log?File path in audit log instead of inode numberLinux ssh log auditHow to disable useless “audit success” log entries in dmesgUndocumented format of Linux Audit log recordsViewing relevant information about file accesses from the audit logConfiguring Solaris 11 AuditHostname in the audit reports not shownWhat is the Windows equivalent of 'Audit log cleared' event in Unix/Linux?

Does the Idaho Potato Commission associate potato skins with healthy eating?

what's the use of '% to gdp' type of variables?

Can someone explain this formula for calculating Manhattan distance?

Calculate the Mean mean of two numbers

Defamation due to breach of confidentiality

What is the difference between "hamstring tendon" and "common hamstring tendon"?

Can I board the first leg of the flight without having final country's visa?

Computationally populating tables with probability data

How to avoid supervisors with prejudiced views?

Is fine stranded wire ok for main supply line?

Expectation in a stochastic differential equation

Traveling with my 5 year old daughter (as the father) without the mother from Germany to Mexico

Is it ok to trim down a tube patch?

Inexact numbers as keys in Association?

What does "shotgun unity" refer to here in this sentence?

What was Carter Burke's job for "the company" in Aliens?

What CSS properties can the br tag have?

A question about free fall, velocity, and the height of an object.

Spaces in which all closed sets are regular closed

Airplane gently rocking its wings during whole flight

Is there an equivalent of cd - for cp or mv

Is there such a thing as a proper verb, like a proper noun?

Is French Guiana a (hard) EU border?

Do scriptures give a method to recognize a truly self-realized person/jivanmukta?



Understanding the audit log [on hold]



The Next CEO of Stack OverflowHow do I configure SELinux to allow outbound connections from a CGI script?How to interpret the “saddr” field of an audit log?File path in audit log instead of inode numberLinux ssh log auditHow to disable useless “audit success” log entries in dmesgUndocumented format of Linux Audit log recordsViewing relevant information about file accesses from the audit logConfiguring Solaris 11 AuditHostname in the audit reports not shownWhat is the Windows equivalent of 'Audit log cleared' event in Unix/Linux?










0















I need to understand the log below, my index.php got obfuscated with the following code, the file permissions changed from 644 to 755 as well.



I've got something in my audit but can't really tell what and how it happened, I was hoping for the actual way. The file got edited (obfuscated code inserted and chmod changed), log is below.



----
time->Sun Mar 31 17:19:20 2019
type=PROCTITLE msg=audit(1554067160.319:12831615): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067160.319:12831615): item=0 name="/home/usersite/public_html/index.php" inode=576615421 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067160.319:12831615): cwd="/home/usersite"
type=SYSCALL msg=audit(1554067160.319:12831615): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae5540 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13524 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:20 2019
type=PROCTITLE msg=audit(1554067160.335:12831626): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067160.335:12831626): item=0 name="/home/usersite/public_html/index.php" inode=576615421 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067160.335:12831626): cwd="/home/usersite"
type=SYSCALL msg=audit(1554067160.335:12831626): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae5540 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13526 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:20 2019
type=PROCTITLE msg=audit(1554067160.996:12832312): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067160.996:12832312): item=0 name="/home/usersite/public_html/index.php" inode=576615421 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067160.996:12832312): cwd="/home/usersite"
type=SYSCALL msg=audit(1554067160.996:12832312): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae5540 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13531 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:23 2019
type=PROCTITLE msg=audit(1554067163.223:12837949): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067163.223:12837949): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067163.223:12837949): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067163.223:12837949): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13531 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.162:12834748): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.162:12834748): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.162:12834748): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.162:12834748): arch=c000003e syscall=2 success=yes exit=6 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13531 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.162:12834749): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.162:12834749): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.162:12834749): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.162:12834749): arch=c000003e syscall=2 success=yes exit=6 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13526 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.700:12836618): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.700:12836618): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.700:12836618): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.700:12836618): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13541 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.733:12836797): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.733:12836797): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.733:12836797): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.733:12836797): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13540 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.766:12836929): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.766:12836929): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.766:12836929): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.766:12836929): arch=c000003e syscall=2 success=yes exit=6 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13524 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----





centos logs audit malware







share|improve this question















put on hold as off-topic by slm 2 days ago


This question appears to be off-topic. The users who voted to close gave this specific reason:


  • "Questions describing a problem that can't be reproduced and seemingly went away on its own (or went away when a typo was fixed) are off-topic as they are unlikely to help future readers." – slm
If this question can be reworded to fit the rules in the help center, please edit the question.











  • 1





    The @include string reads, after decoding the nnn codes as octal ASCII codes, /home/wrtsdavie/public_html/wp-content/upgrade/.b16b41d4.ico.

    – Kusalananda
    2 days ago











  • Hey @Kusalananda thanks, I've found that file and removed it. The question is how the file got modified, I had the audit rule running on that index.php as you can see.

    – evul
    2 days ago











  • Ufh, it looks like my audit happened after the file was changed. Figured out by using stat on index.php file. Thanks everyone

    – evul
    2 days ago















0















I need to understand the log below, my index.php got obfuscated with the following code, the file permissions changed from 644 to 755 as well.



I've got something in my audit but can't really tell what and how it happened, I was hoping for the actual way. The file got edited (obfuscated code inserted and chmod changed), log is below.



----
time->Sun Mar 31 17:19:20 2019
type=PROCTITLE msg=audit(1554067160.319:12831615): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067160.319:12831615): item=0 name="/home/usersite/public_html/index.php" inode=576615421 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067160.319:12831615): cwd="/home/usersite"
type=SYSCALL msg=audit(1554067160.319:12831615): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae5540 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13524 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:20 2019
type=PROCTITLE msg=audit(1554067160.335:12831626): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067160.335:12831626): item=0 name="/home/usersite/public_html/index.php" inode=576615421 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067160.335:12831626): cwd="/home/usersite"
type=SYSCALL msg=audit(1554067160.335:12831626): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae5540 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13526 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:20 2019
type=PROCTITLE msg=audit(1554067160.996:12832312): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067160.996:12832312): item=0 name="/home/usersite/public_html/index.php" inode=576615421 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067160.996:12832312): cwd="/home/usersite"
type=SYSCALL msg=audit(1554067160.996:12832312): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae5540 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13531 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:23 2019
type=PROCTITLE msg=audit(1554067163.223:12837949): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067163.223:12837949): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067163.223:12837949): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067163.223:12837949): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13531 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.162:12834748): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.162:12834748): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.162:12834748): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.162:12834748): arch=c000003e syscall=2 success=yes exit=6 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13531 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.162:12834749): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.162:12834749): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.162:12834749): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.162:12834749): arch=c000003e syscall=2 success=yes exit=6 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13526 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.700:12836618): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.700:12836618): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.700:12836618): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.700:12836618): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13541 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.733:12836797): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.733:12836797): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.733:12836797): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.733:12836797): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13540 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.766:12836929): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.766:12836929): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.766:12836929): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.766:12836929): arch=c000003e syscall=2 success=yes exit=6 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13524 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----





centos logs audit malware







share|improve this question















put on hold as off-topic by slm 2 days ago


This question appears to be off-topic. The users who voted to close gave this specific reason:


  • "Questions describing a problem that can't be reproduced and seemingly went away on its own (or went away when a typo was fixed) are off-topic as they are unlikely to help future readers." – slm
If this question can be reworded to fit the rules in the help center, please edit the question.











  • 1





    The @include string reads, after decoding the nnn codes as octal ASCII codes, /home/wrtsdavie/public_html/wp-content/upgrade/.b16b41d4.ico.

    – Kusalananda
    2 days ago











  • Hey @Kusalananda thanks, I've found that file and removed it. The question is how the file got modified, I had the audit rule running on that index.php as you can see.

    – evul
    2 days ago











  • Ufh, it looks like my audit happened after the file was changed. Figured out by using stat on index.php file. Thanks everyone

    – evul
    2 days ago













0












0








0








I need to understand the log below, my index.php got obfuscated with the following code, the file permissions changed from 644 to 755 as well.



I've got something in my audit but can't really tell what and how it happened, I was hoping for the actual way. The file got edited (obfuscated code inserted and chmod changed), log is below.



----
time->Sun Mar 31 17:19:20 2019
type=PROCTITLE msg=audit(1554067160.319:12831615): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067160.319:12831615): item=0 name="/home/usersite/public_html/index.php" inode=576615421 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067160.319:12831615): cwd="/home/usersite"
type=SYSCALL msg=audit(1554067160.319:12831615): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae5540 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13524 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:20 2019
type=PROCTITLE msg=audit(1554067160.335:12831626): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067160.335:12831626): item=0 name="/home/usersite/public_html/index.php" inode=576615421 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067160.335:12831626): cwd="/home/usersite"
type=SYSCALL msg=audit(1554067160.335:12831626): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae5540 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13526 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:20 2019
type=PROCTITLE msg=audit(1554067160.996:12832312): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067160.996:12832312): item=0 name="/home/usersite/public_html/index.php" inode=576615421 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067160.996:12832312): cwd="/home/usersite"
type=SYSCALL msg=audit(1554067160.996:12832312): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae5540 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13531 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:23 2019
type=PROCTITLE msg=audit(1554067163.223:12837949): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067163.223:12837949): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067163.223:12837949): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067163.223:12837949): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13531 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.162:12834748): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.162:12834748): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.162:12834748): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.162:12834748): arch=c000003e syscall=2 success=yes exit=6 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13531 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.162:12834749): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.162:12834749): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.162:12834749): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.162:12834749): arch=c000003e syscall=2 success=yes exit=6 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13526 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.700:12836618): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.700:12836618): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.700:12836618): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.700:12836618): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13541 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.733:12836797): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.733:12836797): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.733:12836797): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.733:12836797): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13540 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.766:12836929): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.766:12836929): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.766:12836929): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.766:12836929): arch=c000003e syscall=2 success=yes exit=6 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13524 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----





centos logs audit malware







share|improve this question
















I need to understand the log below, my index.php got obfuscated with the following code, the file permissions changed from 644 to 755 as well.



I've got something in my audit but can't really tell what and how it happened, I was hoping for the actual way. The file got edited (obfuscated code inserted and chmod changed), log is below.



----
time->Sun Mar 31 17:19:20 2019
type=PROCTITLE msg=audit(1554067160.319:12831615): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067160.319:12831615): item=0 name="/home/usersite/public_html/index.php" inode=576615421 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067160.319:12831615): cwd="/home/usersite"
type=SYSCALL msg=audit(1554067160.319:12831615): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae5540 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13524 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:20 2019
type=PROCTITLE msg=audit(1554067160.335:12831626): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067160.335:12831626): item=0 name="/home/usersite/public_html/index.php" inode=576615421 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067160.335:12831626): cwd="/home/usersite"
type=SYSCALL msg=audit(1554067160.335:12831626): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae5540 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13526 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:20 2019
type=PROCTITLE msg=audit(1554067160.996:12832312): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067160.996:12832312): item=0 name="/home/usersite/public_html/index.php" inode=576615421 dev=09:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067160.996:12832312): cwd="/home/usersite"
type=SYSCALL msg=audit(1554067160.996:12832312): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae5540 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13531 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:23 2019
type=PROCTITLE msg=audit(1554067163.223:12837949): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067163.223:12837949): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067163.223:12837949): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067163.223:12837949): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13531 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.162:12834748): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.162:12834748): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.162:12834748): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.162:12834748): arch=c000003e syscall=2 success=yes exit=6 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13531 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.162:12834749): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.162:12834749): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.162:12834749): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.162:12834749): arch=c000003e syscall=2 success=yes exit=6 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13526 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.700:12836618): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.700:12836618): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.700:12836618): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.700:12836618): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13541 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.733:12836797): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.733:12836797): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.733:12836797): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.733:12836797): arch=c000003e syscall=2 success=yes exit=5 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13540 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----
time->Sun Mar 31 17:19:22 2019
type=PROCTITLE msg=audit(1554067162.766:12836929): proctitle=7068702D66706D3A20706F6F6C207765726F636B746865737065637472756D6B6174795F636F6D
type=PATH msg=audit(1554067162.766:12836929): item=0 name="/home/usersite/public_html/wp-content/themes/twentythirteen/index.php" inode=1135033766 dev=09:01 mode=0100644 ouid=1121 ogid=1123 rdev=00:00 obj=system_u:object_r:home_root_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1554067162.766:12836929): cwd="/home/usersite/public_html"
type=SYSCALL msg=audit(1554067162.766:12836929): arch=c000003e syscall=2 success=yes exit=6 a0=7ffea4ae3260 a1=0 a2=1b6 a3=4 items=1 ppid=9239 pid=13524 auid=4294967295 uid=1121 gid=1123 euid=1121 suid=1121 fsuid=1121 egid=1123 sgid=1123 fsgid=1123 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php70/root/usr/sbin/php-fpm" subj=system_u:system_r:unconfined_service_t:s0 key="monitor-hosts"
----





centos logs audit malware




centos logs audit malware






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 4 hours ago







evul

















asked 2 days ago









evulevul

12




12




put on hold as off-topic by slm 2 days ago


This question appears to be off-topic. The users who voted to close gave this specific reason:


  • "Questions describing a problem that can't be reproduced and seemingly went away on its own (or went away when a typo was fixed) are off-topic as they are unlikely to help future readers." – slm
If this question can be reworded to fit the rules in the help center, please edit the question.







put on hold as off-topic by slm 2 days ago


This question appears to be off-topic. The users who voted to close gave this specific reason:


  • "Questions describing a problem that can't be reproduced and seemingly went away on its own (or went away when a typo was fixed) are off-topic as they are unlikely to help future readers." – slm
If this question can be reworded to fit the rules in the help center, please edit the question.







  • 1





    The @include string reads, after decoding the nnn codes as octal ASCII codes, /home/wrtsdavie/public_html/wp-content/upgrade/.b16b41d4.ico.

    – Kusalananda
    2 days ago











  • Hey @Kusalananda thanks, I've found that file and removed it. The question is how the file got modified, I had the audit rule running on that index.php as you can see.

    – evul
    2 days ago











  • Ufh, it looks like my audit happened after the file was changed. Figured out by using stat on index.php file. Thanks everyone

    – evul
    2 days ago












  • 1





    The @include string reads, after decoding the nnn codes as octal ASCII codes, /home/wrtsdavie/public_html/wp-content/upgrade/.b16b41d4.ico.

    – Kusalananda
    2 days ago











  • Hey @Kusalananda thanks, I've found that file and removed it. The question is how the file got modified, I had the audit rule running on that index.php as you can see.

    – evul
    2 days ago











  • Ufh, it looks like my audit happened after the file was changed. Figured out by using stat on index.php file. Thanks everyone

    – evul
    2 days ago







1




1





The @include string reads, after decoding the nnn codes as octal ASCII codes, /home/wrtsdavie/public_html/wp-content/upgrade/.b16b41d4.ico.

– Kusalananda
2 days ago





The @include string reads, after decoding the nnn codes as octal ASCII codes, /home/wrtsdavie/public_html/wp-content/upgrade/.b16b41d4.ico.

– Kusalananda
2 days ago













Hey @Kusalananda thanks, I've found that file and removed it. The question is how the file got modified, I had the audit rule running on that index.php as you can see.

– evul
2 days ago





Hey @Kusalananda thanks, I've found that file and removed it. The question is how the file got modified, I had the audit rule running on that index.php as you can see.

– evul
2 days ago













Ufh, it looks like my audit happened after the file was changed. Figured out by using stat on index.php file. Thanks everyone

– evul
2 days ago





Ufh, it looks like my audit happened after the file was changed. Figured out by using stat on index.php file. Thanks everyone

– evul
2 days ago










0






active

oldest

votes

















0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes

-

Popular posts from this blog

getting Checkpoint VPN SSL Network Extender working in the command lineHow to connect to CheckPoint VPN on Ubuntu 18.04LTS?Will the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayVPN SSL Network Extender in FirefoxLinux Checkpoint SNX tool configuration issuesCheck Point - Connect under Linux - snx + OTPSNX VPN Ububuntu 18.XXUsing Checkpoint VPN SSL Network Extender CLI with certificateVPN with network manager (nm-applet) is not workingWill the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayImport VPN config files to NetworkManager from command lineTrouble connecting to VPN using network-manager, while command line worksStart a VPN connection with PPTP protocol on command linestarting a docker service daemon breaks the vpn networkCan't connect to vpn with Network-managerVPN SSL Network Extender in FirefoxUsing Checkpoint VPN SSL Network Extender CLI with certificate

Image
If human space travel is limited by the G force vulnerability, is there a way to counter G forces? Did Shadowfax go to Valinor? Do I have a twin with permutated remainders? Blender 2.8 I can't see vertices, edges or faces in edit mode 1960's book about a plague that kills all white people How can I make my BBEG immortal short of making them a Lich or Vampire? Alternative to sending password over mail? Is it inappropriate for a student to attend their mentor's dissertation defense? Why is Collection not simply treated as Collection<?> Took a trip to a parallel universe, need help deciphering Assassin's bullet with mercury Why is it a bad idea to hire a hitman to eliminate most corrupt politicians? I Accidentally Deleted a Stock Terminal Theme Is there a hemisphere-neutral way of specifying a season? What about the virus in 12 Monkeys? Why can't we play rap on piano? Arrow those variables! Today is the Center Modeling an IP Ad...
Read more

Cannot Extend partition with GParted The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) 2019 Community Moderator Election ResultsCan't increase partition size with GParted?GParted doesn't recognize the unallocated space after my current partitionWhat is the best way to add unallocated space located before to Ubuntu 12.04 partition with GParted live?I can't figure out how to extend my Arch home partition into free spaceGparted Linux Mint 18.1 issueTrying to extend but swap partition is showing as Unknown in Gparted, shows proper from fdiskRearrange partitions in gparted to extend a partitionUnable to extend partition even though unallocated space is next to it using GPartedAllocate free space to root partitiongparted: how to merge unallocated space with a partition

Image
Make it rain characters Keeping a retro style to sci-fi spaceships? How to split my screen on my Macbook Air? How can I define good in a religion that claims no moral authority? does high air pressure throw off wheel balance? Scientific Reports - Significant Figures Relations between two reciprocal partial derivatives? How to delete random line from file using Unix command? How did passengers keep warm on sail ships? How are presidential pardons supposed to be used? Are my PIs rude or am I just being too sensitive? He got a vote 80% that of Emmanuel Macron’s Change bounding box of math glyphs in LuaTeX Match Roman Numerals Was credit for the black hole image misattributed? How to pronounce 1ターン? how can a perfect fourth interval be considered either consonant or dissonant? Working through the single responsibility principle (SRP) in Python when calls are expensive High Q peak in frequency response means what in time domain? ...
Read more

Marilyn Monroe Ny fiainany manokana | Jereo koa | Meny fitetezanafanitarana azy.

Image
OlonaBiôgrafiaVangovangoMpilalaoMpilalao amin'ny horonantsaryMpamoaka horonantsaryTeraka tamin'ny taona 1926Maty tamin'ny taona 1962 EtazoniaLos Angeles fanitarana azy . Marilyn Monroe Avy amin'i Wikipedia Sauter à la navigation Sauter à la recherche Marilyn Monroe Ankapobeny Anarana Marilyn Monroe Teraka 1 Jiona 1926 Maty 5 Aogositra 1962 Fiaviana sy ny andraikitra Firenena Etazonia Asa : mpilalao mpilalao amin'ny horonantsary mpamoaka horonantsary Fiainana manokana Marilyn Monroe dia mpilalao, mpilalao amin'ny horonantsary, mpamoaka horonantsary mizaka ny zom-pirenen'i Etazonia teraka ny 1 Jiona 1926 tao Los Angeles ary maty ny 5 Aogositra 1962 Ny fiainany manokana | Ny vadiny dia James Dougherty, Joe DiMaggio, Arthur Miller. Jereo koa | Biôgrafia Rohy ivelany | Ao amin'i Freebase: [1] Mbola ambangovangony ity lahatsoratra ity ary tokony hofenoina . Azonao atao ny mandray anjara eto amin'ny Wikipedia amin...
Read more