Cpanel servers + Finding immutable files and directories

If you manage cPanel servers and find that many accounts contain immutable files, you can use the commands below to locate them and clear the attribute.

As you know, a cPanel user cannot make files and directories immutable, so the only remaining possibility is that hackers set the attribute.

If you are a system administrator or own a cPanel server, you must have seen this error while removing a cPanel account:

The "cpanel_username" account can not be removed because an administrator has set one of the user's directories as "immutable", meaning it can not be deleted:

Thus, while the files and directories remain immutable, even root cannot delete them until the attribute is removed.

-----

find /home/username -type d -exec lsattr -d {} + | grep -E '^\S*[uia]\S* '

-----


The above command lists every directory under the account's home whose attribute column (the first field of the lsattr output) contains 'i' (immutable), 'a' (append-only) or 'u' (undeletable).

Users cannot set the 'i' or 'a' attributes on files and directories; this must be done by someone with the capabilities of the root user, such as a system administrator or an attacker who has gained root privileges.

If you suspect the server has been compromised and need to do a full scan of every account:


--

find /home -path /home/virtfs -prune -o -type d -exec lsattr -d {} + | grep -E '^\S*[uia]\S* '


----i--------e- /home/user1/public_html/wp-content/themes/small-business/inc/images
----i--------e- /home/user2/public_html/wp-content/themes/vantage/fontawesome
----i--------e- /home/user3/public_html/wp-content/themes/vantage/extras/settings/js
----i--------e- /home/user4/public_html/wp-content/themes/full-frame/css
----i--------e- /home/user5/public_html/wp-content/themes/asteria-lite/redux/inc/fields/image_select
----i--------e- /home/user6/public_html/wp-content/themes/colorway/images
--


The above runs the same check across every account under /home; the "-path /home/virtfs -prune" part skips the virtfs directory, which holds cPanel's jailshell bind mounts rather than user data.


Find immutable directories:

find /home -path /home/virtfs -prune -o -type d -exec lsattr -d {} + | grep -E '^\S*[uia]\S* '

Find immutable files:

find /home -path /home/virtfs -prune -o -type f -exec lsattr {} + | grep -E '^\S*[uia]\S* '


To terminate any of these accounts, you must first remove any immutable, append-only, or undeletable attributes from the user's files and directories.

You can simply run "chattr -iau path" to remove the 'i' (immutable), 'a' (append-only) and 'u' (undeletable) attributes.
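As an added example that is not part of the original post, the following POSIX shell script ties the steps above together: it filters lsattr output for the i, a and u attributes, counts hits per cPanel account, and clears them with chattr in dry-run or apply mode. The /home/<account> layout, the /home/virtfs exclusion and running as root are assumptions, and the sample lsattr lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find entries under cPanel home
# directories with the i (immutable), a (append-only) or u (undeletable)
# attribute, count them per account, and clear them with chattr. Assumes
# accounts live under /home/<account>, skips /home/virtfs, and runs as root.

# Keep only lsattr lines whose attribute column (first field) contains i, a or u.
filter_locked_attrs() {
    grep -E '^[^ ]*[iau][^ ]* '
}

# From lsattr lines on stdin, print "account<TAB>count" per cPanel account,
# taking the account name from the path component after /home/.
count_by_account() {
    filter_locked_attrs | awk '{
        path = substr($0, index($0, " ") + 1)      # everything after the attributes
        n = split(path, parts, "/")
        if (n >= 3 && parts[2] == "home") acct[parts[3]]++
    } END { for (a in acct) printf "%s\t%d\n", a, acct[a] }' | sort
}

# Run lsattr over every file and directory below /home except /home/virtfs.
scan_home() {
    find /home -path /home/virtfs -prune -o \( -type d -o -type f \) \
        -exec lsattr -d {} + 2>/dev/null | filter_locked_attrs
}

# Clear i, a and u from each lsattr line on stdin. Only the argument "apply"
# runs chattr; any other mode just prints what would be run.
clear_attrs() {
    mode="${1:-dryrun}"
    while IFS= read -r line; do
        path="${line#* }"                          # drop the attribute column
        if [ "$mode" = "apply" ]; then
            chattr -iau -- "$path"
        else
            printf 'would run: chattr -iau -- %s\n' "$path"
        fi
    done
}

# Constructed lsattr output so the parsing steps can be tried without root.
SAMPLE_LSATTR='----i--------e- /home/user1/public_html/wp-content/uploads
-------------e- /home/user1/public_html/index.php
-----a-------e- /home/user2/public_html/.htaccess
----i--------e- /home/user2/public_html/wp-content/themes/vantage/fontawesome'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LSATTR" | count_by_account
    printf '%s\n' "$SAMPLE_LSATTR" | filter_locked_attrs | clear_attrs dryrun
fi
```

On a live server, "scan_home | clear_attrs dryrun" shows what would be changed and "scan_home | clear_attrs apply" performs the removal.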

If you are not aware that these attributes were set by a legitimate administrator of the server, the right thing to do is to treat the server as compromised at the root level by a malicious attacker, because the attacker may have set these attributes to prevent removal of malware installed on the web sites.