Phusion_Passenger: is this part of the installation or should I be concerned?

Discussion in 'Server Operation' started by lonerunner, May 29, 2020.

  1. lonerunner

    lonerunner Member

    Recently one of the WordPress websites got hijacked and started sending phishing emails, so I started digging to see if there was something else going on besides that website's template getting hacked.

    So I stumbled upon a folder created by Apache in /tmp:

    Code:
    /tmp/systemd-private-1d38464aaf6145b2aa0544ebf14e188c-apache2.service-W4xLnU/tmp/passenger.T6VSLcs
    And inside that folder there is content that looks a little concerning to me, especially passwords stored in .txt files.

    [attached screenshot: Annotation 2020-05-29 044818.png]

    I was able to read the .json file and it mentions something called passenger.

    When I was setting up this server I followed the guide "The Perfect Server - Debian 9 (Stretch) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.1".

    I don't remember ever installing or setting up something like this on the server. Looking on Google I found this and a few other bits of info.

    So should I be concerned about having something on my server that I shouldn't have, or is this something that gets installed at some point alongside Apache or ISPConfig and is needed for the server to function properly?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    While passenger in general is a normal service, running a passenger server is not part of a normal ISPConfig system. But it might belong to other software you installed. Which Linux user owns the folder /tmp/systemd-private-1d38464aaf6145b2aa0544ebf14e188c-apache2.service-W4xLnU ?
     
  3. lonerunner

    lonerunner Member

    The folder is owned by "root". I didn't install any other software outside the guide I followed, so I don't think it should be installed if it's not part of the ISPConfig system. The only other thing installed is DigitalOcean Monitoring, but I doubt they would install this into the Apache service.

    I took a risk and uninstalled it. Something else suspicious is that although I disabled the user of the hacked website, in the process list I can still see it running something like this:

    Code:
    perl /tmp/emu
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Kill the process and check the crontab of that user with:

    Code:
    crontab -u username -e
    if they added a cronjob. Replace username with the user that runs that Perl process.
     
  5. lonerunner

    lonerunner Member

    You are correct, I checked and there is indeed a crontab. It cannot run anymore as I deleted the user and uninstalled passenger, but I can't understand how such a breach could have been made; I thought it was more secure.
    Code:
    */12 * * * * perl /var/tmp/tyLaisGEh >/dev/null 2>&1
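    The two checks suggested above (kill the user's processes, list the user's crontab) combined into one triage script. This is an added example written for this page, not something posted in the thread and not part of ISPConfig. It flags the shape found in this thread: a cron entry or a running process that executes a script dropped into a world-writable temp directory (/tmp, /var/tmp, /dev/shm), which a site's legitimate cron job has no reason to do. It assumes it is run as root on a Debian-style host with procps `ps`, `pkill` and the standard `crontab`; the user name `web1` in the usage line is made up.

```shell
#!/bin/sh
# Added example, not from the thread: triage one Linux (site) user after a
# CMS compromise. Assumptions: POSIX sh, procps ps/pkill, run as root so that
# "crontab -u" and "ps -u" may inspect another user's state.

# Print every non-comment line whose command runs something under a temp
# directory. Reads lines from stdin; exit status 1 when nothing matched
# (plain grep semantics), so callers that only want a report add "|| true".
flag_tmp_exec() {
    grep -E '^[^#]*[[:space:]](/tmp|/var/tmp|/dev/shm)/'
}

# Report suspicious cron entries, processes and temp files for one user.
# Usage: triage_user web1
triage_user() {
    user="$1"

    echo "== crontab entries for $user pointing into temp directories =="
    # "-l" lists the crontab instead of opening an editor, so the output can
    # be kept as evidence; a user without a crontab is not an error here.
    crontab -u "$user" -l 2>/dev/null | flag_tmp_exec || true

    echo "== processes of $user executing from temp directories =="
    # "pid=" and "args=" suppress the header line so the output pipes as-is.
    ps -u "$user" -o pid=,args= 2>/dev/null | flag_tmp_exec || true

    echo "== files in the temp directories owned by $user =="
    find /tmp /var/tmp /dev/shm -xdev -user "$user" 2>/dev/null
}

# Kill every process of the user. Copy the scripts it was running first;
# they are the evidence of what the site was doing. Refuses to act on root.
stop_user_processes() {
    [ "$1" != root ] || { echo "refusing to kill root's processes" >&2; return 1; }
    pkill -KILL -u "$1"
}
```

    Run `triage_user` first and save its output, then `stop_user_processes`, then remove the crontab with `crontab -u username -r` (or edit it with `-e` as suggested above) before re-enabling the site, otherwise the `*/12` entry simply restarts the process twelve minutes later.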
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no actual breach of your server; it's just a breach of the CMS, and the user that runs that site is running a few processes, that's all. Probably caused by a vulnerable WordPress plugin. The passenger process is probably not related to this issue at all; you just stumbled on it while checking the server. If the security of the server were not good, then all other sites would be affected, but ISPConfig separates sites by running each under a different user, which is why the other parts and websites of the server were not affected by the whole issue.
     
  7. lonerunner

    lonerunner Member

    This is not ISPConfig related but more of a hosting question. Shouldn't users be forbidden from running cronjobs like this, or from installing any modules / making config changes? The hacked website was used to redirect to some phishing link and send tons of spam emails. Since I killed the user and uninstalled passenger, the emails have stopped. Before removing it, I followed the guide, and the passenger config file was created on the 27th, which is about the time the website got hacked. Would this mean that the hacker somehow got access further into the server?
     
  8. lonerunner

    lonerunner Member

    Update: I just set up a new VPS out of curiosity and followed this guide https://www.howtoforge.com/tutorial...-stretch-apache-bind-dovecot-ispconfig-3-1/3/ and somewhere along the guide something installs Phusion_Passenger, as when I checked after completing everything in the guide, phusion_passenger was installed. You are correct that it was not installed by the hacker and I don't need to worry about that. But something in the guide installs it.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Might be that it's a dependency from one of the components then, so nothing to worry about.
     
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    On Debian GNU/Linux you can find out which package passenger is a reverse dependency of, in other words, which package or packages caused the installation of passenger:
    Code:
    # apt-cache rdepends --installed passenger
    passenger
    Reverse Depends:
      libapache2-mod-passenger
     
