Suspicious Process: entropychat WHM/cPanel


We recently bought a new WHM/cPanel server, and once it was set up we started getting emails about a suspicious process, which instantly caused panic, as you might expect. The suspicious process was apparently called entropychat. Not knowing what it was, I started searching the internet to find out what it did, where it lived and how to remove it. Here is the cPanel email we were receiving:

Time: Fri Oct 9 12:00:15 2015 +0100
PID: 24607 (Parent PID:24607)
Account: nobody
Uptime: 116104 seconds

Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl

Command Line (often faked in exploits):
entropychat

Network connections by the process (if any):
tcp: 0.0.0.0:2084 -> 0.0.0.0:0

Files open by the process (if any):

Memory maps by the process (if any):

It turns out entropychat is part of cPanel itself. It is widely known, not for being suspicious, but for being very insecure. We have no need for it, so naturally I wanted to remove it rather than take any risks.
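A small triage helper, added here as an example (it is not cPanel or CSF code), that parses an alert shaped like the one quoted above and only accepts it as the known cPanel entropychat when the executable, account and listening socket all match the profile seen in that alert; the sample alert is constructed from the one above.

```python
# Triage helper for lfd-style "Suspicious Process" alerts (added example, not cPanel/CSF code).
import re
# Constructed sample, taken from the alert quoted above (memory maps omitted).
SAMPLE_ALERT = """PID: 24607 (Parent PID:24607)
Account: nobody

Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl

Command Line (often faked in exploits):
entropychat

Network connections by the process (if any):
tcp: 0.0.0.0:2084 -> 0.0.0.0:0
"""
# Profile of cPanel's own entropychat as it appears in the alert above.
CPANEL_PERL = "/usr/local/cpanel/3rdparty/perl/"
ENTROPYCHAT_PORT = 2084

def _section(text, header):
    """Non-blank lines following `header`, up to the next blank line or end of text."""
    m = re.search(re.escape(header) + r"\n(.*?)(?:\n\s*\n|\Z)", text, re.S)
    return [l.strip() for l in m.group(1).splitlines() if l.strip()] if m else []

def parse_alert(text):
    """Pull the fields that matter for triage out of the alert body."""
    first = lambda header: (_section(text, header) or [""])[0]
    ports = []
    for line in _section(text, "Network connections by the process (if any):"):
        m = re.match(r"\w+: \S+:(\d+) -> \S+:(\d+)$", line)
        if m and m.group(2) == "0":        # peer 0.0.0.0:0 means a listening socket
            ports.append(int(m.group(1)))
    return {"pid": int(re.search(r"^PID: (\d+)", text, re.M).group(1)),
            "account": re.search(r"^Account: (\S+)", text, re.M).group(1),
            "executable": first("Executable:"), "listen_ports": sorted(ports),
            "cmdline": first("Command Line (often faked in exploits):")}

def triage(alert):
    """'known-cpanel-entropychat' only when every attribute matches the profile, else 'investigate'.
    The command line is the weakest signal (the alert itself says it can be faked)."""
    reasons = []
    if alert["cmdline"] != "entropychat":
        reasons.append("command line is not entropychat")
    if not alert["executable"].startswith(CPANEL_PERL):
        reasons.append("executable is not cPanel's bundled perl: " + alert["executable"])
    if alert["account"] != "nobody":
        reasons.append("unexpected account: " + alert["account"])
    if alert["listen_ports"] != [ENTROPYCHAT_PORT]:
        reasons.append("unexpected listening ports: %r" % alert["listen_ports"])
    return ("known-cpanel-entropychat" if not reasons else "investigate"), reasons
```

Any alert that differs from the profile in even one attribute (a perl binary outside the cPanel tree, a different account, an extra listening port) is returned as "investigate" with the mismatches listed, rather than being dismissed as the known service.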

Below are instructions on how to remove entropychat, further securing your WHM server.


Remove entropychat

You need to log in to your WHM panel and, in the menu, find Service Configuration > Service Manager.

[Screenshot: WHM Service Manager]

In the Service Manager you will see entropychat; untick any checkboxes next to it and save.

[Screenshot: entropychat in the Service Manager]

Restart your WHM server to remove entropychat from the running processes.


Author: Dean Williams

I'm a Web Developer, Graphics Designer and Gamer. This is my personal site, which provides PHP programming advice, hints and tips.


Comments For This Post:

  • Key part to know, the service does not quit straight away and for some reason does not let you kill or stop it. So a reboot of your server will be required.
