what is /usr/bin/perl -w hnc.cgi

**moinkhan31** · 12-05-2008 08:39 AM

Hello,

When i was running top -cd2 command following scripts are taking high cup uses on server. But when we are go home directory we didn't find any thing.

24489 "User Name" 20 0 6732 5084 1164 S 8.0 0.2 11:00.69 /usr/bin/perl -w hnc.cgi
26456 "User Name" 20 0 6876 5080 1164 S 8.0 0.2 7:23.47 /usr/bin/perl -w hnc.cgi
32569 "User Name" 20 0 6748 5056 1164 S 7.5 0.2 8:57.30 /usr/bin/perl -w hnc.cgi

Could you please update us why this script are running under some particular users and what the application of this script.

**rhenderson** · 12-05-2008 10:47 AM

SSH
locate hnc.cgi
and check it out!!

Looks like it is a r57 shell hack, your server might be compromised.
Google "/cgi-bin/hnc.cgi" (leave the quotes in the search) you will see what I mean.

**moinkhan31** · 12-05-2008 11:15 AM

Hello,

I know how to locate this file, but i want what application of this script.

**jpetersen** · 12-05-2008 11:48 AM

Search these forums for: hnc.cgi

and check my posts in the thread titled: Malicious Script hnc.cgi ?

**rhenderson** · 12-05-2008 12:10 PM

Originally Posted by moinkhan31

Hello,

I know how to locate this file, but i want what application of this script.

The application is a hacker file for spamming other systems, get rid of it before you get blacklisted!!

**rhenderson** · 12-05-2008 12:10 PM

Originally Posted by jpetersen

Search these forums for: hnc.cgi

and check my posts in the thread titled: Malicious Script hnc.cgi ?

Good post, gave you a reputation for that!!

**stdout** · 12-05-2008 09:06 PM

Originally Posted by moinkhan31

Hello,

When i was running top -cd2 command following scripts are taking high cup uses on server. But when we are go home directory we didn't find any thing.

24489 "User Name" 20 0 6732 5084 1164 S 8.0 0.2 11:00.69 /usr/bin/perl -w hnc.cgi
26456 "User Name" 20 0 6876 5080 1164 S 8.0 0.2 7:23.47 /usr/bin/perl -w hnc.cgi
32569 "User Name" 20 0 6748 5056 1164 S 7.5 0.2 8:57.30 /usr/bin/perl -w hnc.cgi

Could you please update us why this script are running under some particular users and what the application of this script.

If you spot this type of behaviour again, what I suggest doing is checking out the process' environmental variables.
eg. cat /proc/24489/environ | tr "\00" "\n"

You are interested in the PWD section. This is how you can track it most malicious processes.

**rhenderson** · 12-05-2008 09:15 PM

Originally Posted by stdout

If you spot this type of behaviour again, what I suggest doing is checking out the process' environmental variables.
eg. cat /proc/24489/environ | tr "\00" "\n"

You are interested in the PWD section. This is how you can track it most malicious processes.

Very nice I learn something in here everyday

**stdout** · 12-06-2008 04:29 AM

Originally Posted by rhenderson

Very nice I learn something in here everyday

Glad you liked it. It's a useful way to track processes which are being sneaky -
spoofed process name, ect.

**moinkhan31** · 12-06-2008 09:13 AM

Hello,

Its really nice.

Thank you

LinkBack

Thread Tools

what is /usr/bin/perl -w hnc.cgi

What is the correct permission to /usr/bin/perl ?

what is /usr/bin/perl -w hnc.cgi

Re:How to go to /usr/bin/perl

constant high load with this - /usr/bin/md5sum /usr/bin/[ /usr/bin/411toppm /usr/bin/

cgi-bin vs. scgi-bin vs. perl