Suspicious Files & Folders
I could find some strange files & folders on the server at the following location:

/usr/local/lp $ ls
./ ../ apps/ configs/ etc/ htdocs/ jakarta/ libs/ logs/ rpmver/ scripts/ share/ temp/ tmp/ var/

It contains a virtual host configuration file at the following location:

$ cat /usr/local/lp/configs/httpd/vhost.conf
# This VirtualHost serves as an access point for monitoring scripts
# and other things used to ensure the well-being of your server.
#
# Please do not remove this VirtualHost entry unless absolutely necessary.
#
# This configuration file is generated from values stored in the file
# '/usr/local/lp/configs/httpd/prefs.cfg'.
#
# To make changes, edit that file and regenerate the VirtualHost by running
# '/usr/local/lp/apps/http/generatelpvhost'.
#
# To make changes outside of the scope of the configuration provided, edit
# the custom include file - '/usr/local/lp/configs/httpd/custom.conf'.
#
# To disable this VirtualHost, touch the following file, and then
# regenerate the VirtualHost:
# /usr/local/lp/var/disablelpvhost
#
# To prevent automated changes to this VirtualHost, touch the following
# file:
# /usr/local/lp/var/staticlpvhost
#
NameVirtualHost X.X.X.X:80
<VirtualHost X.X.X.X>
    ServerName servxxxxx.sn.sourcedns.com
    ServerAlias www.servxxxxx.sn.sourcedns.com
    ServerAdmin webmaster@sourcedns.com
    DocumentRoot /usr/local/lp/htdocs/
    CustomLog /usr/local/lp/logs/httpd/servxxxxx.sn.sourcedns.com combined
    ScriptAlias /cgi-bin/ /usr/local/lp/htdocs/cgi-bin/
    User systuser
    Group systuser
</VirtualHost>

It seems that it includes all the Apache files except the Apache binary. The path to this virtual host file has then been included in the main Apache configuration file. It seems that the attacker has got hold of the server root password. Can I make the server safe by just changing the server root password and then deleting the above files? Has anyone seen something like this before? Please let me know a solution to this issue...

Last edited by joemon; 02-26-2009 at 03:15 AM.
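One way to check for exactly the situation described in the post (an Include line in the main httpd.conf pulling in a <VirtualHost> from a directory the administrator never set up, with its own DocumentRoot, ScriptAlias and User/Group), as an added example that is not part of the original post: the script below parses Apache configuration text for Include/IncludeOptional targets and <VirtualHost> blocks and flags any filesystem path that falls outside an assumed allow-list. TRUSTED_PREFIXES and the two sample configuration strings are assumptions constructed for illustration (the sample vhost mirrors the posted one); on a real host you would feed it the actual httpd.conf and every file it includes.

```python
"""Audit Apache httpd configuration text for Include directives and
<VirtualHost> blocks that point outside the directories an administrator
expects (added example for this thread, not code from the original post).

TRUSTED_PREFIXES and the two sample configurations are assumptions
constructed for illustration; on a real host feed in the actual
httpd.conf and every file it includes.
"""
import re
import shlex
from typing import Dict, List, Tuple

# Assumed allow-list of directories Apache is expected to read config,
# content and logs from on this box. Adjust to the host under review.
TRUSTED_PREFIXES = ("/etc/httpd/", "/var/www/", "/var/log/httpd/", "/home/")

# Constructed sample: a stock-looking httpd.conf with the extra Include line
# the poster describes, and the vhost file it pulls in (mirrors the posted one).
SAMPLE_HTTPD_CONF = """\
ServerRoot "/etc/httpd"
Include conf.d/*.conf
DocumentRoot "/var/www/html"
Include /usr/local/lp/configs/httpd/vhost.conf
"""

SAMPLE_VHOST_CONF = """\
NameVirtualHost X.X.X.X:80
<VirtualHost X.X.X.X>
    ServerName servxxxxx.sn.sourcedns.com
    ServerAlias www.servxxxxx.sn.sourcedns.com
    DocumentRoot /usr/local/lp/htdocs/
    CustomLog /usr/local/lp/logs/httpd/servxxxxx.sn.sourcedns.com combined
    ScriptAlias /cgi-bin/ /usr/local/lp/htdocs/cgi-bin/
    User systuser
    Group systuser
</VirtualHost>
"""

INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.IGNORECASE)
# Which argument of each directive is a filesystem path (0-based).
PATH_ARG_INDEX = {"DocumentRoot": 0, "ErrorLog": 0, "CustomLog": 0,
                  "Alias": 1, "ScriptAlias": 1}
# A User/Group override inside a vhost is rare in stock configs and worth a look;
# in the posted file it makes the CGI directory run as systuser.
IDENTITY_DIRECTIVES = ("User", "Group")


def is_trusted(path: str) -> bool:
    """Relative paths resolve under ServerRoot, which we treat as trusted."""
    path = path.strip('"')
    return not path.startswith("/") or path.startswith(TRUSTED_PREFIXES)


def find_untrusted_includes(conf_text: str) -> List[str]:
    """Include/IncludeOptional targets that lie outside TRUSTED_PREFIXES."""
    hits = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and not is_trusted(m.group(1)):
            hits.append(m.group(1).strip('"'))
    return hits


def parse_vhosts(conf_text: str) -> List[Dict[str, str]]:
    """Collect the directives of each <VirtualHost> block into a dict."""
    vhosts: List[Dict[str, str]] = []
    current = None
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("<virtualhost"):
            current = {}
        elif stripped.lower().startswith("</virtualhost"):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None and stripped and not stripped.startswith("#"):
            parts = stripped.split(None, 1)
            current[parts[0]] = parts[1] if len(parts) > 1 else ""
    return vhosts


def audit_vhost(vhost: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (directive, value) pairs worth a human look: filesystem paths
    outside the allow-list, and any per-vhost User/Group override."""
    findings = []
    for directive, idx in PATH_ARG_INDEX.items():
        if directive in vhost:
            args = shlex.split(vhost[directive])
            if len(args) > idx and not is_trusted(args[idx]):
                findings.append((directive, args[idx]))
    for directive in IDENTITY_DIRECTIVES:
        if directive in vhost:
            findings.append((directive, vhost[directive]))
    return findings


def audit(httpd_conf: str, included: Dict[str, str]) -> Dict[str, object]:
    """Audit a main config plus a {path: text} map of the files it includes."""
    report = {"untrusted_includes": find_untrusted_includes(httpd_conf),
              "vhost_findings": {}}
    for path, text in included.items():
        for vhost in parse_vhosts(text):
            name = vhost.get("ServerName", "<no ServerName>")
            report["vhost_findings"][(path, name)] = audit_vhost(vhost)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_HTTPD_CONF,
                   {"/usr/local/lp/configs/httpd/vhost.conf": SAMPLE_VHOST_CONF})
    for inc in result["untrusted_includes"]:
        print("Include outside trusted dirs:", inc)
    for (path, name), findings in result["vhost_findings"].items():
        for directive, value in findings:
            print(f"{path} [{name}]: {directive} {value}")
```

Run against the sample it reports the foreign Include and, for the pulled-in vhost, the DocumentRoot, CustomLog and ScriptAlias paths under /usr/local/lp plus the User/Group override. Anything it flags still needs a human decision: a hosting-control-panel install can legitimately add Includes of its own, so the point of the allow-list is to surface what you did not put there, not to declare it malicious.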
Virtualhost
Hi,
By default, the VirtualHost section in the httpd.conf file is blank. Now, if you have created a VirtualHost config, take a careful look at it; it might be yours. But if that configuration is not really yours, then it is an indication that the server was hacked. Changing the root password and deleting that VirtualHost config may help. Additionally, check the services that are running on your machine and take a look at the logs. Hope this helps.
__________________
Van From St. Louis
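The reply's advice to look at the logs, applied to this case as an added example that is not part of the original thread: the posted vhost writes a "combined" format access log and exposes a ScriptAlias at /cgi-bin/, so the first thing to establish is who has been invoking CGI through it and with what methods. The script parses combined-format lines, counts lines that do not parse (those deserve a look of their own), and groups CGI hits by client address and target script. The log lines are constructed for illustration, not from the poster's server; the /cgi-bin/ prefix is taken from the posted vhost.

```python
"""Triage the access log of a VirtualHost you did not set up (added example
for this thread, not code from the original posts).

The posted vhost logs in Apache 'combined' format and exposes a ScriptAlias
at /cgi-bin/, so the first question is who has been invoking CGI through it.
The log lines below are constructed for illustration, not from the poster's
server.
"""
import re
from collections import Counter
from typing import Dict, Optional, Set

# Apache 'combined' LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# ScriptAlias prefix from the posted vhost configuration.
SCRIPT_ALIAS_PREFIX = "/cgi-bin/"

# Constructed sample lines; the last one is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2009:02:10:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Feb/2009:02:10:12 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Feb/2009:02:11:40 +0000] "POST /cgi-bin/check.cgi HTTP/1.0" 200 64 "-" "curl/7.19.7"
198.51.100.7 - - [26/Feb/2009:02:11:41 +0000] "POST /cgi-bin/check.cgi HTTP/1.0" 200 64 "-" "curl/7.19.7"
198.51.100.7 - - [26/Feb/2009:02:12:03 +0000] "GET /cgi-bin/status.cgi?cmd=id HTTP/1.0" 200 128 "-" "curl/7.19.7"
this line is not in combined format
"""


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str, cgi_prefix: str = SCRIPT_ALIAS_PREFIX) -> Dict[str, object]:
    """Summarise CGI activity under the suspicious vhost.

    Returns the count of lines that did not parse (inspect those by hand:
    injected or truncated lines show up here), CGI requests per client
    address, and each CGI target with the HTTP methods used against it.
    """
    unparsed = 0
    cgi_by_client: Counter = Counter()
    targets: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_combined(line)
        if rec is None:
            unparsed += 1
            continue
        path = rec["path"].split("?", 1)[0]  # group by script, not by query string
        if path.startswith(cgi_prefix):
            cgi_by_client[rec["client"]] += 1
            targets.setdefault(path, set()).add(rec["method"])
    return {"unparsed": unparsed, "cgi_by_client": cgi_by_client, "targets": targets}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("unparsable lines:", summary["unparsed"])
    for client, n in summary["cgi_by_client"].most_common():
        print(f"{client}: {n} CGI request(s)")
    for path, methods in sorted(summary["targets"].items()):
        print(f"{path}: {', '.join(sorted(methods))}")
```

On the sample it attributes every CGI call to one address and shows a POST-only script next to a GET script taking a query string; on a real host you would run it over the file named in the vhost's CustomLog line and then read the flagged requests, and the unparsable lines, in full. A log that an attacker has been able to write to is only a starting point, which is why the reply's other suggestion, checking what is actually running, matters as much.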