Yea I want the daily cpanel update off anyway. It ruins Fantastico (not so fantastic after all lol)
Might consider letting the root cron run and setting the WHM update option to manual updates only. Of course we only run the stable versions which likely puts us in the minority.
Quote: Well that user has a small town kiddy baseball team photo site. I know it's not him doing anything.
You're totally missing the point... read this again:
Quote: the first one especially (why isn't that script running under the gvllweb user?)... so they could have been installed through an apache exploit or a script with a security hole.
I'll spell it out: It doesn't have to be your user running a script... if a script is running as 'nobody' there's a good chance it was 'installed' through a hole in apache (since it runs as the user 'nobody') or from a script with security problems (since apache/perl/php would have run the script and they're usually run under nobody - depends on if you're using suexec/phpsuexec - and so files created by them would be under the user 'nobody'). Cpanel would put the cronjobs that a user added themselves under their username, not nobody.
Well, it's good you deleted the nobody cron jobs, (but not the root, I didn't see anything obviously suspicious about that - looked like the usual cpanel stuff, if you had a problem in the root cronjob then your server would be 0wn3d and you'd have much bigger problems), but you really should delete those files (after looking at them to find out what they really do) and then find out how they got in there, find out what insecure script needs to be patched or removed from your server. Otherwise, you're just asking for it to happen again, and maybe next time it'll be much worse... trashing all your data and requiring you to have an OS reload done, accompanied by much downtime.
Quote: rootkit hunter gave all "ok" results
rkhunter is not an end all, fix all... it's only looking for some specific hack tools. Since it only takes a few lines of code to do some bad things on your server, and since it doesn't take long to write this code and it can be written in a number of different ways, then it's very hard to have a tool that can find and recognize every bad thing as 'bad'.
Quote: I am getting tons of emails regarding some eggdrop of some sort
From the names of those suspicious files, I'd guess you might have some sort of eggdrop or psybounce or something similar running on your server... couldn't guess at why it takes down the server at 2am on Sundays though.
What are these emails you're getting?
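The point made above about cron entries running as 'nobody' (the web server's own user, so anything a hole in apache or a buggy web script dropped would end up owned by it) can be turned into a quick audit. The script below is an added example, not something posted in this thread or shipped with cPanel: it takes a dump of every user's crontab in "user<TAB>cron line" form and flags entries that run as a web server user, point into world-writable directories like /tmp, or hide in dot-directories. The crontab dump used here is constructed sample data; the commented-out loop shows how you would build the real one with the standard crontab command.

```shell
#!/bin/sh
# Added example: audit crontabs for entries planted under the web server user.
# Not code from the thread. On a real box the input would come from:
#   for u in $(cut -d: -f1 /etc/passwd); do
#       crontab -l -u "$u" 2>/dev/null | grep -v '^#' | sed "s/^/$u$(printf '\t')/"
#   done
# Below, a constructed sample stands in for that output.
SAMPLE_CRON=$(printf '%s\t%s\n' \
    root    '0 2 * * * /scripts/upcp --cron' \
    root    '0 4 * * * /usr/sbin/logrotate /etc/logrotate.conf' \
    nobody  '*/10 * * * * /tmp/.x/bot.sh >/dev/null 2>&1' \
    gvllweb '0 3 * * * /home/gvllweb/backup.sh' \
    nobody  '@reboot /var/tmp/.ICE-unix/httpd')

# Unprivileged accounts apache/php/perl typically run under (assumed list; add suexec users as needed).
WEB_USERS='nobody apache www-data'
# World-writable locations a dropped script usually lives in.
SUSPECT_DIRS='/tmp /var/tmp /dev/shm'

# Reads "user<TAB>cron line" records on stdin. Prints one tab-separated line per
# suspicious entry: user, comma-joined reasons, the cron line itself.
flag_web_user_cron() {
    awk -F'\t' -v webusers="$WEB_USERS" -v dirs="$SUSPECT_DIRS" '
    BEGIN {
        n = split(webusers, w, " "); for (i = 1; i <= n; i++) isweb[w[i]] = 1
        m = split(dirs, d, " ")
    }
    NF < 2 || $1 ~ /^#/ { next }
    {
        user = $1; line = $2; why = ""
        # A cron job owned by the web server user was not added through cPanel by a customer.
        if (user in isweb) why = why "runs-as-web-user,"
        # Commands living in world-writable dirs are a classic sign of a web-dropped script.
        for (i = 1; i <= m; i++) if (index(line, d[i] "/") > 0) { why = why "world-writable-dir,"; break }
        # Hidden directories (/.x, /.ICE-unix, ...) are used to keep such files out of sight.
        if (line ~ /\/\.[^\/ ]/) why = why "hidden-dir,"
        if (why != "") { sub(/,$/, "", why); print user "\t" why "\t" line }
    }'
}

# Helpers over the constructed sample so the result can be checked.
sample_hits() { printf '%s\n' "$SAMPLE_CRON" | flag_web_user_cron; }
count_hits() { sample_hits | wc -l | tr -d ' '; }

# Run stand-alone: prints the two 'nobody' entries with their reasons.
sample_hits
```

Each flagged line tells you which user the job runs as and why it looks wrong; the next step, as the reply above says, is to read the file the job points at, remove it, and work out which script let it in rather than just deleting the cron entry.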