
Thread: eggdrop

  1. #1
    Member
    Join Date
    Mar 2002
    Posts
    248

    Default eggdrop

    10165 (eggdrop) /tmp/.shp/.dat/eggdrop-1.6. /tmp/.shp/.dat
    /usr/local/apache/sbin/httpd-DSSL
    -m bin.txt

    --------------------------------------------------------------------------------
    10336 (eggdrop) /tmp/.sho/.dat/eggdrop-1.6. /tmp/.sho/.dat
    /usr/local/apache/sbin/httpd-DSSL
    -m bin.txt


    What are those? Am I hacked?

    In my tmp,

    drwxr-xr-x 3 nobody nobody 4096 Apr 21 22:54 .shc/
    drwxr-xr-x 3 nobody nobody 4096 Apr 17 19:00 .shh/
    drwxr-xr-x 3 nobody nobody 4096 Apr 24 08:37 .sho/
    drwxr-xr-x 3 nobody nobody 4096 Apr 24 08:35 .shp/
    drwxr-xr-x 3 nobody nobody 4096 Apr 21 22:56 .shw/
    drwxr-xr-x 3 nobody nobody 4096 Apr 17 18:55 .ssh/

  2. #2
    Member
    Join Date
    Jan 2004
    Posts
    227

    Default

    I am almost willing to bet you use cpanel... so many exploits, I see eggdrops go up all over the place... to be honest I am sorry I use it sometimes! In most cases (that I know of) they get in through a demo account.

    Most people set them up in /tmp, so.. yeah, you got "0wn3d"

    Just remove it and secure your box better.

  3. #3
    Member
    Join Date
    Oct 2003
    Posts
    1,020

    Default

    Originally posted by nybble
    I am almost willing to bet you use cpanel...
    What gives you that idea?

  4. #4
    Member
    Join Date
    Jan 2004
    Posts
    227

    Default

    Cause just about every cpanel box with a public demo ends up with an eggdrop on it...

  5. #5
    Member
    Join Date
    Oct 2003
    Posts
    1,020

    Default

    Oh I thought it was something a little more pedestrian such as the fact that he posted in a cpanel support forum

  6. #6
    Member
    Join Date
    Mar 2002
    Posts
    248

    Default

    I did not enable demo for the server.

    And this hacker is able to restart my server.

    How can he do so via openssl?

  7. #7
    Member
    Join Date
    Jan 2004
    Posts
    227

    Default

    Um... I am no security expert, but A. Are you running cpanel? B. do you have users on this server?

    In some cases just being a user and having cpanel access can be a bad thing... anyway, best of luck!

  8. #8
    Member
    Join Date
    Jan 2002
    Location
    UK
    Posts
    248

    Default

    Look at who owns the files - 'nobody'. This means they were created by CGI (if you don't run suexec) or PHP (if you don't run phpsuexec).

    Probably some outdated code for which there's a vulnerability been released - PHP forums/bloggers/CMS's are favourites.

    Mount your temporary space noexec, make sure you're patched up to the eyeballs and consider other avenues such as open basedir restrictions.

    You have not necessarily been "0wn3d" but simply someone has managed to execute code as your apache user 'nobody'. Nevertheless, I'd recommend you at least find the problem code and run chkrootkit for peace of mind.
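
An audit sketch for the two points raised in post #8, added here as an example and not posted by anyone in the thread: it checks whether a temp mount carries `noexec`/`nosuid` and lists hidden directories owned by the web server account. The function names are hypothetical; the `/tmp` and `nobody` defaults are taken from the listing in post #1.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only audit of a temp directory:
# mount options plus hidden directories owned by the web server account.

# Print the options of mount point $1 from a /proc/mounts-style file $2
# (default /proc/mounts). The last matching entry is the mount in effect.
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { if (opts != "") print opts }' \
        "${2:-/proc/mounts}"
}

# Succeed only if $1 is its own mount point and carries option $2.
# Optional $3 is the mounts file to read (useful for offline review).
mount_has_opt() {
    opts=$(mount_opts "$1" "$3")
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# List hidden directories directly under $1 owned by user name or UID $2.
hidden_dirs_owned_by() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*' -user "$2" 2>/dev/null | sort
}

# Report findings for directory $1 (default /tmp) and owner $2 (default nobody).
audit_tmp() {
    dir=${1:-/tmp}; user=${2:-nobody}
    for opt in noexec nosuid; do
        mount_has_opt "$dir" "$opt" || echo "WARN: $dir is not a mount with $opt"
    done
    hidden_dirs_owned_by "$dir" "$user" | while IFS= read -r d; do
        echo "REVIEW: $d (owned by $user)"
        ls -la "$d"
    done
}

# Runs only when invoked as: sh audit_tmp.sh audit [dir] [user]
if [ "${1:-}" = "audit" ]; then audit_tmp "${2:-/tmp}" "${3:-nobody}"; fi
```

A `WARN` line means the directory is either not a separate mount or lacks the option; a `REVIEW` line is a prompt to inspect the directory, not proof of compromise.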

  9. #9
    Member
    Join Date
    Mar 2002
    Posts
    248

    Default

    I went to execute the command to secure my /tmp now.

    /scripts/securetmp

  10. #10
    cPanel Partner NOC
    Join Date
    Dec 2003
    Location
    Athens/GREECE
    Posts
    193
    cPanel/WHM Access Level

    DataCenter Provider

    Default

    Originally posted by goal
    Look at who owns the files - 'nobody'. This means they were created by CGI (if you don't run suexec) or PHP (if you don't run phpsuexec).
    Hello,

    I've enabled suexec through WHM but I can't find how to enable phpsuexec. Any help?
    Sincerely,

    George Vardikos
    HyperHosting Internet Services

  11. #11
    Member
    Join Date
    Nov 2002
    Posts
    1,782
    cPanel/WHM Access Level

    DataCenter Provider

    Default

    Originally posted by gvard
    Hello,

    I've enabled suexec through WHM but I can't find how to enable phpsuexec. Any help?
    You would need to recompile php for that. The best would be to run the apache compile, either from whm or shell. php 4.3.7 was released earlier, so while compiling you could also update your php to the latest.

    In WHM -> Software -> Update Apache

    Select all you need and compile away.

    If you prefer shell, as root run:

    /scripts/easyapache

    Select all you need and compile away

    If you don't know what to select you could choose the 1-5 options presented by the easyapache script. At times they help you to achieve what's required and later learn what to include or exclude from the compile.
    :: Anand ::

    ssh root@
    who the hell is root ???

    Cpanelappz Support Forums are up now. Register Today
    http://forums.cpanelappz.com

    WHM/cPanel API : http://whmapi.cpanelappz.com
    Cpanel Login Script : www.cpanelappz.com/cpanel-login-script.htm
    Exiscan+Clam+Exim Auto Installer : www.cpanelappz.com
