Folding@Home (fah) - trojan?

**metula** · 09-17-2008 04:26 AM

Hi - we noticed a script running on our CPanel box this morning called:

FahCore_a0.exe

It was decompressed into the /tmp folder and executed by the nobody user.

There are really only two ways this could happen - i) CPanel executed the program or ii) a user exploited the CPanel server, uploaded, extracted and executed the program.

I don't like either scenario - does anyone know anything about it?

Folding@Home appears to be a stanford university project using distributed computing to perform computationally intensive protein folding algorithms...

**Freezer** · 09-17-2008 04:58 AM

I think option 2, because i don't see a reason for cPanel to participate in the FAH project.

**rrwh** · 09-17-2008 08:27 AM

Now a quick guess - someone is trying to use exploited machines - such as yours to run FAH so they can get the best bragging rights for the amount of units processed. Somewhere, there will be a config file that links this to a fah user. If you use that info and go back to the FAH project you will certainly get a lot of info on the person/s responsible.

You did make a copy of everything didn't you?

**DigitalN** · 09-17-2008 02:48 PM

It was decompressed into the /tmp folder and executed by the nobody user.

There are really only two ways this could happen - i) CPanel executed the program or ii) a user exploited the CPanel server, uploaded, extracted and executed the program.

Wrong.. try looking at your customers or your php scripts and update them, the running as 'nobody' gives this away.

LinkBack

Thread Tools

Folding@Home (fah) - trojan?

How to move account from /home/home2 to /home and remove sub-directoy /home2 of /hom

Trojan or what ?

Help With Home Server Home Page

Trojan?