  1. #1
    Registered User
    Join Date
    Jun 2006
    Posts
    1

    Strange Files in /var/spool/

    Hi guys,

    On all 6 of our servers (all running cPanel Release tree), somebody last night uploaded some strange files to /var/spool/ named /var/spool/.GGG/ - inside the .GGG folder was a keylogger by the looks of it, and also an output of text (including passwords). This folder was not viewable until a reboot of the server had taken place. This coincided with web sites hosted on the servers being infected with the vbs.psyme trojan which injects malicious JavaScript to the browser.

    Has anyone else seen similar things over the past 48 hours, and if so has the entry point been established?

    TIA

    Steve

  2. #2
    chirpy, Super Moderator (this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    What ownership did the files have? If they're owned by root, then you've clearly suffered a root compromise and would need to restore a clean OS and restore accounts from backup and get the server security locked down. If they're owned by a non-root user it should help you in finding out how the hackers got in.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
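
The ownership check suggested in the reply above, as an added example that is not part of either post: it lists hidden entries under a spool directory with their owner and flags whether each is root-owned. It assumes GNU `find` and `stat`; the function name `audit_hidden` is hypothetical. Because the first post says the folder was not viewable until a reboot, the output is only as trustworthy as the system it runs on.

```shell
#!/bin/sh
# Added example: triage hidden entries under a spool directory by owner.
# Assumes GNU find and stat. audit_hidden is a hypothetical helper name.
# Usage: audit_hidden /var/spool

# audit_hidden ROOT
# Prints one tab-separated line per hidden (dot-named) entry under ROOT:
#   VERDICT  uid=N  user=NAME  mtime=TIMESTAMP  PATH
# VERDICT is ROOT-OWNED (points to a root compromise) or USER-OWNED
# (the owning account is the lead for finding the entry point).
audit_hidden() {
    root=${1:-/var/spool}
    # -mindepth 1 keeps ROOT itself out of the results.
    find "$root" -mindepth 1 -name '.*' 2>/dev/null |
    while IFS= read -r path; do
        # Skip entries that vanish between find and stat.
        uid=$(stat -c '%u' "$path" 2>/dev/null) || continue
        user=$(stat -c '%U' "$path")
        mtime=$(stat -c '%y' "$path")
        if [ "$uid" -eq 0 ]; then
            verdict="ROOT-OWNED"
        else
            verdict="USER-OWNED"
        fi
        printf '%s\tuid=%s\tuser=%s\tmtime=%s\t%s\n' \
            "$verdict" "$uid" "$user" "$mtime" "$path"
    done
}
```

The modification time in each line can be compared against web, FTP and SSH logs for the owning account.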
