Suspicious File Alert

[Fakher]

Hi all,

I have started to receive emails from my server like a week ago about suspicious file running on my server. This is an example email sent to me by CSF.

lfd on Phoenix.offshoredns.net: Suspicious File Alert

Time: Sun Oct 10 14:10:47 2010 +0400
File: /tmp/bds
Reason: Binary executable
Owner: hostingp:hostingp (937:933)
Action: No action taken

Time: Sun Oct 10 15:11:01 2010 +0400
File: /tmp/backs
Reason: Script, starts with #!
Owner: hostingp:hostingp (937:933)
Action: No action taken



Its a trojan i tried to delete it but it comes back again...
what to do?

Please advise....

Regards
Fakher

[dalem]

one of your users has a vulnerable php script

if you are running suphp see what user it ls


ls -l /tmp/bds

[Fakher]

i have terminated the user....
still getting alerts....

File: /tmp/bds
Reason: Binary executable
- Hide quoted text -
Owner: : (937:933)
Action: No action taken

how to remove these things now?

Regards
Fakher

[Fakher]

how to fix this now as the account was removed from the server....

[cPanelTristan]

Hello Fakher,

If you've already removed all files in /tmp that was owned by hostingp, then you might want to see if there are any processes still running for that user on the system:

Code:

ps aux|grep hostingp

Otherwise, run a find for any files and folders still owned by that user, although it would be strange for the user to own anything if they are terminated:

Code:

find / -user hostingp

Please note that a find of this nature is going to take a long time to process.

Please do check the user is actually terminated:

Code:

grep hostingp /etc/passwd
grep hostingp /etc/group