#1 cpanllover (Member, Belgium, joined Jul 2005, 78 posts)

    suspicious files in /tmp hack ?

    hi folks,

    In my server's /tmp directory I found three suspicious files with very weird names.

    vb5une5x
    vbEHwo3v
    vbiQi8Ze

    I was very suspicious about them and ran the nobody_check security tool from webhostgear.com, and it reported this:

    DETECTION: Process 3878 with name entropychat and path /usr/bin/perl.#prelink#

    And WHM was complaining to me that I should disable compilers. I am 99% sure I did that, as I use csf provided by chirpy here. So the question is:
    • who enabled compilers?
    • who started that malicious process?

    So far I killed that process and entropychat is disabled. My server is also cronned to run the nobody_check tool every 5 minutes. It is not a root compromise, otherwise the damage would have been much larger; I can't find anything about entropychat in my logs either.

    some advice will be appreciated


#2 serversphere (Member, joined Jan 2004, 658 posts)

    Quote Originally Posted by cpanllover:
    It is not a root compromise, otherwise the damage would have been much larger
    It's never good to assume you weren't rooted. Especially if compilers were active after you de-activated them and you didn't do it. That throws up a red flag for me.

    Run RKhunter and Chkrootkit to see if they find anything. Grab a port and/or process monitor (check out rfxnetworks.com) to make sure nothing is opening ports or running without you knowing about it. Use nmap and netstat to check over ports as well, make sure no one has a back door open. Grep your logs to see if you can see a point of entry or anything else that might indicate they have root. Watch for high load periods, you could install a load monitoring script as well that reports what's driving up load.

    Hope that helps!
    Darren Benfer | SS-Darren | AIM: serversphere
    www.serversphere.com
    Dedicated Server Solutions Have Come Full Circle
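A triage script along the lines of the advice above, added here as an example (it is not from the thread, nor from nobody_check, csf, rkhunter or chkrootkit): it flags processes whose executable lives in a world-writable temp directory, was deleted after launch, or has a name no system binary should have (the `/usr/bin/perl.#prelink#` path from the first post trips that rule), finds executable files in the temp directories, lists listening sockets, and checks that the compiler binaries are still restricted to owner and group. It assumes GNU `stat`, `readlink` and `find`, and `ss` with `netstat` as a fallback; run it as root so every process's `exe` link is readable.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the thread or from nobody_check/csf/rkhunter).
# Assumes GNU stat/readlink/find and ss or netstat; run as root to see every process.
# classify_exe PATH: prints "suspect" or "ok" for the resolved path of a running binary.
classify_exe() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) echo suspect ;;   # running out of a world-writable dir
        *"(deleted)"*)                echo suspect ;;   # binary was removed after launch
        *'#'*|*' '*)                  echo suspect ;;   # odd chars, e.g. /usr/bin/perl.#prelink#
        *)                            echo ok ;;
    esac
}

# audit_procs: resolve /proc/<pid>/exe for every process and print the suspect ones.
audit_procs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads have no exe
        [ "$(classify_exe "$exe")" = suspect ] && printf '%s\t%s\n' "${p#/proc/}" "$exe"
    done
    return 0
}

# audit_tmp: executable regular files in the temp directories (PHP session files never need +x).
audit_tmp() {
    find /tmp /var/tmp /dev/shm -xdev -type f -perm /111 -printf '%u\t%m\t%p\n' 2>/dev/null
    return 0
}

# list_listeners: every listening TCP/UDP socket with its owning process.
list_listeners() {
    ss -H -ltnup 2>/dev/null || netstat -ltnup 2>/dev/null
}

# mode_locks_others MODE: true when an octal mode as printed by stat -c %a (e.g. 750)
# denies execute to "others", i.e. the binary is usable only by owner and group.
mode_locks_others() {
    case "$1" in
        *[02468]) return 0 ;;
        *)        return 1 ;;
    esac
}

# compilers_locked: true when every compiler present is still restricted to owner/group.
compilers_locked() {
    for c in /usr/bin/gcc /usr/bin/cc /usr/bin/g++; do
        [ -e "$c" ] || continue
        mode_locks_others "$(stat -c %a "$c")" || { echo "world-executable: $c"; return 1; }
    done
    return 0
}
```

Source the file and call `audit_procs`, `audit_tmp`, `list_listeners` and `compilers_locked` in turn; the names the first post lists (`vb5une5x` and friends) only show up in `audit_tmp` if something has made them executable, which plain PHP temp files never are.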

#3 katmai (Member, Brno, Czech Republic, joined Mar 2006, 507 posts)

    vb5une5x
    vbEHwo3v
    vbiQi8Ze

    usually are temporary php files. entropychat should be disabled. dunno why cpanel doesn't pull it out.

    you're not hacked.
    Not everything that is counted counts and not everything that counts can be counted

#4 serversphere (Member, joined Jan 2004, 658 posts)

    Quote Originally Posted by katmai:
    vb5une5x
    vbEHwo3v
    vbiQi8Ze

    usually are temporary php files. entropychat should be disabled. dunno why cpanel doesn't pull it out.

    you're not hacked.
    Thought OP said entropy had already been disabled, and the compilers suddenly being wr again is puzzling. If this is the case, still throws up red flags in my mind and I would still run the scans to be certain. Never hurts to be cautious.

#5 cpanllover (Member, Belgium, joined Jul 2005, 78 posts)

    Quote Originally Posted by serversphere:
    It's never good to assume you weren't rooted. Especially if compilers were active after you de-activated them and you didn't do it. That throws up a red flag for me.

    Run RKhunter and Chkrootkit to see if they find anything. Grab a port and/or process monitor (check out rfxnetworks.com) to make sure nothing is opening ports or running without you knowing about it. Use nmap and netstat to check over ports as well, make sure no one has a back door open. Grep your logs to see if you can see a point of entry or anything else that might indicate they have root. Watch for high load periods, you could install a load monitoring script as well that reports what's driving up load.

    Hope that helps!
    Yes I did; compilers are not active. This happened after I got notified about the new csf release (I am subscribed to their blog) and upgraded; that's when things got suspicious. It seems to be all normal again after I killed the process. I do have rkhunter and ChkRootKit but they didn't find anything. Open ports do not show me anything suspicious but I'm still watching .....

    thanks folks for the help ....
