3 servers hacked...

Discussion in 'General Discussion' started by olivier222333, Sep 7, 2004.

  1. olivier222333

    olivier222333 Well-Known Member
    PartnerNOC

    Joined:
    Jul 12, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    hi
    3 servers in a week....

    top, ps, uptime give me:
    ps
    ps: error while loading shared libraries: libproc.so.2.0.13: cannot open shared object file: No such file or directory


    I run a script to see the hidden processes and...
    I don't know how to find the problem... (this is the problem on the 3 servers, the same flaw)



    WARNING: file /proc/16193 has no matching PID in ps.
    Process 16193 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16194 has no matching PID in ps.
    Process 16194 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16195 has no matching PID in ps.
    Process 16195 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16196 has no matching PID in ps.
    Process 16196 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16197 has no matching PID in ps.
    Process 16197 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16198 has no matching PID in ps.
    Process 16198 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16199 has no matching PID in ps.
    Process 16199 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16200 has no matching PID in ps.
    Process 16200 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16201 has no matching PID in ps.
    Process 16201 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    DANGER!!! I found 9 hidden processes.


    I think it's a mysql injection or php... but I'm not sure.
    I want to know if anyone has ever seen this problem... and how to fix this?...


    thanks
     
  2. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    254
    Likes Received:
    0
    Trophy Points:
    16
    If this is Red Hat Enterprise you have nothing to worry about. It is related to the recent up2date.

    up2date -f procps

    and reboot; that should resolve it.
     
  3. olivier222333

    Yes I have RH EL3


    ah I am happy :)

    I was very upset...
    thanks a lot
     
  4. StevenC

    Yeah, I had quite a few clients come to me frantic after running /scripts/upcp.
     
  5. olivier222333

    But I have 20 RH EL3 but I don't understand why not all machines were affected...
    only 3/20
     
  6. StevenC

    Well, we had some affected but not all. Guess it's bad luck is all. *shrugs*
     
  7. olivier222333

    Thank you TLG :)

    I ran Rkhunter too and I saw openssh and openssl Vulnerable...

    can I up2date too?
    [~]# ssh -V
    OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
     
  8. StevenC

    You can ignore that, since redhat backports patches into old versions of software.
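
The ps failure in the first post (a missing libproc.so.2.0.13) is the kind of condition a /proc-versus-ps comparison has to rule out before it reports hidden processes. The shell function below is an added example, not part of the thread or of the script the poster ran; the name check_hidden, its return codes and its messages are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare numeric /proc entries with the
# PIDs ps reports, but only when ps itself ran successfully.
# Usage: check_hidden PROC_DIR PS_COMMAND [ARGS...]
#   e.g. check_hidden /proc ps -e -o pid=
# Returns 0 = consistent, 1 = PIDs missing from ps, 2 = ps unusable.
check_hidden() {
    proc_dir=$1
    shift
    ps_rc=0
    ps_out=$("$@" 2>/dev/null) || ps_rc=$?
    # Keep only lines that are a bare PID, stripped of padding.
    ps_pids=$(printf '%s\n' "$ps_out" |
        grep -E '^[[:blank:]]*[0-9]+[[:blank:]]*$' | tr -d '[:blank:]')
    if [ "$ps_rc" -ne 0 ] || [ -z "$ps_pids" ]; then
        # A ps that cannot start (missing libproc, exit 127) proves nothing
        # about hidden processes; repair or reinstall procps first.
        echo "INCONCLUSIVE: ps failed (exit $ps_rc), cannot compare"
        return 2
    fi
    missing=0
    for d in "$proc_dir"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        case $pid in *[!0-9]*) continue ;; esac
        if ! printf '%s\n' "$ps_pids" | grep -qxF "$pid"; then
            # cmdline is NUL-separated; turn NULs into spaces for display.
            cmd=$(tr '\0' ' ' 2>/dev/null <"$d/cmdline") || cmd='?'
            echo "WARNING: /proc/$pid has no matching PID in ps: $cmd"
            missing=$((missing + 1))
        fi
    done
    if [ "$missing" -gt 0 ]; then
        # Short-lived processes can race the two listings; re-run before
        # treating this as evidence of tampering.
        echo "$missing PID(s) in $proc_dir not reported by ps"
        return 1
    fi
    echo "OK: every PID in $proc_dir is reported by ps"
    return 0
}
```

A return code of 2 means the comparison could not be made at all, which is a different finding from a return code of 1.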
     