The Community Forums

Interact with an entire community of cPanel & WHM users!

3 servers hacked...

Discussion in 'General Discussion' started by olivier222333, Sep 7, 2004.

  1. olivier222333

    olivier222333 Well-Known Member
    PartnerNOC

    Joined:
    Jul 12, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    hi
    3 servers in a week....

    top ps, uptime give me:
    ps
    ps: error while loading shared libraries: libproc.so.2.0.13: cannot open shared object file: No such file or directory


    I ran a script to see the hidden processes and...
    I don't know how to find the problem... (this is the problem on the 3 servers, the same flaw)



    WARNING: file /proc/16193 has no matching PID in ps.
    Process 16193 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16194 has no matching PID in ps.
    Process 16194 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16195 has no matching PID in ps.
    Process 16195 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16196 has no matching PID in ps.
    Process 16196 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16197 has no matching PID in ps.
    Process 16197 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16198 has no matching PID in ps.
    Process 16198 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16199 has no matching PID in ps.
    Process 16199 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16200 has no matching PID in ps.
    Process 16200 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    WARNING: file /proc/16201 has no matching PID in ps.
    Process 16201 reports its command line to be '/usr/sbin/mysqld--basedir=/--datadir=/var/lib/mysql--user=mysql--pid-file=/var/lib/mysql/ns32.hosteur.com.pid--skip-locking'.
    DANGER!!! I found 9 hidden processes.


    I think it's a mysql injection or php... but I'm not sure.
    I want to know if anyone has ever seen this problem... and how to fix this?...


    thanks
     
  2. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    166
    If this is Red Hat Enterprise you have nothing to worry about. It is related to the recent up2date.

    up2date -f procps

    and reboot that should resolve it.
     
  3. olivier222333
    Yes I have RH EL3


    ah I am happy :)

    I was very upset...
    thanks a lot
     
    #3 olivier222333, Sep 7, 2004
    Last edited: Sep 7, 2004
  4. StevenC
    Yeah, I had quite a few clients come to me frantic after running /scripts/upcp.
     
  5. olivier222333
    But I have 20 RH EL3 but I don't understand why not all machines were affected...
    only 3/20
     
  6. StevenC
    Well, we had some affected but not all. Guess it's bad luck is all. *shrugs*
     
  7. olivier222333
    Thank you TLG :)

    I ran Rkhunter too and I saw openssh and openssl Vulnerable...

    can I up2date too?
    [~]# ssh -V
    OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
     
  8. StevenC
    You can ignore that, since Red Hat backports patches into old versions of software.
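
Added example, not part of the thread and not the script the original poster ran: the "hidden process" warnings in the first post came from comparing /proc with ps at a time when ps could not load libproc. The sketch below does the same comparison but reports a failing ps as inconclusive; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from any tool in the thread.

# Print the purely numeric directory names under a proc-style directory.
proc_pids() {
    for d in "${1:-/proc}"/*; do
        name=${d##*/}
        case $name in ''|*[!0-9]*) continue ;; esac
        if [ -d "$d" ]; then echo "$name"; fi
    done
}

# Print entries of newline-separated list $1 that are absent from list $2.
missing_from() {
    printf '%s\n' "$1" | grep -vxF -e "$2" | grep '[0-9]' || true
}

# Exit status: 0 = every /proc PID is listed by ps, 1 = unmatched PIDs,
# 2 = ps itself failed, so no conclusion can be drawn.
check_hidden() {
    ps_cmd=${1:-ps}; proc_dir=${2:-/proc}
    in_proc=$(proc_pids "$proc_dir")      # snapshot /proc before running ps
    if ! ps_out=$($ps_cmd -e -o pid= 2>&1) || [ -z "$ps_out" ]; then
        echo "INCONCLUSIVE: $ps_cmd failed: $ps_out" >&2
        return 2
    fi
    in_ps=$(printf '%s\n' "$ps_out" | tr -d ' ' | grep -x '[0-9][0-9]*' || true)
    status=0
    for pid in $(missing_from "$in_proc" "$in_ps"); do
        [ -d "$proc_dir/$pid" ] || continue   # exited between the two snapshots
        echo "WARNING: $proc_dir/$pid has no matching PID in ps"
        status=1
    done
    return $status
}

# Usage: check_hidden; echo "exit status: $?"
```

Exit status 2 corresponds to the situation in this thread: until ps runs again, the difference between /proc and ps output says nothing about hidden processes.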
     