Apache ( nobody ) Command and server load > 25

Discussion in 'EasyApache' started by ezztro, Dec 22, 2004.

  1. ezztro

    Hi,

    Since last night, I have 50 - 100 nobody PIDs running with this command:

    sh -c chmod 0777 /home/username/public_html/

    What is Apache 24/7 doing with chmod 0777?
     
  2. haze

    That looks suspicious to me mate, I'd have a qualified system admin take a look at the box ASAP and make sure it's not compromised. Hope you have backups.
     
  3. ezztro

    Hm,

    I think it's OSCommerce with Image Cache.

    The command sh -c chmod 0777 is using the OSC path of this cPanel account...
     
  4. haze

    Why would it need to modify the public_html folder to 777? I don't understand, I've never seen that sort of functionality in OSC unless it's new?

    The reason I said it's sus is because it's chmoding the public_html folder from what you said. Which just sort of rings out as a possible mass defacement program of some kind. We don't have access to your server, so I can't say for sure.
     
  5. haze

    Are you saying that it's originating from the oscommerce install? If so, is the oscommerce out of date or have any known vulnerabilities? It could be someone trying to bugger with your system via a vuln.
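
Added example, not part of the thread and not cPanel's own tooling: one way to answer the "where is it originating from" question is to group the `chmod 0777` shells run by the web server user by parent PID and target path. The function name, the `WEB_USER` variable and the sample `ps` lines are constructed for illustration; the web user `nobody` and the path are taken from the first post.

```shell
#!/usr/bin/env bash
# Summarise "chmod 0777" commands run by the web server user, grouped by the
# parent process that spawned them and the path being changed.
# Expected input format: ps -eo user=,pid=,ppid=,args=

WEB_USER="${WEB_USER:-nobody}"   # assumption: Apache runs as "nobody", as in the thread

# Constructed sample input (not real output from the poster's server).
SAMPLE_PS='nobody 4101 3990 sh -c chmod 0777 /home/username/public_html/
nobody 4102 3990 sh -c chmod 0777 /home/username/public_html/
nobody 4103 3991 sh -c chmod 0777 /home/username/public_html/
nobody 3990 1200 httpd -k start
root 1200 1 httpd -k start
username 4200 1 chmod 0777 /home/username/tmp'

# Reads ps lines on stdin; prints "<count> <ppid> <path>", busiest parent first.
summarize_chmod_procs() {
  awk -v u="$WEB_USER" '
    $1 == u {
      # Find the token sequence "chmod 0777 <path>" anywhere in the arguments.
      for (i = 4; i < NF - 1; i++) {
        if ($i == "chmod" && $(i + 1) ~ /^0?777$/) {
          n[$3 " " $(i + 2)]++
        }
      }
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Live use on the server:
#   ps -eo user=,pid=,ppid=,args= | summarize_chmod_procs
# Then inspect each reported parent PID, for example:
#   ls -l /proc/<ppid>/cwd    # working directory of the spawning process
```

A parent PID that belongs to an Apache child points at a script executed through the web server, which is the lead to follow into the access logs for that account.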
     