Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Apache ( nobody ) Command and server load > 25

Discussion in 'EasyApache' started by ezztro, Dec 22, 2004.

  1. ezztro

    ezztro Well-Known Member

    Joined:
    Nov 11, 2003
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    166
    Hi,

    since last night, a have 50 - 100 nobody Pids running with this command:

    sh - c chmod 0777 /home/username/public_html/

    what is apache 24/7 doing with chmod 0777 ?
     
  2. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    318
    That looks suspicious to me mate, i'd have a qualified system admin take a look at the box ASAP and make sure its not compromised. Hope you have backups.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. ezztro

    ezztro Well-Known Member

    Joined:
    Nov 11, 2003
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    166
    Hm,

    i think its OSCommerce with Image Cache.

    The Command sh -c chmod 0777 is using the OSC Path of this cPanel account...
     
  4. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    318
    Why would it need to modify the public_html folder to 777 ? I don't understand, i've never seen that sort of functionality in OSC unless its new ?

    The reason i said its sus is because its chmoding the public_html folder from what you said. Which just sort of rings out as a possible mass defacement program of some kind.. We don't the access to your server so, i can't say for sure.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    318
    Are you saying that its origonating from the oscommerce install ? If so, is the oscommerce out of date or have any known vulnerabilites? It could be someone trying to bugger with your system via a vuln.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice