Hello,
1) Are the following files part of cpanel? If so, please specify the package they belong to.
I am fixing someone's hacked dedicated web-host server, which has RHEL 2.4.21-40.EL and cpanel. chkrootkit doesn't help. Gives 'all ok' status. I'm searching for 'what got exploited on the server'.
WHM 10.8.0 cPanel 10.8.2-R83
RedHat Enterprise 3 i686 - WHM X v3.1.0
; ===========================================================
[email protected] [~]# find / -name "*.pxp"
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.8.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.1.1.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.2.2.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.6.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.10.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.2.1.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.4.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.2.0.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.3.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.1.0.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.7.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.5.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.1.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.1.2.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.2.3.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.2.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.9.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.0.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.11.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.2.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.1.1.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.1.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.11.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.1.0.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.2.0.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.0.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.2.2.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.9.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.2.1.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.2.ts.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.8.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.0.6.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.3.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.10.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.ts.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.6.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.1.2.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.4.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.5.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.2.3.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.7.pxp
; ======================================================
2) I have a folder, installd, under:
- /root
- /home
Are both copies valid or is one out of date/stale/bad?
; ======================================================
3) The datacenter staff points out that it 'might' be a vulnerability in php. Has any such event occurred on any other server? I have php 4.3.11 here.
Running /scripts/upcp hasn't helped upgrading php. I get 'php version is up to date'.
Need to know of similar scenarios to tackle this problem.
Need help!