Are these part of cpanel/whm?

hariskhan · May 23, 2006

Hello,

1) Are the following files, part of cpanel? If so, please specify the package they belong to

I am fixing someone's hacked dedicated web-host server, which has RHEL 2.4.21-40.EL and cpanel. chkrootkit doesn't help. Gives 'all ok' status. I'm searching for 'what got exploited on the server'.

WHM 10.8.0 cPanel 10.8.2-R83
RedHat Enterprise 3 i686 - WHM X v3.1.0

; ===========================================================

root@ameer [~]# find / -name "*.pxp"
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.8.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.1.1.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.2.2.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.6.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.10.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.2.1.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.4.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.2.0.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.3.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.1.0.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.7.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.5.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.1.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.1.2.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.2.3.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.2.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.9.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.0.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.fre/ixed.fre.4.3.11.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.2.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.1.1.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.1.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.11.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.1.0.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.2.0.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.0.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.2.2.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.9.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.2.1.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.2.ts.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.8.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.0.6.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.3.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.10.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.ts.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.6.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.1.2.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.4.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.5.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.2.3.pxp
/usr/local/cpanel/3rdparty/etc/ixed/ixed.lin/ixed.lin.4.3.7.pxp

; ======================================================

2) I have folder: installd under;

- /root
- /home

Are both copies valid or is one out of date/stale/bad?

; ======================================================

3) The datacenter staff points out that it 'might' be a vulnerability in php. Has any such event occured on any other server? I have php 4.3.11 here.

Running /scripts/upcp hasn't helped upgrading php. I get 'php version is up to date'.

Need to know of similar scenarios' to tackle this problem.

Need help!

webignition · May 23, 2006

hariskhan said:

1) Are the following files, part of cpanel? If so, please specify the package they belong to
Click to expand...

Regarding the .pxp files, I remember having them around since day zero. I have no idea what they are, but I believe they're safe.

hariskhan said:

2) I have folder: installd under;

- /root
- /home
Click to expand...

By this do you mean you have the directories:

/root/installd
/home/installd

If so, I've never heard of them being required by cPanel. What's their permissions and ownership and what's in them?

hariskhan said:

3) The datacenter staff points out that it 'might' be a vulnerability in php. Has any such event occured on any other server? I have php 4.3.11 here.

Running /scripts/upcp hasn't helped upgrading php. I get 'php version is up to date'.
Click to expand...

PHP can be updated via /scripts/easyapache or via WHM >> Software >> Apache Update. Be sure you know what you're doing before recompiling php with either!

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Are these part of cpanel/whm?

hariskhan Well-Known Member

webignition Well-Known Member

Replacing 3rd-party service SSL cert with a cPanel-signed cert

cPanel not recognizing new partition

SOLVED /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings

SOLVED How old are the Full Backup & Partial Backups in cPanel > Backup

Can you symlink a folder in cpanel to another partition?

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Are these part of cpanel/whm?

hariskhan Well-Known Member

webignition Well-Known Member

Replacing 3rd-party service SSL cert with a cPanel-signed cert

cPanel not recognizing new partition

SOLVED /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings

SOLVED How old are the Full Backup & Partial Backups in cPanel > Backup

Can you symlink a folder in cpanel to another partition?

Share This Page