The Community Forums

Interact with an entire community of cPanel & WHM users!

bind and mesh and misc processes

Discussion in 'Bind / DNS / Nameserver Issues' started by acidice333, Mar 5, 2005.

  1. acidice333

    acidice333 Registered

    Nov 7, 2004
    So lately I've got a problem..

    Someone seems to be getting into my server and somehow placing an executable file in my /tmp called `bind`. Here is the detail of the file (note I took away the exec perms):

    ```
    -rw-rw-rw- 1 nobody nobody 18712 Jul 30 2004 bind
    ```

    They also seem to place a few other files in my /tmp like...

    ```
    -rw------- 1 nobody nobody 541 Mar 5 19:36 .bash_history
    -rw-r--r-- 1 nobody nobody 5720 Jan 23 10:54 ft
    -rw-r--r-- 1 nobody nobody 6300 Mar 5 19:15 lista
    -rw-r--r-- 1 nobody nobody 8344 Mar 5 19:20 lista2
    -rw-r--r-- 1 nobody nobody 6183 Mar 5 19:23 index.php
    ```

    Here is the contents of the .bash_history file..

    ```
    uname -a
    cd /var/tmp
    cd /tmp
    locate httpd.conf
    cd /usr
    ls -a
    cd usr
    ls -a
    cd local
    ls -a
    cd apache
    ls -a
    cd conf
    ls -a
    cat httpd.conf
    cat httpd.conf | grep ServerName > /tmp/lista
    cd /tmp
    cat lista
    cd /usr/local/apache/conf
    cat httpd.conf | grep DocumentRoot > lista2
    cat httpd.conf | grep DocumentRoot > /tmp/lista2
    cd /tmp
    cat lista2
    perl ft -e -l lista -a index.php
    perl ft -e -l lista2 -a index.php
    perl ft -zdp lista2
    ```

    Some group called `tuzim` or something like that kept coming onto my server and running processes.

    I don't have any `demo` accounts and nobody has shell access except for me and one of my trusted partners.

    Does anybody have any suggestions? I've killed the processes (this time there was only `bind` running. Last time there was `mesh` and some weird `elf` named process running)
  2. chirpy

    chirpy Well-Known Member

    Jun 15, 2002
    Go on, have a guess
    There are plenty of recent threads on how to deal with script compromises. If you don't know how to do this yourself and how to secure your server, you either need to search through the threads on the forum and learn, or hire someone who can do it for you.
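
A read-only triage sketch for the situation in the first post, added here as an example and not written by either poster: it classifies files owned by the web server account by their leading bytes rather than by name or mode, and lists processes whose executable lives in a temp directory. It assumes Linux with `/proc` and the `nobody` account shown in the listings; the function names and the `--scan` switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: Linux with /proc, and the
# web server account is "nobody", as in the listings above. Read-only triage.

# magic FILE: first four bytes of FILE as lowercase hex, e.g. 7f454c46.
magic() {
    head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# is_elf FILE: succeeds if FILE starts with the ELF magic (0x7f 'E' 'L' 'F').
is_elf() {
    [ "$(magic "$1")" = "7f454c46" ]
}

# suspect_files OWNER DIR...: list regular files owned by OWNER under the
# given directories, tagged ELF, SCRIPT (starts with "#!") or OTHER.
# The file name and mode are ignored: a binary renamed "bind" or stripped
# of its exec bit is still reported as ELF.
suspect_files() {
    owner=$1; shift
    find "$@" -xdev -type f -user "$owner" 2>/dev/null |
    while IFS= read -r f; do
        case $(magic "$f") in
            7f454c46) kind=ELF ;;
            2321*)    kind=SCRIPT ;;
            *)        kind=OTHER ;;
        esac
        printf '%s\t%s\n' "$kind" "$f"
    done
}

# procs_from_tmp: print "PID<TAB>exe" for processes whose executable lives in
# /tmp or /var/tmp. A binary removed after launch shows as "... (deleted)"
# and still matches. Run as root to see other users' processes.
procs_from_tmp() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case $exe in
            /tmp/*|/var/tmp/*) printf '%s\t%s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
}

# Run the scan only when asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--scan" ]; then
    suspect_files nobody /tmp /var/tmp
    procs_from_tmp
fi
```

Files tagged OTHER still deserve a look: a Perl script run as `perl ft` needs no `#!` line.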
