Casper

Member
Mar 31, 2003
23
0
151
Hi all,

I've just upgraded to WHM 10.8.0 cPanel 10.9.0-S58. Since upgrading, I've noticed that I'm getting system emails that say "/bin/sh: line 0: kill: (26886) - No such process" with the subject title "chown root:root /tmp/py2 && chmod 4755 /tmp/py2 && rm -rf /etc/cron.d/core && kill -USR1 26886" and a separate email that said no such directory /tmp/py2 by the minute.

Anyone have any idea what is running since the upgrade that is causing the two emails or know of a fix?

Regards,

Joe
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
That's a root exploit attempt and you could have had a root exploit installed on your server. See if you have a file called /etc/cron.d/core, if you do then you've almost definitely been compromised. You should also try searching for rootkits using rkhunter and chkrootkit. If you have been compromised, then you're looking at having the server wiped and a clean OS installed.
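
The check described in the reply above, widened to the other artefacts in the mailed command, as an added example that is not part of the original thread. The command in the email subject itself removes /etc/cron.d/core, so the sketch also looks for /tmp/py2, setuid files in temp directories and suspicious cron entries; the function names, the ROOT argument and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): look for the artefacts named in the
# cron error mails. ROOT is an assumption of this example; it lets the check
# run against a mounted disk image or a test tree instead of the live system.
check_indicators() {
    root="${1:-/}"; root="${root%/}"
    findings=""
    note() { findings="${findings}$1
"; }

    # 1. Cron drop-in that the mailed command deletes once it has run.
    if [ -e "$root/etc/cron.d/core" ]; then
        note "present: $root/etc/cron.d/core"
    fi

    # 2. The file the command makes root-owned and setuid (mode 4755).
    if [ -e "$root/tmp/py2" ]; then
        note "present: $root/tmp/py2"
    fi

    # 3. Any setuid regular file in world-writable temp directories.
    suid=$(find "$root/tmp" "$root/var/tmp" "$root/dev/shm" \
        -xdev -type f -perm -4000 2>/dev/null || true)
    if [ -n "$suid" ]; then
        note "setuid in temp dir: $suid"
    fi

    # 4. Cron files that set a setuid mode or mention the /tmp/py2 path.
    cronhits=$(grep -rlE 'chmod +[4-7][0-7]{3}|chmod +u\+s|/tmp/py2' \
        "$root/etc/crontab" "$root/etc/cron.d" "$root/var/spool/cron" \
        2>/dev/null || true)
    if [ -n "$cronhits" ]; then
        note "suspicious cron entry in: $cronhits"
    fi

    # Exit status 1 means at least one indicator was found.
    if [ -n "$findings" ]; then
        printf '%s' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample tree (hypothetical contents) for trying the check offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/cron.d" "$t/tmp"
    printf '* * * * * root chmod 4755 /tmp/py2\n' > "$t/etc/cron.d/core"
    : > "$t/tmp/py2"
    echo "$t"
}
```

A clean result on a running host is weak evidence, because a root-level compromise can hide files from the tools used here; running `check_indicators /mnt/image` against the disk mounted from rescue media is more trustworthy.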
 

Casper

Hi Jonathan,

Thanks for the reply. No /etc/cron.d/core found on the system, plus I do run chkrootkit off cron daily and bfd. This only happened since the upgrade of cPanel; everything else seemed OK prior to that. Any idea where I can get rkhunter, or any other ideas?

Regards,

Joe
 

Casper

Hi Chirpy,

Thanks for the info. Think a rebuild will be required, definitely an intrusion to the system after investigating several other changes on the server.

Thanks for the help and info.

Cheers,

Joe