Casper

Member
Mar 31, 2003
23
0
151
Hi all,

I've just upgraded to WHM 10.8.0 cPanel 10.9.0-S58, since upgraded I noticed that I'm getting system emails that "/bin/sh: line 0: kill: (26886) - No such process" with subject title "chown root:root /tmp/py2 && chmod 4755 /tmp/py2 && rm -rf /etc/cron.d/core && kill -USR1 26886" and a seperate email that said no such directory /tmp/py2 by the minute.

Anyone have any idea what is running since the upgrade that is causing the two emails or know of a fix?

Regards,

Joe
 
Last edited:

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,465
30
473
Go on, have a guess
That's a root exploit attempt and you could have had a root exploit installed on your server. See if you have a file called /etc/cron.d/core, if you do then you've almost definitely been compromised. You should also try searching for rootkits using rkhunter and chkrootkit. If you have been compromised, then you're looking at having the server wiped and a clean OS installed.
 

Casper

Member
Mar 31, 2003
23
0
151
Hi Jonathan,

Thanks for the reply. No /etc/cron.d/core found on the system, plus I do run chkrootkit off cron daily and bfd. This only happened since the upgrade of cpanel, everything else seem ok prior of that. Any idea where can i get rkhunter or any other ideas?

Regards,

Joe
 

Casper

Member
Mar 31, 2003
23
0
151
Hi Chirpy,

Thanks for the info. Think a rebuild will be required, definitely an intrusion to the system after investigating several other changes on the server.

Thanks for the help and info.

Cheers,

Joe