chown /tmp/py2 ??

Discussion in 'General Discussion' started by Casper, Oct 29, 2006.

  1. Casper

    Casper Member

    Hi all,

    I've just upgraded to WHM 10.8.0 cPanel 10.9.0-S58. Since upgrading, I noticed that I'm getting system emails that say "/bin/sh: line 0: kill: (26886) - No such process" with subject title "chown root:root /tmp/py2 && chmod 4755 /tmp/py2 && rm -rf /etc/cron.d/core && kill -USR1 26886", and a separate email that said no such directory /tmp/py2, by the minute.

    Anyone have any idea what is running since the upgrade that is causing the two emails or know of a fix?

    Regards,

    Joe
     
    #1 Casper, Oct 29, 2006
    Last edited: Oct 29, 2006
  2. chirpy

    chirpy Well-Known Member

    That's a root exploit attempt and you could have had a root exploit installed on your server. See if you have a file called /etc/cron.d/core, if you do then you've almost definitely been compromised. You should also try searching for rootkits using rkhunter and chkrootkit. If you have been compromised, then you're looking at having the server wiped and a clean OS installed.
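
The checks suggested in the reply above, written as a shell function (an added example, not part of any post in this thread). The function name `triage_py2` and its ROOT argument are assumptions of this example; the paths and command strings come from the emailed cron subject line.

```shell
#!/bin/sh
# Added example, not from the thread: check a filesystem tree for the
# indicators named in the emailed cron command. ROOT is "/" for the live
# system or the mount point of a disk image (an assumption of this example).

triage_py2() {
    root="${1%/}"          # strip trailing slash so "/" becomes ""
    found=0

    # 1. Files named in the command: the cron drop file and the /tmp binary.
    for p in /etc/cron.d/core /tmp/py2; do
        if [ -e "$root$p" ]; then
            echo "FOUND file: $root$p"
            found=1
        fi
    done

    # 2. Any setuid file in world-writable temp directories (what
    #    "chmod 4755 /tmp/py2" would have produced).
    suid=$(find "$root/tmp" "$root/var/tmp" "$root/dev/shm" \
               -type f -perm -4000 2>/dev/null || true)
    if [ -n "$suid" ]; then
        printf 'FOUND setuid file:\n%s\n' "$suid"
        found=1
    fi

    # 3. Cron entries that reference /tmp/py2 or set mode 4755.
    cronhits=$(grep -rlE '/tmp/py2|chmod[[:space:]]+4755' \
               "$root/etc/crontab" "$root/etc/cron.d" \
               "$root/var/spool/cron" 2>/dev/null || true)
    if [ -n "$cronhits" ]; then
        printf 'FOUND cron entry:\n%s\n' "$cronhits"
        found=1
    fi

    # Exit status 0 means none of the indicators were present.
    [ "$found" -eq 0 ]
}

# Usage: sh triage_py2.sh /    (or a mounted image, e.g. /mnt/image)
if [ "$#" -gt 0 ]; then
    triage_py2 "$1"
fi
```

The emailed command itself ends with `rm -rf /etc/cron.d/core`, so a clean result from these checks does not rule out a compromise.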
     
  3. Casper

    Casper Member

    Hi Jonathan,

    Thanks for the reply. No /etc/cron.d/core found on the system, plus I do run chkrootkit off cron daily and bfd. This only happened since the upgrade of cPanel; everything else seemed OK prior to that. Any idea where I can get rkhunter, or any other ideas?

    Regards,

    Joe
     
  4. chirpy

    chirpy Well-Known Member

  5. Casper

    Casper Member

    Hi Chirpy,

    Thanks for the info. Think a rebuild will be required, definitely an intrusion to the system after investigating several other changes on the server.

    Thanks for the help and info.

    Cheers,

    Joe
     