/dev/shm lol hack attempt

Discussion in 'cPanel Developers' started by atsmark, May 27, 2005.

  1. atsmark

    atsmark Member

    Just to put it on record, my cPanel server had some sort of exploit uploaded and run this morning. It put a file called scan.tar.gz in /dev/shm and extracted it. A handful of files were extracted including executable files named "error", "scan", "ss", "x", and "lol". I noticed a lot of the lol processes running which is how I caught it. It appears to me that it was designed to run in the background and try to guess the root password by brute force, but I am not certain.

    I killed the processes, moved the files to a quarantine area and set their permissions to 000, unmounted /dev/shm, and remounted it with the noexec and nosuid options. I'm not sure how to find which script they used to upload that file.

    Any suggestions on how I can further protect myself from this would be much appreciated!

    Thanks,

    Mark
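
The remount check from the first post, as an added example that is not part of the original thread: it reports which of `noexec` and `nosuid` are missing from the `/dev/shm` mount and lists any executable files left there. The function names and the `--report` switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit /dev/shm hardening.

# missing_shm_opts [MOUNTS_FILE]
# Prints the hardening options (noexec, nosuid) absent from the /dev/shm
# entry of a /proc/mounts-format file. Prints "unmounted" if there is no entry.
missing_shm_opts() {
    mounts_file=${1:-/proc/mounts}
    # The last matching entry wins: a later mount overlays an earlier one.
    opts=$(awk '$2 == "/dev/shm" { o = $4 } END { print o }' "$mounts_file")
    if [ -z "$opts" ]; then
        echo "unmounted"
        return 0
    fi
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;                               # option present
            *) missing="${missing:+$missing }$want" ;;    # option absent
        esac
    done
    echo "$missing"
}

# list_shm_executables [DIR]
# Lists regular files under DIR that have any execute bit set.
list_shm_executables() {
    find "${1:-/dev/shm}" -xdev -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print 2>/dev/null | sort
}

# Report on the live system only when asked to (hypothetical switch).
if [ "${1:-}" = "--report" ]; then
    m=$(missing_shm_opts)
    if [ -n "$m" ]; then
        echo "/dev/shm: missing options or not mounted: $m"
    else
        echo "/dev/shm: noexec and nosuid are set"
    fi
    echo "Executable files in /dev/shm:"
    list_shm_executables
fi
```

A remount done by hand does not survive a reboot unless the same options are also in `/etc/fstab`, so the check is worth repeating after a restart.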
     
  2. Yojek

    Yojek Active Member

    They upload the file from a phpBB forum or from another system.
    Just block: phpinfo, and block the option for users to run processes from their web sites.
     
  3. chirpy

    chirpy Well-Known Member

    As Yan said, it's most likely a vulnerable PHP script; the current one most likely is phpBB. You should use the WHM > Addon Module > Addon Script Manager to check your server for old versions, and make sure they're all upgraded to v2.0.15.
     
  4. Yojek

    Yojek Active Member

    What is the version of PHP that you use?
     