Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

/dev/shm lol hack attempt

Discussion in 'cPanel Developers' started by atsmark, May 27, 2005.

  1. atsmark

    atsmark Member

    Joined:
    Mar 31, 2005
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    151
    Just to put it on record, my cPanel server had some sort of exploit uploaded and run this morning. It put a file called scan.tar.gz in /dev/shm and extracted it. A handful of files were extracted including executable files named "error", "scan", "ss", "x", and "lol". I noticed a lot of the lol processes running which is how I caught it. It appears to me that it was designed to run in the background and try to guess the root password by brute force, but I am not certain.

    I killed the processes, moved the files to a quarantine area and set their permissions to 000, unmounted /dev/shm, and remounted it with the noexec and nosuid options. I'm not sure how to find which script they used to upload that file.

    Any suggestions on how I can further protect myself from this would be much appreciated!

    Thanks,

    Mark
     
    #1 atsmark, May 27, 2005
  2. Yojek

    Yojek Active Member

    Joined:
    Apr 4, 2004
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Ashdod, Israel
    they ubload the file from phpbb forum or from other system
    just block : phpinfo, block the option to users run processes from their web sites
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 Yojek, May 27, 2005
  3. chirpy

    chirpy Well-Known Member Verifed Vendor

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    22
    Trophy Points:
    463
    Location:
    Go on, have a guess
    As Yan said, it's most likely a vulnerable php script, the current one most likely is phpBB. You should use the WHM > Addon Module > Addon Script Manager and check your server for old versions and make sure they're all upgraded to v2.0.15
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 chirpy, May 27, 2005
  4. Yojek

    Yojek Active Member

    Joined:
    Apr 4, 2004
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Ashdod, Israel
    what is the version of php that you use?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 Yojek, May 27, 2005
(You must log in or sign up to post here.)
Loading...
Similar Threads - hack attempt
  1. zodiac9797

    cPanel e-mail forwarders hack

    zodiac9797, Apr 12, 2018, in forum: Security
    Replies:
    7
    Views:
    1,741
    cPanelLauren
    Nov 20, 2018
  2. JarekN

    Site keeps on getting hacked - infected files

    JarekN, Mar 15, 2018, in forum: Security
    Replies:
    6
    Views:
    1,626
    cPanelMichael
    Mar 15, 2018
  3. kalexanakis

    Server hacked using pam_fprintd.so?

    kalexanakis, Jun 7, 2017, in forum: Security
    Replies:
    8
    Views:
    1,866
    Jcats
    Jun 23, 2017
  4. Motamedi

    Increase security to prevent hacking?

    Motamedi, May 5, 2017, in forum: Security
    Replies:
    1
    Views:
    864
    cPanelMichael
    May 5, 2017
  5. Ali Saatsaz Yazdi

    Attempt to invoke directory as script error

    Ali Saatsaz Yazdi, Apr 14, 2019, in forum: General Discussion
    Replies:
    5
    Views:
    282
    cPanelLauren
    Apr 16, 2019

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice