The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

/dev/shm lol hack attempt

Discussion in 'cPanel Developers' started by atsmark, May 27, 2005.

  1. atsmark

    atsmark Member

    Joined:
    Mar 31, 2005
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    151
    Just to put it on record, my cPanel server had some sort of exploit uploaded and run this morning. It put a file called scan.tar.gz in /dev/shm and extracted it. A handful of files were extracted including executable files named "error", "scan", "ss", "x", and "lol". I noticed a lot of the lol processes running which is how I caught it. It appears to me that it was designed to run in the background and try to guess the root password by brute force, but I am not certain.

    I killed the processes, moved the files to a quarantine area and set their permissions to 000, unmounted /dev/shm, and remounted it with the noexec and nosuid options. I'm not sure how to find which script they used to upload that file.

    Any suggestions on how I can further protect myself from this would be much appreciated!

    Thanks,

    Mark
     
    #1 atsmark, May 27, 2005
  2. Yojek

    Yojek Active Member

    Joined:
    Apr 4, 2004
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Ashdod, Israel
    they ubload the file from phpbb forum or from other system
    just block : phpinfo, block the option to users run processes from their web sites
     
    #2 Yojek, May 27, 2005
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,472
    Likes Received:
    20
    Trophy Points:
    463
    Location:
    Go on, have a guess
    As Yan said, it's most likely a vulnerable php script, the current one most likely is phpBB. You should use the WHM > Addon Module > Addon Script Manager and check your server for old versions and make sure they're all upgraded to v2.0.15
     
    #3 chirpy, May 27, 2005
  4. Yojek

    Yojek Active Member

    Joined:
    Apr 4, 2004
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Ashdod, Israel
    what is the version of php that you use?
     
    #4 Yojek, May 27, 2005
(You must log in or sign up to post here.)
Loading...
Similar Threads - hack attempt
  1. kalexanakis

    Server hacked using pam_fprintd.so?

    kalexanakis, Jun 7, 2017, in forum: Security
    Replies:
    8
    Views:
    256
    Jcats
    Jun 23, 2017
  2. Motamedi

    Increase security to prevent hacking?

    Motamedi, May 5, 2017, in forum: Security
    Replies:
    1
    Views:
    195
    cPanelMichael
    May 5, 2017
  3. Vladimir Šebez

    Possible mysql root password hacked

    Vladimir Šebez, Nov 15, 2016, in forum: Security
    Replies:
    6
    Views:
    502
    cPanelMichael
    Nov 18, 2016
  4. Tatchan

    Ayuda! Me han hackeado varias cuentas

    Tatchan, Sep 27, 2016, in forum: Discusión en Español
    Replies:
    1
    Views:
    333
    cPanelMichael
    Oct 5, 2016
  5. ruzbehraja

    Standard Operating Procedure for dealing with email abuse or hacked email accounts

    ruzbehraja, Aug 23, 2016, in forum: E-mail Discussions
    Replies:
    1
    Views:
    402
    cPanelMichael
    Aug 24, 2016

Share This Page