Just to put it on record, my cPanel server had some sort of exploit uploaded and run this morning. It put a file called scan.tar.gz in /dev/shm and extracted it. A handful of files were extracted including executable files named "error", "scan", "ss", "x", and "lol". I noticed a lot of the lol processes running which is how I caught it. It appears to me that it was designed to run in the background and try to guess the root password by brute force, but I am not certain.
I killed the processes, moved the files to a quarantine area and set their permissions to 000, unmounted /dev/shm, and remounted it with the noexec and nosuid options. I'm not sure how to find which script they used to upload that file.
Any suggestions on how I can further protect myself from this would be much appreciated!
Thanks,
Mark
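An added example, not part of Mark's post, showing the two checks a responder would want next: use the dropped file's timestamp to pull POST requests to scripts out of the web server access log for that hour (the upload vector is usually a writable PHP/CGI script being posted to), and confirm /dev/shm really is mounted noexec,nosuid. The log lines are constructed for the example; the cPanel domlog path, the GNU `stat`/`date` flags, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Log lines below are constructed.

# Combined-format access log sample. On a cPanel box the per-domain logs are
# assumed to live under /usr/local/apache/domlogs/<domain>.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.7 - - [03/Jun/2010:06:12:41 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2010:06:13:02 -0500] "POST /wp-content/uploads/img.php HTTP/1.1" 200 211 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jun/2010:06:13:20 -0500] "GET /about.html HTTP/1.1" 200 3071 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2010:06:13:44 -0500] "POST /wp-content/uploads/img.php?cmd=wget HTTP/1.1" 200 98 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2010:07:02:10 -0500] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

# Hour in which a dropped file was created, in the log's timestamp format
# (e.g. 03/Jun/2010:06). Assumes GNU stat/date; run as:
#   log_hour_of_file /path/to/quarantine/scan.tar.gz
log_hour_of_file() {
    date -d "@$(stat -c %Y "$1")" +%d/%b/%Y:%H
}

# POST requests to a server-side script within that hour.
# $1 = access log, $2 = timestamp prefix such as 03/Jun/2010:06
posts_in_window() {
    grep -F "[$2" "$1" | grep -E '"POST [^ ]*\.(php|cgi|pl)'
}

# Distinct client IPs behind those POSTs, i.e. the likely uploader.
post_sources() {
    posts_in_window "$1" "$2" | awk '{print $1}' | sort -u
}

# Given one line of `mount` output for /dev/shm, succeed only if both
# noexec and nosuid are present. Use as:
#   shm_options_ok "$(mount | grep ' /dev/shm ')"
shm_options_ok() {
    case "$1" in
        *noexec*) case "$1" in *nosuid*) return 0 ;; esac ;;
    esac
    return 1
}

# /etc/fstab entry that makes the remount survive a reboot (the manual
# remount is: mount -o remount,noexec,nosuid,nodev /dev/shm).
shm_fstab_line() {
    printf '%s\n' 'tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0'
}

# Walk-through on the constructed log.
echo "POSTs to scripts in the window:"
posts_in_window "$LOG" 03/Jun/2010:06
echo "Source IPs:"
post_sources "$LOG" 03/Jun/2010:06
echo "fstab line to add:"
shm_fstab_line
```

Once the requests are found, the target of the POST is the script to inspect (and usually to remove or reinstall); the same IP and time window then narrow the search in the FTP and cPanel login logs. Note that the remount only stops direct execution from /dev/shm; an attacker can still run the payload via an interpreter (`sh /dev/shm/x`), so the upload path itself has to be closed.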