/dev/shm lol hack attempt

[atsmark]

Just to put it on record, my cPanel server had some sort of exploit uploaded and run this morning. It put a file called scan.tar.gz in /dev/shm and extracted it. A handful of files were extracted including executable files named "error", "scan", "ss", "x", and "lol". I noticed a lot of the lol processes running which is how I caught it. It appears to me that it was designed to run in the background and try to guess the root password by brute force, but I am not certain.

I killed the processes, moved the files to a quarantine area and set their permissions to 000, unmounted /dev/shm, and remounted it with the noexec and nosuid options. I'm not sure how to find which script they used to upload that file.

Any suggestions on how I can further protect myself from this would be much appreciated!

Thanks,

Mark

 

[Yojek]

they ubload the file from phpbb forum or from other system
just block : phpinfo, block the option to users run processes from their web sites

 

[chirpy]

As Yan said, it's most likely a vulnerable php script, the current one most likely is phpBB. You should use the WHM > Addon Module > Addon Script Manager and check your server for old versions and make sure they're all upgraded to v2.0.15

 

[Yojek]

what is the version of php that you use?