
/dev/shm lol hack attempt

Discussion in 'cPanel Developers' started by atsmark, May 27, 2005.

  1. atsmark

    atsmark Member

    Just to put it on record, my cPanel server had some sort of exploit uploaded and run this morning. It put a file called scan.tar.gz in /dev/shm and extracted it. A handful of files were extracted including executable files named "error", "scan", "ss", "x", and "lol". I noticed a lot of the lol processes running which is how I caught it. It appears to me that it was designed to run in the background and try to guess the root password by brute force, but I am not certain.

    I killed the processes, moved the files to a quarantine area and set their permissions to 000, unmounted /dev/shm, and remounted it with the noexec and nosuid options. I'm not sure how to find which script they used to upload that file.

    Any suggestions on how I can further protect myself from this would be much appreciated!

    Thanks,

    Mark
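
A check for the remount described in the post above, as an added example that is not part of the original thread: it reports which of `noexec` and `nosuid` are missing from a mount point's entry in a `/proc/mounts`-format table, and lists files that still carry an execute bit. The function names `missing_mount_opts` and `exec_files` are hypothetical, and the sample mount lines are constructed.

```shell
#!/bin/sh
# Added example: audit the hardening of /dev/shm described in the post.
# Note: noexec blocks direct execution of files on the mount; a script can
# still be run by passing it to an interpreter, so the file listing matters too.

# missing_mount_opts MOUNTPOINT [MOUNTS_FILE]
# Prints the required options absent from the last entry for MOUNTPOINT
# (space-separated, empty if none), or "unmounted" if there is no entry.
# MOUNTS_FILE defaults to /proc/mounts; "-" reads the table from stdin.
missing_mount_opts() {
    mp=$1
    table=${2:-/proc/mounts}
    awk -v mp="$mp" '
        $2 == mp { opts = $4; found = 1 }   # last matching entry wins
        END {
            if (!found) { print "unmounted"; exit }
            # Split on commas so "exec" can never match inside "noexec".
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            out = ""
            if (!("noexec" in have)) out = out "noexec "
            if (!("nosuid" in have)) out = out "nosuid "
            sub(/ $/, "", out)
            print out
        }' "$table"
}

# exec_files DIR
# Lists regular files under DIR with any execute bit set (owner, group, other).
exec_files() {
    find "$1" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null
}

# Constructed sample entries in /proc/mounts format (not taken from the thread).
before='tmpfs /dev/shm tmpfs rw,relatime 0 0'
after='tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
echo "before remount, missing: [$(printf '%s\n' "$before" | missing_mount_opts /dev/shm -)]"
echo "after remount,  missing: [$(printf '%s\n' "$after" | missing_mount_opts /dev/shm -)]"
```

On a live server, `missing_mount_opts /dev/shm` reads `/proc/mounts` directly and `exec_files /dev/shm` lists anything there that still has an execute bit; the same two calls work for `/tmp` and `/var/tmp`.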
     
  2. Yojek

    Yojek Active Member

    They upload the file from a phpBB forum or from another system.
    Just block phpinfo, and block the option for users to run processes from their web sites.
     
  3. chirpy

    chirpy Well-Known Member

    As Yan said, it's most likely a vulnerable PHP script; the current one is most likely phpBB. You should use the WHM > Addon Module > Addon Script Manager and check your server for old versions and make sure they're all upgraded to v2.0.15.
     
  4. Yojek

    Yojek Active Member

    What is the version of PHP that you use?
     