
Emergency

Discussion in 'General Discussion' started by semaj, Jul 11, 2003.

  1. semaj

    Please help me get this fixed.
    Bind is not functioning correctly for 12 hours now.
    Below is the error:
    I searched here on the forums & tried all the fixes, but nothing worked.

    This is a slave server.
    Waiting for bind to restart.... . . . . . . . . . . finished.

    rndc: connect failed: connection refused bind status bind did not return a status report


    bind started ok



    Also, I just checked my server email & I have received a lot of these emails:

    Subject: Trojan Horses Detected by (WHM) on root2.urlf.com
    Hidden Pid detected! [pid 1033]
    hidden from ps: [yes]
    binary location: [/dev/rd/s/sendmeil]

    Hidden Pid detected! [pid 6050]
    hidden from ps: [yes]
    binary location: [/bin/bash]


    Subject: Cron <root@root2> /var/log/toplog.sh
    Message:
    /bin/sh: /var/log/toplog.sh: No such file or directory



    Subject: Cron <root@root2> /usr/lib/sa/sa1 1 1
    Message:
    Cannot open /var/log/sa/sa11: No such file or directory

    #1 semaj, Jul 11, 2003
    Last edited: Jul 11, 2003
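
An added example, not part of the original posts and not WHM's own code: a small triage of the "Hidden Pid detected!" alert text quoted in the first post. It shows that a hidden process is a finding even when its binary path looks legitimate. The `KNOWN_DAEMONS` list and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: the alert text as quoted in the first post.
SAMPLE_ALERT = """\
Hidden Pid detected! [pid 1033]
hidden from ps: [yes]
binary location: [/dev/rd/s/sendmeil]

Hidden Pid detected! [pid 6050]
hidden from ps: [yes]
binary location: [/bin/bash]
"""

# Assumption: daemon names to compare against when looking for imitations.
KNOWN_DAEMONS = ("sendmail", "named", "httpd", "sshd", "crond")

# One alert block: pid, the hidden-from-ps flag, and the binary path.
BLOCK_RE = re.compile(
    r"Hidden Pid detected! \[pid (\d+)\]\s*"
    r"hidden from ps: \[(yes|no)\]\s*"
    r"binary location: \[([^\]]*)\]"
)


def lookalike(name):
    """Return the daemon a name closely resembles without equalling it, else None."""
    for known in KNOWN_DAEMONS:
        if name != known and SequenceMatcher(None, name, known).ratio() >= 0.85:
            return known
    return None


def triage(alert_text):
    """Parse every alert block and list the reasons each one is suspicious."""
    findings = []
    for pid, hidden, path in BLOCK_RE.findall(alert_text):
        reasons = []
        if hidden == "yes":
            reasons.append("hidden from ps")
        if path.startswith("/dev/"):
            # /dev holds device nodes; an executable there is out of place.
            reasons.append("executable under /dev")
        twin = lookalike(path.rsplit("/", 1)[-1])
        if twin:
            reasons.append(f"name imitates {twin}")
        findings.append({"pid": int(pid), "path": path, "reasons": reasons})
    return findings
```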
  2. dgbaker

  3. semaj

    Hey Dave.
    I did email you this morning; did you get it & what is the fix?
    James

  4. dgbaker

    James;

    I guess I'll answer you here instead of the e-mail I was just writing.

    Hate to say it. Reinstall O/S. Or check with your NOC to see if they have any other options.

    This thing had about 6 or 7 shell scripts that got called and did extensive damage to /var/log, /usr/bin, /usr/sbin, etc....

    There are several binaries that are now compromised; for example, the who command will no longer list who is on the system. There are also remnant scripts lying all over the system that need to be systematically removed.

  5. semaj

    O.k. I have emailed DN & am awaiting their reply.
    What do you recommend for keeping this from happening on other servers?
    Email me with any proposals. Also, how do you think this happened?
    I got a notice from a customer who said his sites were hacked & he thinks they got in through his blog.
    What do you think?
    James

  6. dgbaker

    That could possibly be.

    Send me your phone number and we will talk.
