Energy Mech

Discussion in 'General Discussion' started by xrserver, Jan 29, 2008.

  1. xrserver

    xrserver Well-Known Member

    Hey,

    I keep finding the Emech files on my server. Emech is an IRC bot; I'm not exactly sure how harmful it can be, but I keep finding it. The owner of the file is one of my hosting clients, but he is not the one adding them. I have found it once in /dev/shm and once in the rvsitebuilder folder, I think. How do I stop this from running?
     
    #1 xrserver, Jan 29, 2008
    Last edited: Jan 29, 2008
  2. bsdjunk

    bsdjunk Member

    Looks to me like you have been compromised in some way. Not much you can do except find how they are getting in. The importance of keeping your servers up to date rather than having 900-day uptimes.
     
  3. xrserver

    xrserver Well-Known Member

    Well, obviously that's what I want to know. Does anybody have any idea how this is happening or how to stop it? I have deleted all copies I could find of it and haven't had problems for now, but I'm sure it will be back.
     
  4. bsdjunk

    bsdjunk Member

    If you would like help on seeing how they are getting in, you may contact me personally and I will see how/why they are getting in. My email is chris at bsdjunk dot com; my rates are decent and cheap.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    That could be, but they're getting in through his account, I would assume. I'd start there. That file itself may not be "harmful", but if someone got into your server they're doing more than just uploading a harmless file.
     
  6. bsdjunk

    bsdjunk Member

    An inexperienced user/admin will not find the cause of entry. Chances are this is caused by insecure passwords and/or old, outdated software. cPanel does its job well when it comes to security advisories, but it's up to the user to actually implement them. I have offered to help him out using commercial support if he needs/wants it.
     
  7. darren.nolan

    darren.nolan Well-Known Member

    I would suggest an insecure PHP script would let those files in, well before a username/password hack.

    Get something like CSF - get notified if someone is mucking about with logins to ftp/cpanel/etc. and failing.
     
  8. xrserver

    xrserver Well-Known Member

    I do have CSF and I know I wasn't brute forced or that anyone just guessed it. Only 2 people know my root pass, including me, and I am the only one that ever logs in to work on stuff. I believe I have this issue resolved now though; it hasn't been happening anymore.
     
  9. darren.nolan

    darren.nolan Well-Known Member

    Hence why I believe the file was let in through an insecure PHP script - rather than a direct username/password method. Did the username firstly upload a file, then unzip it? Normally the .zip or .bz file is left on your server. Search your apache logs for that zip name and you should come up with a date/time and what script let the file in.
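
The log search suggested in the last post, as an added example that is not part of the original thread: it parses Apache combined-format access log lines, URL-decodes each request, and reports when and through which script a leftover archive name was referenced. The sample lines, the archive name `kit.tar.gz` and the `/gallery/` paths are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>[^\s"]+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

# Constructed sample lines (documentation IP ranges, hypothetical paths and archive name).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jan/2008:03:12:44 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jan/2008:03:14:02 -0500] "POST /gallery/upload.php?name=kit%2Etar%2Egz HTTP/1.1" 200 312 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [28/Jan/2008:03:14:09 -0500] "GET /gallery/files/kit.tar.gz HTTP/1.1" 200 48211 "-" "libwww-perl/5.805"',
    'truncated or malformed line',
]

def find_archive_requests(lines, archive_name):
    """Return requests whose decoded URI or referer mentions archive_name, in log order."""
    needle = archive_name.lower()
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Decode %XX escapes so an encoded file name still matches.
        uri = unquote(m["uri"]).lower()
        referer = unquote(m["referer"] or "").lower()
        if needle not in uri and needle not in referer:
            continue
        hits.append({
            "time": m["time"],
            "ip": m["ip"],
            "method": m["method"],
            "script": urlsplit(m["uri"]).path,  # path without the query string
            "status": int(m["status"]),
        })
    return hits

if __name__ == "__main__":
    for hit in find_archive_requests(SAMPLE_LOG, "kit.tar.gz"):
        print(hit["time"], hit["ip"], hit["method"], hit["script"], hit["status"])
```

Access logs do not record POST bodies, so a file uploaded through a form appears only as a POST to the handling script; when the name search finds nothing, compare the archive's modification time with POST requests logged around that moment.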
     
