Folding@Home (fah) - trojan?

Discussion in 'General Discussion' started by metula, Sep 17, 2008.

  1. metula

    metula Member

    Joined:
    Jan 19, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    151
    Hi - we noticed a script running on our cPanel box this morning called:

    FahCore_a0.exe

    It was decompressed into the /tmp folder and executed by the nobody user.

    There are really only two ways this could happen - i) cPanel executed the program or ii) a user exploited the cPanel server, uploaded, extracted and executed the program.

    I don't like either scenario - does anyone know anything about it?

    Folding@Home appears to be a Stanford University project using distributed computing to perform computationally intensive protein folding algorithms...
     
  2. Freezer

    Freezer Well-Known Member

    Joined:
    Jun 13, 2005
    Messages:
    120
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Den Haag
    I think option 2, because I don't see a reason for cPanel to participate in the FAH project.
     
  3. rrwh

    rrwh Well-Known Member

    Joined:
    Oct 2, 2004
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    156
    Now a quick guess - someone is trying to use exploited machines, such as yours, to run FAH so they can get the best bragging rights for the amount of units processed. Somewhere, there will be a config file that links this to a FAH user. If you use that info and go back to the FAH project you will certainly get a lot of info on the person/s responsible.

    You did make a copy of everything didn't you?
     
  4. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    168
    Wrong.. try looking at your customers or your php scripts and update them, the running as 'nobody' gives this away.
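
A triage sketch for the situation discussed in this thread, added here as an example and not posted by any participant: it filters a process listing for programs owned by `nobody` that were started from a temp directory, and prints the parent command so the process can be tied back to the web server. The function names, the list of temp directories and the sample listing (including the Apache path and the user `alice`) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample in the column layout of `ps -eo user,pid,ppid,args`.
sample_ps() {
    cat <<'EOF'
USER       PID  PPID COMMAND
root      2101     1 /usr/local/apache/bin/httpd -k start
nobody    2150  2101 /usr/local/apache/bin/httpd -k start
nobody    9312  2150 /tmp/FahCore_a0.exe
nobody    9313  2150 ./a.out
alice     9400     1 /tmp/build.sh
EOF
}

# flag_tmp_procs USER: read a ps listing on stdin and report USER's processes
# whose executable path is under a world-writable temp directory (SUSPECT) or
# is relative, so its real location depends on the working directory
# (CHECK-CWD). The parent's command is resolved from the same listing.
flag_tmp_procs() {
    awk -v u="${1:-nobody}" '
        NR == 1 && $1 == "USER" { next }            # skip the ps header
        { owner[$2] = $1; parent[$2] = $3; cmd[$2] = $4; order[++n] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (owner[p] != u) continue
                if (cmd[p] ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\//) tag = "SUSPECT"
                else if (cmd[p] ~ /^\.\//) tag = "CHECK-CWD"
                else continue
                pc = (parent[p] in cmd) ? cmd[parent[p]] : "?"
                printf "%s pid=%s ppid=%s parent=%s cmd=%s\n", \
                       tag, p, parent[p], pc, cmd[p]
            }
        }'
}

# Demo on the constructed listing. On a live host:
#   ps -eo user,pid,ppid,args | flag_tmp_procs nobody
sample_ps | flag_tmp_procs nobody
```

For a CHECK-CWD hit on a live Linux host, `readlink /proc/<pid>/cwd` and `readlink /proc/<pid>/exe` (run as root) show where the binary actually lives before anything is killed or removed.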
     