The Community Forums


Folding@Home (fah) - trojan?

Discussion in 'General Discussion' started by metula, Sep 17, 2008.

  1. metula

    metula, Member (Joined: Jan 19, 2005; Messages: 5; Likes Received: 0; Trophy Points: 1)
    Hi - we noticed a script running on our CPanel box this morning called:

    FahCore_a0.exe

    It was decompressed into the /tmp folder and executed by the nobody user.

    There are really only two ways this could happen - i) CPanel executed the program or ii) a user exploited the CPanel server, uploaded, extracted and executed the program.

    I don't like either scenario - does anyone know anything about it?

    Folding@Home appears to be a Stanford University project using distributed computing to perform computationally intensive protein folding algorithms...
     
  2. Freezer

    Freezer, Well-Known Member (Joined: Jun 13, 2005; Messages: 120; Likes Received: 0; Trophy Points: 16; Location: Den Haag)
    I think option 2, because I don't see a reason for cPanel to participate in the FAH project.
     
  3. rrwh

    rrwh, Well-Known Member (Joined: Oct 2, 2004; Messages: 48; Likes Received: 0; Trophy Points: 6)
    Now a quick guess - someone is trying to use exploited machines - such as yours to run FAH so they can get the best bragging rights for the amount of units processed. Somewhere, there will be a config file that links this to a fah user. If you use that info and go back to the FAH project you will certainly get a lot of info on the person/s responsible.

    You did make a copy of everything didn't you?
     
  4. DigitalN

    DigitalN, Well-Known Member (Joined: Sep 23, 2004; Messages: 420; Likes Received: 1; Trophy Points: 18)
    Wrong... try looking at your customers or your PHP scripts and update them; the fact that it is running as 'nobody' gives this away.
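    The two practical points raised in this thread are that the binary was running out of /tmp under the web server's unprivileged account ('nobody'), and that the process's working directory and config files should be copied before anything is killed. The following script is an added example, not code from any poster or from cPanel, that does both on a Linux host: it walks /proc for processes whose executable or working directory sits in scratch space (or that run as 'nobody' from outside normal system paths) and preserves the binary, command line, open file descriptors and the scratch working directory with SHA-256 hashes. The scratch directory list, the `nobody` account name, the evidence directory and the `TRIAGE_RUN` switch are assumptions for this example; `stat -c %U` and `sha256sum` are GNU coreutils as found on a typical cPanel (RHEL/CentOS-family) box.

```shell
#!/bin/sh
# Added triage example (not from the thread or from cPanel). Lists processes
# executing from scratch space and preserves evidence before cleanup.

SCRATCH_DIRS="/tmp /var/tmp /dev/shm"          # assumed scratch locations
WEB_USER="nobody"                               # unprivileged web server account on this box
EVIDENCE_DIR="${EVIDENCE_DIR:-/root/evidence-$(date +%Y%m%d-%H%M%S)}"  # assumed evidence location

# Return 0 (true) when a path is one of the scratch directories or lies under one.
in_scratch_dir() {
    p="$1"
    for d in $SCRATCH_DIRS; do
        case "$p" in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# Return 0 when a process (owner, exe path, cwd) deserves a look: it executes
# from or works in scratch space, or it is the web server account running a
# binary that is not installed in a normal system location.
suspicious_process() {
    owner="$1"; exe="$2"; cwd="$3"
    if in_scratch_dir "$exe" || in_scratch_dir "$cwd"; then
        return 0
    fi
    if [ "$owner" = "$WEB_USER" ]; then
        case "$exe" in
            /usr/*|/bin/*|/sbin/*|/lib*|/opt/*) return 1 ;;
            *) return 0 ;;
        esac
    fi
    return 1
}

# Walk /proc and print matching processes as: pid owner exe cwd
# Processes whose links cannot be read (other users, already exited) are skipped.
scan_proc() {
    for pd in /proc/[0-9]*; do
        pid="${pd#/proc/}"
        exe=$(readlink "$pd/exe" 2>/dev/null) || continue
        cwd=$(readlink "$pd/cwd" 2>/dev/null) || continue
        owner=$(stat -c %U "$pd" 2>/dev/null) || continue
        if suspicious_process "$owner" "$exe" "$cwd"; then
            printf '%s %s %s %s\n' "$pid" "$owner" "$exe" "$cwd"
        fi
    done
}

# Copy the binary (via /proc/<pid>/exe if the file on disk was unlinked), the
# command line, the open descriptors and the scratch working directory that
# typically holds the client's config, then hash everything collected.
preserve() {
    pid="$1"; exe="$2"; cwd="$3"
    out="$EVIDENCE_DIR/$pid"
    mkdir -p "$out"
    cp -p "$exe" "$out/" 2>/dev/null || cp -p "/proc/$pid/exe" "$out/exe.bin"
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$out/cmdline.txt"
    ls -l "/proc/$pid/fd" > "$out/fds.txt" 2>/dev/null
    if in_scratch_dir "$cwd"; then
        tar -czf "$out/cwd.tgz" -C "$cwd" . 2>/dev/null
    fi
    sha256sum "$out"/* > "$out/sha256.txt"
}

main() {
    scan_proc | while read -r pid owner exe cwd; do
        echo "suspicious: pid=$pid user=$owner exe=$exe cwd=$cwd"
        preserve "$pid" "$exe" "$cwd"
    done
}

# Only scan and copy when explicitly asked, so the functions can be sourced safely.
if [ "${TRIAGE_RUN:-0}" = 1 ]; then
    main
fi
```

    Run it as root with `TRIAGE_RUN=1 sh triage.sh` before stopping the process; the evidence directory is what you would take back to the project (for the user name in the client config) and to the customer whose PHP script or upload directory let the archive land in /tmp.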
     