/ftp_scanner on the WHM server, what is it?

postcd · Jun 29, 2014

Hello,

while doing "top -c" command i found processes like these:

438641 root 19 0 97.9m 908 488 R 3.6 0.0 114:05.52 ./ftp_scanner -h .5.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438614 root 25 0 129m 944 488 R 3.3 0.0 113:58.00 ./ftp_scanner -h .1.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438617 root 21 0 113m 932 488 R 3.3 0.0 114:01.40 ./ftp_scanner -h .2.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438618 root 25 0 59256 868 488 R 3.3 0.0 113:47.55 ./ftp_scanner -h .3.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438634 root 25 0 105m 916 488 R 3.3 0.0 113:59.92 ./ftp_scanner -h .4.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438647 root 22 0 92024 900 488 R 3.3 0.0 113:59.00 ./ftp_scanner -h .6.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438652 root 25 0 75640 888 488 R 3.3 0.0 113:53.63 ./ftp_scanner -h .7.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438655 root 25 0 67448 880 488 R 3.3 0.0 113:40.89 ./ftp_scanner -h .8.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438658 root 25 0 59256 872 488 R 3.3 0.0 113:40.53 ./ftp_scanner -h .9.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
440352 root 25 0 26488 824 476 R 3.3 0.0 110:12.91 ./ftp_scanner -h 78.23.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
Click to expand...

please what does it do and why its there, which commands i should do to discover more?

when i cat that file located in /root/fb
i see amongs others:

-u Users file
-p Password file
-o Output file
-v Verbose mode
-C Check RMDIR command
-h Host/s to scan (ex 192.168.0.0/24)
-t Timeout in seconds (default 5)
-c Number of thread (default 20)
-b Store banner in output file
-d Stop bruteforce after a valid user
-s Store strange ftp reply in output file
-k Check SSH and Telnet on host with a valid user

Multi-thread FTP scanner v0.2.5 by Inode <inode@wayreth.eu.org>
Click to expand...

MisterGuru · Jun 30, 2014

I think your server has been hacked and is being used to scan for other compromised servers. that file is looking for default users on the FTP servers it's listing. It's running as root, so the hacker has got you quite hard.

You'll need to run a rootkit scanner on your server, and maybe block outbound FTP connections.

You'll also probably need to check your logs to she when this started, so you can figure out which one of your users has been compromised, and let them know.

You got some work ahead of you!!

cPanelMichael · Jun 30, 2014

Hello

I've moved this thread to the "Security" forum. You may receive more user-feedback here.

Thank you.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

/ftp_scanner on the WHM server, what is it?

postcd Well-Known Member

MisterGuru Registered

cPanelMichael Forums Analyst
Staff Member

DKIM records when clustered servers use MyDNS

Monitor server going to power state 4?

break receiving mail on your server.

Install MySQL Enterprise on server with MySQL 5.5?

Mail Server Blacklisted

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

/ftp_scanner on the WHM server, what is it?

postcd Well-Known Member

MisterGuru Registered

cPanelMichael Forums Analyst Staff Member

DKIM records when clustered servers use MyDNS

Monitor server going to power state 4?

break receiving mail on your server.

Install MySQL Enterprise on server with MySQL 5.5?

Mail Server Blacklisted

Share This Page

cPanelMichael Forums Analyst
Staff Member