The Community Forums


Got something in my /dev/shm

Discussion in 'General Discussion' started by jameshsi, Jul 21, 2006.

  1. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    Hi!
    A few days ago, I found my server had been hacked. It was caused by phpBB, and although I fixed the hole in phpBB, I still have these in my /dev/shm:

    drwxrwxrwt 4 root root 80 Mar 24 01:36 ./
    drwxr-xr-x 22 root root 118784 Oct 9 2005 ../
    drwxr-xr-x 3 nobody nobody 60 May 2 08:12 .b/
    drwxr-xr-x 7 nobody nobody 360 Mar 17 14:19 .dat/

    in .b :
    drwxr-xr-x 3 nobody nobody 60 May 2 08:12 ./
    drwxrwxrwt 4 root root 80 Mar 24 01:36 ../
    drwx------ 3 nobody nobody 280 May 2 08:12 emech/

    in .dat :
    drwxr-xr-x 7 nobody nobody 360 Mar 17 14:19 ./
    drwxrwxrwt 4 root root 80 Mar 24 01:36 ../
    -rwxr-xr-x 1 nobody nobody 247 Nov 13 2003 config*
    -rw------- 1 nobody nobody 929 May 7 2002 config.h
    -rwxr-xr-x 1 nobody nobody 341 Nov 13 2003 *****
    drwxr-xr-x 2 nobody nobody 1660 Nov 9 2002 help/
    -rwxr-xr-x 1 nobody nobody 202544 Nov 9 2002 httpd*
    drwxr-xr-x 2 nobody nobody 80 Nov 9 2002 lang/
    drwxr-xr-x 2 nobody nobody 80 Mar 16 18:44 log/
    drwxr-xr-x 2 nobody nobody 60 Jul 18 2000 motd/
    -rwxr-xr-x 1 nobody nobody 14306 Nov 13 2003 proc*
    -rw-r--r-- 1 nobody nobody 77 Nov 9 2002 psybnc.conf
    -rw------- 1 nobody nobody 6 Mar 16 18:44 psybnc.pid
    -rwxr-xr-x 1 nobody nobody 64 Nov 13 2003 run*
    drwxr-xr-x 3 nobody nobody 100 Nov 13 2003 scripts/
    -rw------- 1 nobody nobody 139 Mar 17 14:19 ssstt
    -rw------- 1 nobody nobody 139 Mar 17 14:19 ssstt.old
    -rwxr--r-- 1 nobody nobody 21516 Sep 26 2002 xh*

    I know these files should all be removed ASAP, but I want to know something:

    1. Just delete them, right?
    2. Is there anything else I should check after removing these files?

    James
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yes, you should delete them. If you've found how they got in and closed the hole, that's good.

    Lastly, you should ensure that you don't have any exploit processes using those files with:

    lsof | grep /dev/shm
     
  3. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Yeah, it's nothing; delete the files and make sure to run a nobody check to see that the processes are clean.
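The two checks suggested above (chirpy's `lsof | grep /dev/shm` and ramprage's "nobody check") can both be done straight from /proc. The script below is an added example and not code from the thread or from cPanel; it reads `/proc/<pid>/exe`, `cwd`, `fd/*` and `status` directly, so it also works on a box without lsof. The `proc_root` parameter is an assumption made for testing, so the functions can be pointed at a constructed fake /proc tree; on a live host you pass `/proc`.

```shell
#!/bin/sh
# Added example, not from the thread: a /proc-based version of
# "lsof | grep /dev/shm" plus a listing of processes running as nobody.
# proc_root is a parameter (assumption for testing) so the functions can be
# pointed at a fake /proc tree; on a real host it is /proc.

# Print "pid path" for every process whose exe, cwd or open file descriptor
# resolves to a path under $2 (e.g. /dev/shm). Links belonging to other
# users are unreadable without root; those are skipped silently.
procs_using_dir() {
    proc_root=$1
    target=$2
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        for link in "$d/exe" "$d/cwd" "$d"/fd/*; do
            [ -L "$link" ] || continue
            dest=$(readlink "$link" 2>/dev/null) || continue
            case "$dest" in
                "$target"|"$target"/*) printf '%s %s\n' "$pid" "$dest" ;;
            esac
        done
    done | sort -u
}

# Print "pid name" for every process whose real UID is $2, read from the
# Uid: line of /proc/<pid>/status, so processes spawned by the web server
# user can be reviewed one by one.
procs_with_uid() {
    proc_root=$1
    want_uid=$2
    for d in "$proc_root"/[0-9]*; do
        [ -f "$d/status" ] || continue
        uid=$(awk '/^Uid:/ { print $2 }' "$d/status")
        if [ "$uid" = "$want_uid" ]; then
            name=$(awk '/^Name:/ { print $2 }' "$d/status")
            printf '%s %s\n' "${d##*/}" "$name"
        fi
    done
}

# Live usage (run as root so every process's links are readable):
#   sh check_shm.sh scan
case "${1:-}" in
    scan)
        echo "== processes holding files under /dev/shm =="
        procs_using_dir /proc /dev/shm
        echo "== processes running as nobody (uid $(id -u nobody)) =="
        procs_with_uid /proc "$(id -u nobody)"
        ;;
esac
```

Anything listed by the first function should be stopped before the files are deleted, otherwise the running binary keeps its open handles and the directory is simply recreated on the next cron or IRC reconnect; the second list is the one to compare against what the web server is legitimately expected to be running.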
     
  4. LiNUxG0d

    LiNUxG0d Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    206
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Gatineau, Quebec, Canada
    Hi there,

    Errr... for you to say "Yeah its nothing, delete the files and make sure to run nobody check to see that the processes are clean." is REALLY an understatement.

    If you have an insecure script on your server and someone says, "It's nothing." believe me, they're wrong.

    An insecure script got my server connected to IRC and serving DVD movies. I cleared out 4.5 gigs of 'em just today. I don't want to get you paranoid though, just off of cloud 9.

    Just be forewarned, removing them will only delay the inevitable; finding and securing your scripts will fix the problem. If this happened once, it'll probably happen again unless the hole is fixed/patched.

    PM me if you need assistance finding the hole that needs securing.

    Regards,

    Jamie
     
  5. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Having a script like this uploaded to a server is a common occurrence. Make sure your scripts are updated (good luck if you have clients) and use mod_security to help. Yeah, it's nothing - meaning this attack is very common and seen very often.
     