Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Got something in my /dev/shm

Discussion in 'General Discussion' started by jameshsi, Jul 21, 2006.

  1. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    316
    Hi!
    A few days ago, I found my server had been hack, it was caused by phpbb, although I fix the hold in phpbb, but I still have these in my /dev/shm :

    drwxrwxrwt 4 root root 80 Mar 24 01:36 ./
    drwxr-xr-x 22 root root 118784 Oct 9 2005 ../
    drwxr-xr-x 3 nobody nobody 60 May 2 08:12 .b/
    drwxr-xr-x 7 nobody nobody 360 Mar 17 14:19 .dat/

    in .b :
    drwxr-xr-x 3 nobody nobody 60 May 2 08:12 ./
    drwxrwxrwt 4 root root 80 Mar 24 01:36 ../
    drwx------ 3 nobody nobody 280 May 2 08:12 emech/

    in .dat :
    drwxr-xr-x 7 nobody nobody 360 Mar 17 14:19 ./
    drwxrwxrwt 4 root root 80 Mar 24 01:36 ../
    -rwxr-xr-x 1 nobody nobody 247 Nov 13 2003 config*
    -rw------- 1 nobody nobody 929 May 7 2002 config.h
    -rwxr-xr-x 1 nobody nobody 341 Nov 13 2003 *****
    drwxr-xr-x 2 nobody nobody 1660 Nov 9 2002 help/
    -rwxr-xr-x 1 nobody nobody 202544 Nov 9 2002 httpd*
    drwxr-xr-x 2 nobody nobody 80 Nov 9 2002 lang/
    drwxr-xr-x 2 nobody nobody 80 Mar 16 18:44 log/
    drwxr-xr-x 2 nobody nobody 60 Jul 18 2000 motd/
    -rwxr-xr-x 1 nobody nobody 14306 Nov 13 2003 proc*
    -rw-r--r-- 1 nobody nobody 77 Nov 9 2002 psybnc.conf
    -rw------- 1 nobody nobody 6 Mar 16 18:44 psybnc.pid
    -rwxr-xr-x 1 nobody nobody 64 Nov 13 2003 run*
    drwxr-xr-x 3 nobody nobody 100 Nov 13 2003 scripts/
    -rw------- 1 nobody nobody 139 Mar 17 14:19 ssstt
    -rw------- 1 nobody nobody 139 Mar 17 14:19 ssstt.old
    -rwxr--r-- 1 nobody nobody 21516 Sep 26 2002 xh*

    I know these files should all be removed ASAP, but I want to know something:

    1. Just delete them , right ?
    2. Anything else should I check after remove these files ?

    James
     
    #1 jameshsi, Jul 21, 2006
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    Yes, you should delete them. If you've found how they got in and closed the hole, that's good.

    Lastly, you should ensure that you don't have any exploit processing using those files with:

    lsof | grep /dev/shm
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 chirpy, Jul 21, 2006
  3. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    655
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    Yeah its nothing, delete the files and make sure to run nobody check to see that the processes are clean.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 ramprage, Jul 21, 2006
  4. LiNUxG0d

    LiNUxG0d Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    206
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    Gatineau, Quebec, Canada
    Hi there,

    Errr... for you to say "Yeah its nothing, delete the files and make sure to run nobody check to see that the processes are clean." is REALLY an understatement.

    If you have an insecure script on your server and someone says, "It's nothing." believe me, they're wrong.

    An insecure script got my server connected to IRC and serving DVD movies. I cleared out 4.5 GIGS of em just today. I don't want to get you paranoid though, just off of cloud 9.

    Just be forwarned, removing them will only delay the inevitable; finding and securing your scripts will fix the problem. If this happened once, it'll probably happen again unless the hole is fixed/patched.

    PM me if you need assistance finding the hole that needs securing.

    Regards,

    Jamie
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 LiNUxG0d, Jul 26, 2006
  5. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    655
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    Having a script like this uploaded to a server is a common occurance. Make sure your scripts are updated (good luck if you have clients) and use mod_security to help. Yeah its nothing - meaning this attack is very common and see very often.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 ramprage, Jul 27, 2006
(You must log in or sign up to post here.)
Loading...
Similar Threads - something
  1. ItsMattSon

    SOLVED Something went wrong while saving this configuration: Validate class not found from basename

    ItsMattSon, Jan 31, 2018, in forum: General Discussion
    Replies:
    2
    Views:
    998
    cPanelMichael
    Feb 1, 2018
  2. jfall123

    Something has been switching my dedicated IPs to shared lately..

    jfall123, Sep 26, 2017, in forum: General Discussion
    Replies:
    2
    Views:
    292
    jfall123
    Sep 26, 2017
  3. tui

    Email Cluster or something similar

    tui, Sep 4, 2017, in forum: E-mail Discussion
    Replies:
    5
    Views:
    842
    cPanelMichael
    Sep 6, 2017
  4. rinkleton

    Something weird with auto SSLs

    rinkleton, Jul 11, 2017, in forum: Security
    Replies:
    4
    Views:
    421
    cPanelMichael
    Jul 12, 2017
  5. schatzman

    Something very strange with php.ini load setting

    schatzman, Jun 15, 2017, in forum: General Discussion
    Replies:
    4
    Views:
    992
    KarolosW
    Jul 14, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice