The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Got something in my /dev/shm

Discussion in 'General Discussion' started by jameshsi, Jul 21, 2006.

  1. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    316
    Hi!
    A few days ago, I found my server had been hack, it was caused by phpbb, although I fix the hold in phpbb, but I still have these in my /dev/shm :

    drwxrwxrwt 4 root root 80 Mar 24 01:36 ./
    drwxr-xr-x 22 root root 118784 Oct 9 2005 ../
    drwxr-xr-x 3 nobody nobody 60 May 2 08:12 .b/
    drwxr-xr-x 7 nobody nobody 360 Mar 17 14:19 .dat/

    in .b :
    drwxr-xr-x 3 nobody nobody 60 May 2 08:12 ./
    drwxrwxrwt 4 root root 80 Mar 24 01:36 ../
    drwx------ 3 nobody nobody 280 May 2 08:12 emech/

    in .dat :
    drwxr-xr-x 7 nobody nobody 360 Mar 17 14:19 ./
    drwxrwxrwt 4 root root 80 Mar 24 01:36 ../
    -rwxr-xr-x 1 nobody nobody 247 Nov 13 2003 config*
    -rw------- 1 nobody nobody 929 May 7 2002 config.h
    -rwxr-xr-x 1 nobody nobody 341 Nov 13 2003 *****
    drwxr-xr-x 2 nobody nobody 1660 Nov 9 2002 help/
    -rwxr-xr-x 1 nobody nobody 202544 Nov 9 2002 httpd*
    drwxr-xr-x 2 nobody nobody 80 Nov 9 2002 lang/
    drwxr-xr-x 2 nobody nobody 80 Mar 16 18:44 log/
    drwxr-xr-x 2 nobody nobody 60 Jul 18 2000 motd/
    -rwxr-xr-x 1 nobody nobody 14306 Nov 13 2003 proc*
    -rw-r--r-- 1 nobody nobody 77 Nov 9 2002 psybnc.conf
    -rw------- 1 nobody nobody 6 Mar 16 18:44 psybnc.pid
    -rwxr-xr-x 1 nobody nobody 64 Nov 13 2003 run*
    drwxr-xr-x 3 nobody nobody 100 Nov 13 2003 scripts/
    -rw------- 1 nobody nobody 139 Mar 17 14:19 ssstt
    -rw------- 1 nobody nobody 139 Mar 17 14:19 ssstt.old
    -rwxr--r-- 1 nobody nobody 21516 Sep 26 2002 xh*

    I know these files should all be removed ASAP, but I want to know something:

    1. Just delete them , right ?
    2. Anything else should I check after remove these files ?

    James
     
    #1 jameshsi, Jul 21, 2006
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,472
    Likes Received:
    20
    Trophy Points:
    463
    Location:
    Go on, have a guess
    Yes, you should delete them. If you've found how they got in and closed the hole, that's good.

    Lastly, you should ensure that you don't have any exploit processing using those files with:

    lsof | grep /dev/shm
     
    #2 chirpy, Jul 21, 2006
  3. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    655
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    Yeah its nothing, delete the files and make sure to run nobody check to see that the processes are clean.
     
    #3 ramprage, Jul 21, 2006
  4. LiNUxG0d

    LiNUxG0d Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    206
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    Gatineau, Quebec, Canada
    Hi there,

    Errr... for you to say "Yeah its nothing, delete the files and make sure to run nobody check to see that the processes are clean." is REALLY an understatement.

    If you have an insecure script on your server and someone says, "It's nothing." believe me, they're wrong.

    An insecure script got my server connected to IRC and serving DVD movies. I cleared out 4.5 GIGS of em just today. I don't want to get you paranoid though, just off of cloud 9.

    Just be forwarned, removing them will only delay the inevitable; finding and securing your scripts will fix the problem. If this happened once, it'll probably happen again unless the hole is fixed/patched.

    PM me if you need assistance finding the hole that needs securing.

    Regards,

    Jamie
     
    #4 LiNUxG0d, Jul 26, 2006
  5. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    655
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    Having a script like this uploaded to a server is a common occurance. Make sure your scripts are updated (good luck if you have clients) and use mod_security to help. Yeah its nothing - meaning this attack is very common and see very often.
     
    #5 ramprage, Jul 27, 2006
(You must log in or sign up to post here.)
Loading...
Similar Threads - something
  1. rinkleton

    Something weird with auto SSLs

    rinkleton, Jul 11, 2017, in forum: Security
    Replies:
    4
    Views:
    81
    cPanelMichael
    Jul 12, 2017
  2. schatzman

    Something very strange with php.ini load setting

    schatzman, Jun 15, 2017, in forum: General Discussion
    Replies:
    4
    Views:
    96
    KarolosW
    Jul 14, 2017
  3. DjordjeB

    SOLVED Something kill backup proccess

    DjordjeB, Apr 14, 2017, in forum: Data Protection
    Replies:
    5
    Views:
    215
    Infopro
    Apr 15, 2017
  4. sohlinux

    ignore something being written to apache error log

    sohlinux, Sep 24, 2016, in forum: General Discussion
    Replies:
    3
    Views:
    353
    cPanelMichael
    Oct 5, 2016
  5. denverdataman

    ClamAv Claims Something is a Virus That is Not

    denverdataman, Aug 10, 2016, in forum: Security
    Replies:
    4
    Views:
    653
    Infopro
    Aug 11, 2016

Share This Page