silentcircuit

Active Member
Nov 19, 2002
40
0
156
I kept my ssh window open today when I left to do something and when I came back there were about 20 of these broadcast messages.

"Broadcast Message from [email protected]
(no tty) at 0:05 EDT...

your box is owned via httpd. it was being used to attack servers. httpd is bein
killed via crontab. please secure your machine "

Anyone know what the problem here is and what I can do about this?

Thanks so much.
 

Website Rob

Well-Known Member
Mar 23, 2002
1,504
1
318
Alberta, Canada
cPanel Access Level
Root Administrator
Sounds like a msg. from a Tech at your DC. Contact them to make sure, although, they should have sent you an eMail msg. as well, if it was the DC.
 

silentcircuit

Gonna ask my colo to see if it is an auto message from a router or what. I don't know what it is, but it is definitely worrisome.
 

silentcircuit

The weird part is that the server is running completely fine. I don't notice anything wrong other than this crappy broadcast. What would be the best way to check for someone running a script like this?

I reinstalled apache and am still getting this message.

I also checked the cronjobs and there is nothing out of the ordinary, just default cronjobs in there. No clue what is going on.
 

silentcircuit

No, I haven't. I basically use a modified version of the default cPanel install. What would you recommend using?
 

kris1351

Well-Known Member
Apr 18, 2003
963
0
166
Lewisville, Tx
Go to http://www.rfxnetworks.com and download APF. There are many guides here on which ports to leave open and how to configure it. He has a list on his forums also.

Go to http://www.chkrootkit.org and download that to your server. Run tar xfvz chkrootkit-xxx.tar.gz then cd to chkrootkit-xxx. Do make sense then ./chkrootkit. It will tell you which rootkit you have installed. Someone has broken into your server and they are being nice at this point. You need to get the kit out if possible and get a firewall installed ASAP.
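
The cron check discussed earlier in this thread, as an added example that is not part of any post: the broadcast says httpd is being killed "via crontab", and a single `crontab -l` only shows one user's table, so this sketch greps every standard cron location for entries that call wall, kill-style commands or httpd. The function names, the path list and the match pattern are assumptions chosen for illustration, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: flag cron entries that reference wall, kill-style commands or httpd.
# Usage: sh cron_audit.sh /            (run as root so every user spool is readable)
#        sh cron_audit.sh /mnt/image   (scan a mounted copy of the disk instead)

# Standard cron locations, relative to the root being scanned (assumed list).
CRON_PATHS="etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly etc/cron.monthly var/spool/cron"

# Assumed pattern: whole-word wall/kill/killall/pkill, or any mention of httpd.
SUSPECT_RE='(^|[^[:alnum:]_])(wall|killall|pkill|kill)([^[:alnum:]_]|$)|httpd'

# scan_cron ROOT: print "file:line:entry" for each matching, non-comment cron line.
scan_cron() {
    root="${1:-/}"
    root="${root%/}"
    for rel in $CRON_PATHS; do
        p="$root/$rel"
        [ -e "$p" ] || continue
        # First grep finds candidate lines; second drops lines that are only comments.
        grep -rEnH -- "$SUSPECT_RE" "$p" 2>/dev/null \
            | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
    done
    return 0
}

# make_sample_tree: build a small constructed cron tree for trying the scan safely.
# Nothing here is taken from a real host; the entries are made up for the demo.
make_sample_tree() {
    t="$(mktemp -d)"
    mkdir -p "$t/etc/cron.d" "$t/var/spool/cron"
    printf '%s\n' '# restart httpd nightly' \
        '01 * * * * root run-parts /etc/cron.hourly' > "$t/etc/crontab"
    printf '%s\n' '*/10 * * * * killall -9 httpd; echo "please secure your machine" | wall' \
        > "$t/var/spool/cron/nobody"
    echo "$t"
}

# Scan only when a root directory is given on the command line.
if [ $# -gt 0 ]; then
    scan_cron "$1"
fi
```

Hits are candidates for review, not proof of compromise: legitimate maintenance jobs can mention httpd too, and a rootkit can hide files from grep, which is why scanning a mounted copy of the disk from a known-good system is more trustworthy.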