
Is this a coincidence??

Discussion in 'Data Protection' started by leftie, Apr 4, 2007.

  1. leftie

    leftie Well-Known Member

    Joined:
    Jan 20, 2007
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    On Sunday I got this email (see after this paragraph) and then every night after that the server has crashed with high CPU and cpsrvd failure which will not restart. Am I right in thinking it is a cron job? Could it be related? Please go easy with me, I only have a basic understanding.
    PS, counter is a username for an account in WHM.


    200P Received: from root by xxxxxxxxx with local (Exim 4.63)
    (envelope-from <root@xxxxxxxxx>)
    id 1HY3EA-0000GP-Rt
    for root@xxxxxxxxx; Sun, 01 Apr 2007 18:48:36 +0200
    025* From: root (Cron Daemon)
    047F From: root@xxxxxxxxxx (Cron Daemon)
    009* To: root
    031T To: root@xxxxxxxxxxxx
    190 Subject: Cron <root@host> chown root:root /home/counter/public_html/vwar/upload/17-2 && chmod 4755 /home/counter/public_html/vwar/upload/17-2 && rm -rf /etc/cron.d/core && kill -USR1 12121
    028 X-Cron-Env: <SHELL=/bin/sh>
    080 X-Cron-Env: <PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
    025 X-Cron-Env: <HOME=/root>
    027 X-Cron-Env: <LOGNAME=root>
    024 X-Cron-Env: <USER=root>
    054I Message-Id: <E1HY3EA-0000GP-Rt@xxxxxxxxxx>
    038 Date: Sun, 01 Apr 2007 18:48:26 +0200
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That cron is indicative of a popular root compromise on older kernels. It could very well mean that the server has suffered a root compromise. You need to scan the server thoroughly for any other signs of a root compromise and if found, backup your user data, have the OS reinstalled and then restore the user data and secure the server making sure that you're running the latest OS vendor kernel (and that you're using a supported OS).
     
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    You can scan your server with rkhunter and chkrootkit applications. If the results are not good, you'll have to backup your clients' data, do OS reload, and restore your clients' accounts.
     
  4. leftie

    leftie Well-Known Member

    Joined:
    Jan 20, 2007
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Thank you, how do I run this exactly?
    I have traced the path back to a folder in an account holder's forum. It is a hacking forum so I guess they have tried something; any pointers on how to approach this?
    EDIT: my mistake, it is actually a game server/forum but the guy does have a hacking forum too.
     
    #4 leftie, Apr 11, 2007
    Last edited: Apr 11, 2007
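As an added example (not code from the thread, from cPanel/WHM, or from any of the posters), here is a small POSIX shell triage script covering chirpy's advice to scan for other signs of the same pattern and leftie's question of how to approach it. It checks cron sources for entries that chown to root, set a setuid bit, or delete a cron.d file, and lists setuid/setgid files under a directory tree such as a public_html folder, where none are expected. The cron text in SAMPLE_CRON is constructed for the demonstration; its second line reuses the command from leftie's cron mail, and the benign lines are assumed examples of ordinary entries.

```shell
#!/bin/sh
# Added example, not part of the thread and not cPanel/WHM code.
# Two defender-side checks for the pattern in the cron mail above:
#   1. cron entries that chown to root, set a setuid bit, or delete cron.d files
#   2. setuid/setgid files under a web-content tree, where none are expected
# SAMPLE_CRON is constructed for this demo; its second line reuses the
# command from the thread's mail, the other two are assumed benign entries.

# Read cron text on stdin; print lines matching the indicators. Exit status is
# grep's: 0 if anything matched, 1 if nothing did.
suspicious_cron_lines() {
    grep -E 'chown[[:space:]]+root|chmod[[:space:]]+([0-7]?4[0-7]{3}|[ugoa]*\+[rwxt]*s)|rm[[:space:]]+-[rf]+[[:space:]]+/etc/cron'
}

SAMPLE_CRON='0 3 * * * root /usr/local/cpanel/scripts/upcp --cron
* * * * * root chown root:root /home/counter/public_html/vwar/upload/17-2 && chmod 4755 /home/counter/public_html/vwar/upload/17-2 && rm -rf /etc/cron.d/core && kill -USR1 12121
30 4 * * * root /usr/bin/rkhunter --cronjob --update'

# Number of suspicious lines in the constructed sample (expected: 1).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_CRON" | suspicious_cron_lines | wc -l | tr -d ' '
}

# Scan the live system's cron sources. Paths are the usual Linux locations
# (assumption: they exist and are readable by the caller, i.e. run as root).
scan_system_cron() {
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/* 2>/dev/null \
        | suspicious_cron_lines
}

# Print regular files with the setuid or setgid bit under the given directory,
# without crossing filesystem boundaries. For /home/*/public_html the
# expected output is empty; any hit deserves a look.
setuid_files_under() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Stand-alone demo on the constructed sample.
echo "suspicious sample cron lines: $(count_sample_hits)"
printf '%s\n' "$SAMPLE_CRON" | suspicious_cron_lines || :
```

On a real server you would run `scan_system_cron` and `setuid_files_under /home` as root and treat any output as a reason to follow the thread's advice (rkhunter/chkrootkit scan, then backup and OS reload if confirmed), not as proof that the box is clean when it prints nothing: a rootkit can hide exactly these artifacts from userland tools.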
  5. david510

    david510 Well-Known Member

    Joined:
    Aug 22, 2004
    Messages:
    473
    Likes Received:
    0
    Trophy Points:
    16
  6. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    I would let chirpy's company take care of it ...

    http://www.configserver.com/

    They took care of a similar problem for me

    Actually if you have been rooted you just need to bite the bullet, backup and get an OS reload and then have http://www.configserver.com/ harden the OS for you ...
    Then reload user data

    Doug
     
  7. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    I would be glad to take a look at your server for you and find out where
    your security level really stands and "if" and "what" vulnerabilities exist.

    If your server has been compromised, I'll know about it!

    If you want my help, send me a private message because I don't always
    re-read threads in these forums and might miss your response.
     