ksofirqdcon

Discussion in 'General Discussion' started by nshreders, Aug 8, 2007.

  1. nshreders
    I noticed this process running as nobody. Running /usr/sbin/lsof -p <pid> showed that it is a perl script writing to /home/domlogs/*/*log.

    Interestingly enough, googling ksofirqdcon yielded nothing. Is it safe to assume this is a backend cPanel process writing to all domlogs?
     
  2. chirpy
    No, it's not safe to assume that. The fact that it contains the characters ircd and is owned by nobody suggests to me that it's an IRC daemon exploit running on the server through a compromised PHP script.
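
A triage check for the situation in this thread, added as an example and not part of the original posts: it lists processes owned by one UID (such as `nobody`) whose displayed name does not match the binary they actually run, as with a perl interpreter showing up under another name. The function names, the sample PIDs, UID 99 and the paths in the sample tree are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Flags processes owned by one UID whose
# argv[0] does not match the binary behind /proc/<pid>/exe.
# scan_masked and build_sample are names made up for this example.

# scan_masked PROC_ROOT UID -> prints "pid argv0 exe" for each flagged process
scan_masked() {
    proc_root=$1
    want_uid=$2
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/status" ] && [ -r "$dir/cmdline" ] || continue
        uid=$(awk '/^Uid:/ { print $2; exit }' "$dir/status")
        [ "$uid" = "$want_uid" ] || continue
        # exe cannot be read for kernel threads, or for other users' processes unless root
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        exe=${exe% (deleted)}          # binary unlinked after start
        # argv[0] is the first NUL-terminated string in cmdline
        argv0=$(tr '\0' '\n' < "$dir/cmdline" | head -n 1)
        argv0=${argv0#-}               # login shells prefix argv[0] with "-"
        a=${argv0##*/}
        e=${exe##*/}
        [ -n "$a" ] || continue
        # Accept "perl" vs "perl5.x" and titles such as "nginx: worker process"
        case $a in "$e"*) continue ;; esac
        case $e in "$a"*) continue ;; esac
        printf '%s %s %s\n' "${dir##*/}" "$argv0" "$exe"
    done
    return 0
}

# Constructed sample tree standing in for /proc (PIDs, UIDs and paths are made up)
build_sample() {
    root=$(mktemp -d) || return 1
    while read -r pid uid argv0 exe; do
        mkdir "$root/$pid"
        printf 'Uid:\t%s\t%s\t%s\t%s\n' "$uid" "$uid" "$uid" "$uid" > "$root/$pid/status"
        printf '%s\0' "$argv0" > "$root/$pid/cmdline"
        ln -s "$exe" "$root/$pid/exe"
    done <<'EOF'
4021 99 ksofirqdcon /usr/bin/perl
4022 99 /usr/local/apache/bin/httpd /usr/local/apache/bin/httpd
4023 0 syslogd-x /sbin/klogd
EOF
    printf '%s\n' "$root"
}

# Demo on the sample; on a live host, as root: scan_masked /proc "$(id -u nobody)"
sample=$(build_sample) && scan_masked "$sample" 99
rm -rf "$sample"
```

A mismatch is a lead to follow up on, not a verdict: some legitimate daemons rewrite their process title, so each flagged PID still needs its open files, working directory and parent process examined.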
     