Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

LSM Alert problem

Discussion in 'General Discussion' started by limneos, Jun 24, 2007.

  1. limneos

    limneos Member

    Joined:
    Mar 21, 2004
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    151
    hello to all...
    I've recently asked a reinstall on my server, cause I got chkrooted with Torn8

    before and after that chkrooting happened, I was getting several LSM alerts about httpd new listening ports.

    After the reinstall, the server has been working clear until now. (I have done everything in the sticky thread "A beginner's guide on securing your server")
    However, today I got another LSM alert, saying:

    Code:
    This is an automated alert generated from whatever.domain.I.have. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.
 
Following is a summary of new Internet Server Sockets:
> tcp        0      0 0.0.0.0:1330                0.0.0.0:*                   LISTEN      28567/httpd -DSSL
> tcp        0      0 0.0.0.0:1337                0.0.0.0:*                   LISTEN      28561/httpd -DSSL
 
Following is a summary of a new Unix Domain Sockets:
no changes to Unix Domain Sockets
    I was away for a while until I saw this message, and when I entered my server, I found the load to be at 2.08 (quite high, I always work around 0.00 to 0.01) and I saw many perl processes running, probably causing the cpu load.
    I also got another LSM alert , but this time it was:

    Code:
    Following is a summary of new Internet Server Sockets:
> tcp        0      0 0.0.0.0:8000                0.0.0.0:*                   LISTEN      8871/inetd
    I killed all perl processes, I don't know if I did well but the load started to drop at once.
    when I looked for open ports, none of the listed above were open anymore.
    However, my /tmp directory had suspicious files, such as shell.pl (my antvirus at home defined it as Perl/Shellbot.A), bnc.pid , a file which held the pid 28561 of the httpd process I mentioned above, users.db , a file containing the line : U: Administrador , and some other phpx9rg4 random files.
    I'm getting really concerned about this....has someone gained shell access to my server? (yes, huh?)


    Any ideas how to prevent this from happening?
    Thank you in advance
     
    #1 limneos, Jun 24, 2007
    Last edited: Jun 24, 2007
  2. tweakservers

    tweakservers Well-Known Member

    Joined:
    Mar 30, 2006
    Messages:
    379
    Likes Received:
    0
    Trophy Points:
    166
    Before you have killed the process, do you a do a lsof to find the source of the files execution directory? It may be possible that some of your sites are being exploited which gives ways for the files to be successfully uploaded it to the server.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 tweakservers, Jun 24, 2007
  3. limneos

    limneos Member

    Joined:
    Mar 21, 2004
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    151
    thank you, that seems to come up handy...I realized I hadn't installed mod_security, I did this now , hope this could help in general terms.
     
    #3 limneos, Jun 25, 2007
  4. vavayi

    vavayi Member

    Joined:
    Aug 4, 2008
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    51
    Try this

    chown -R named:named /var/named
     
    #4 vavayi, Jan 14, 2009
(You must log in or sign up to post here.)
Loading...
Similar Threads - Alert problem
  1. CollectifHub

    New Thread lfd on hostname: High 15 minute load average alert

    CollectifHub, Dec 9, 2018 at 8:53 AM, in forum: Workarounds and Optimization
    Replies:
    1
    Views:
    72
    HostSane
    Dec 9, 2018 at 10:17 PM
  2. Eslam Fawzy

    Suspicious File Alert

    Eslam Fawzy, Nov 13, 2018, in forum: Security
    Replies:
    1
    Views:
    120
    cPanelLauren
    Nov 14, 2018
  3. USA_Webmaster

    Disable lfd email alerts for whitelisted IP?

    USA_Webmaster, Oct 30, 2018, in forum: General Discussion
    Replies:
    4
    Views:
    132
    cPanelMichael
    Oct 31, 2018
  4. Nirjonadda

    Suspicious File Alert

    Nirjonadda, Oct 30, 2018, in forum: General Discussion
    Replies:
    2
    Views:
    150
    cPanelMichael
    Oct 30, 2018
  5. tui

    SOLVED [CPANEL-23314] CSF Suspicious File Alerts (/tmp/pma_template_compiles) after V76 Update

    tui, Oct 27, 2018, in forum: Security
    Replies:
    8
    Views:
    1,406
    rpvw
    Nov 8, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice