smile (Well-Known Member, Oct 2, 2004):
Hello,

For the last few hours I keep seeing a process run by a user named hnc.cgi. I killed it and then it appeared again. I searched the entire directory of the user where this process was launched but I could not find anything over there either.
The process just keeps coming up again and again.

Can somebody throw some light on this: what is this hnc.cgi process, and is it a malicious file being run?

AndyReed (Well-Known Member, PartnerNOC, May 29, 2004, Minneapolis, MN):

smile said:
    For the last few hours I keep seeing a process run by a user named hnc.cgi. I killed it and then it appeared again. I searched the entire directory of the user where this process was launched but I could not find anything over there either.
    The process just keeps coming up again and again.

/tmp is the directory where these files are saved/downloaded. I suggest you seek professional help to secure and harden your server. You can also search these forums on how to secure your server, if you're comfortable with Linux and cPanel.

smile (Well-Known Member, Oct 2, 2004):

Nothing in cgi-bin and the tmp is clean. Any other possibility that you can see?

jpetersen (Well-Known Member, Dec 31, 2006):

The one time I've seen hnc.cgi, it was in the location that ebizindia stated, which was the user's cgi-bin/ directory.

Here it is being uploaded:

Code:
Sep 25 05:52:19 host pure-ftpd: ([email protected]) [NOTICE] /home/victim//www/cgi-bin/hnc.cgi uploaded  (35024 bytes, 67.26KB/sec)

then executed:

Code:
example.com:195.189.226.220 - - [25/Sep/2008:05:52:19 -0400] "GET /cgi-bin/hnc.cgi HTTP/1.0" 200 1 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

and then removed:

Code:
Sep 25 05:52:20 host pure-ftpd: ([email protected]) [NOTICE] Deleted www/cgi-bin/hnc.cgi

You're not finding it on the filesystem because it's probably getting deleted immediately after being executed. Check your syslogs for any FTP activity related to the file:

# cd /var/log
# zgrep hnc.cgi messages*

edit: also check any domain logs in /usr/local/apache/domlogs for "hnc.cgi" as well.

more edit: in case I wasn't all too clear, the issue in the logs shown above occurred because the attacker had, somehow, obtained the user's cPanel password, which allowed them to upload the file via FTP. Once you find the cause of the script getting onto your server, make sure you change that user's password, tell them to never use any old passwords they've used before (since at least 1 is known by someone else), and it would probably be a good idea for the user to install/update/run a full antivirus scan on their own computer, in case that was the cause of their password getting stolen (e.g., the customer's home computer is trojaned, being keylogged, etc).

Do let us know what you find out please.
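As an added example (my own code, not anything posted in this thread), here is the upload / execute / delete correlation jpetersen describes, done over pure-ftpd syslog lines and an Apache domlog at once instead of two separate greps. The log lines inside it are constructed to look like the ones above (placeholder user "victim", RFC 5737 addresses, host "host"); the year for the syslog timestamps is an assumption you pass in, since pure-ftpd lines carry none, and it assumes both logs are written in the same local time, as on a single cPanel box.

```python
import re
from datetime import datetime

# Constructed sample lines (placeholder user/host, RFC 5737 addresses), not log data from the thread.
FTP_LOG = """\
Sep 25 05:52:19 host pure-ftpd: (victim@203.0.113.10) [NOTICE] /home/victim//www/cgi-bin/hnc.cgi uploaded  (35024 bytes, 67.26KB/sec)
Sep 25 05:52:20 host pure-ftpd: (victim@203.0.113.10) [NOTICE] Deleted www/cgi-bin/hnc.cgi
Sep 25 06:10:02 host pure-ftpd: (victim@203.0.113.10) [NOTICE] /home/victim//www/index.html uploaded  (1200 bytes, 10.00KB/sec)
"""

DOMLOG = """\
example.com:203.0.113.10 - - [25/Sep/2008:05:52:19 -0400] "GET /cgi-bin/hnc.cgi HTTP/1.0" 200 1 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
example.com:198.51.100.7 - - [25/Sep/2008:05:53:01 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# pure-ftpd NOTICE lines for uploads and deletions
FTP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@]+)@(?P<ip>[^)]+)\) \[NOTICE\] "
    r"(?:(?P<up>\S+) uploaded|Deleted (?P<del>\S+))"
)
# cPanel domlog: "vhost:client - - [ts] "METHOD uri proto" status ..."
WEB_RE = re.compile(
    r"^(?P<vhost>[^:\s]+):(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def _syslog_time(ts, year):
    # syslog timestamps have no year; the caller supplies it (assumption)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def _apache_time(ts):
    # drop the UTC offset so both logs compare as the same local time (assumption)
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)


def build_timeline(name, ftp_log, domlog, year=2008):
    """Return every FTP and web-log event that touches a file called `name`, oldest first."""
    events = []
    for line in ftp_log.splitlines():
        m = FTP_RE.match(line)
        if not m:
            continue
        path = m.group("up") or m.group("del")
        if not path.endswith("/" + name):
            continue
        events.append({
            "time": _syslog_time(m.group("ts"), year),
            "source": "pure-ftpd",
            "action": "uploaded" if m.group("up") else "deleted",
            "ip": m.group("ip"),
            "user": m.group("user"),
            "path": path,
        })
    for line in domlog.splitlines():
        m = WEB_RE.match(line)
        if not m or not m.group("uri").split("?")[0].endswith("/" + name):
            continue
        events.append({
            "time": _apache_time(m.group("ts")),
            "source": "apache",
            # a 200 on a cgi-bin request means the script ran; anything else is just an attempt
            "action": "executed" if m.group("status") == "200" else "requested",
            "ip": m.group("ip"),
            "user": m.group("vhost"),
            "path": m.group("uri"),
        })
    events.sort(key=lambda e: e["time"])  # stable sort keeps upload before the same-second GET
    return events


def summarize(events, window_seconds=60):
    """Flag the upload -> run -> delete pattern: a deletion within `window_seconds` of an upload, plus a 200."""
    actions = [e["action"] for e in events]
    ups = [e for e in events if e["action"] == "uploaded"]
    dels = [e for e in events if e["action"] == "deleted"]
    short_lived = any(
        0 <= (d["time"] - u["time"]).total_seconds() <= window_seconds
        for u in ups for d in dels
    )
    return {
        "uploaded": "uploaded" in actions,
        "executed": "executed" in actions,
        "deleted": "deleted" in actions,
        "pattern_hit": short_lived and "executed" in actions,
        "ips": sorted({e["ip"] for e in events}),  # source addresses to compare against the FTP login
    }


if __name__ == "__main__":
    tl = build_timeline("hnc.cgi", FTP_LOG, DOMLOG)
    for e in tl:
        print(e["time"], e["source"], e["action"], e["ip"], e["path"])
    print(summarize(tl))
```

To use it on a real box, feed it the output of the zgrep above for the FTP side and the matching domlog for the web side; the "ips" list is the thing to check against the FTP login address, since the same client doing the upload and the GET one second apart is what separates an attacker with the account password from a customer who uploaded something by mistake.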

jpetersen (Well-Known Member, Dec 31, 2006):
To break up the posts a bit, I'm making a separate reply.

To answer your question: the script could be legit, unless it's not. The one I saw is not. Check the first few lines of the script. If it looks like this:

Code:
# head -2 hnc.cgi
#!/usr/bin/perl -w
# HSH.net client
then it's a script for sending spam.

Here's a very small part of it which shows the fake mail user agent strings that the script uses:

Code:
        my $mailer =
        [
                "Exim 3.12",
                "Qmail 2.67",
                "Sendmail 3.84/3.84",
                "mLogic",
                "WebPOP 1.0",
                "Gentoo"
        ];
If you're on any spam related feedback loops like the one AOL provides, check the headers of the spam complaints. If you see any of those user agent strings in the headers, then you might have an hnc.cgi issue on your server.

If you're unable to locate the cause of the problem, I would definitely recommend hiring an admin to help you investigate.
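Added example (mine, not jpetersen's or anyone's code from this thread) for the two checks in this post: matching the two-line header of the script, and pulling the fake mailer strings out of a feedback-loop complaint. The complaint is a constructed ARF-style message (the format AOL-type feedback loops send), and it is an assumption that the script puts those strings in an X-Mailer or User-Agent header; the thread only says "user agent strings in the headers", so widen the header list if your complaints show them elsewhere.

```python
import email
from email import policy

# First two lines jpetersen quotes from the script (head -2 hnc.cgi)
SCRIPT_HEADER_MARKERS = ("#!/usr/bin/perl", "# HSH.net client")
# The fake mailer strings quoted from the script's $mailer list
SUSPECT_MAILERS = ("Exim 3.12", "Qmail 2.67", "Sendmail 3.84/3.84", "mLogic", "WebPOP 1.0", "Gentoo")
# Headers the strings are assumed to appear in (assumption; the thread does not name the header)
MAILER_HEADERS = ("X-Mailer", "User-Agent")

# Constructed sample inputs, not data from the thread.
SAMPLE_HEAD = "#!/usr/bin/perl -w\n# HSH.net client\nuse strict;\n"
RAW_COMPLAINT = """\
From: fbl@example.net
To: abuse@example.com
Subject: FW: Earn more
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="ARF"

--ARF
Content-Type: text/plain

This is an email abuse report.
--ARF
Content-Type: message/feedback-report

Feedback-Type: abuse
Version: 1
--ARF
Content-Type: message/rfc822

From: promo@example.com
To: someone@example.net
Subject: Earn more
X-Mailer: Qmail 2.67
Content-Type: text/plain

Buy now.
--ARF--
"""


def looks_like_hnc_script(text):
    """True when the first two lines of a CGI file match the header shown in the thread."""
    head = text.splitlines()[:2]
    return (
        len(head) == 2
        and head[0].startswith(SCRIPT_HEADER_MARKERS[0])
        and head[1].strip() == SCRIPT_HEADER_MARKERS[1]
    )


def find_suspect_mailers(raw_message):
    """Return (header, string) pairs for suspect mailer strings anywhere in the message.

    walk() descends into message/rfc822 attachments, so the original spam inside an
    ARF complaint is inspected as well as the wrapper.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        for hdr in MAILER_HEADERS:
            for value in part.get_all(hdr, []):
                for mailer in SUSPECT_MAILERS:
                    if mailer in value:
                        hits.append((hdr, mailer))
    return hits


if __name__ == "__main__":
    print("script header matches:", looks_like_hnc_script(SAMPLE_HEAD))
    print("suspect mailers in complaint:", find_suspect_mailers(RAW_COMPLAINT))
```

Run the first check over every file under the account's cgi-bin (reading only the first two lines keeps it cheap), and the second over a mailbox of feedback-loop complaints; a hit on either is the cue to go back to the FTP and domlog search from the previous post.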