The Community Forums


My server is compromised?

Discussion in 'General Discussion' started by avik, Jun 9, 2003.

  1. avik

    avik Member

    In the list of processes of the server, I have seen these processes:
    ------------------
    root 27596 0.0 0.0 2072 920 ? S 16:27 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
    nobody 28563 0.0 0.0 1380 376 ? S 16:32 0:00 ./tty
    nobody 28564 0.0 0.0 2100 1080 ttyp0 S 16:32 0:00 \_ sh -i
    -------------------

    In my terminal program (SSH) I received a message of this kind:

    ==============
    Broadcast.............................. (I remember only this)

    If you see this message, write to me to this address: "email"
    ===============

    I wrote to him. He answered that my server is hacked and that he can remove the vulnerability if I open an account for him.



    What can you advise me?

    cPanel.net Support Ticket Number:
     
  2. casey

    casey Well-Known Member

    Well don't give him an account, whatever you do!

  3. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    I would ask him how he hacked it and let us know :(

    Maybe offer a small price $20 for him to show you what he did. Then you can get his information from the payment method.

    He's not too bad to contact you, usually they just look for cc's and delete everything. So I have been told :rolleyes:.

    Sorry about your misfortune and hope all turns out well.

    I would back up the server and move everything to a new server ASAP.

  4. avik

    avik Member

    Yes, I will not open an account for him.

    I nevertheless think there is a vulnerability.
    The remote user can run commands with the rights of nobody.

  5. MattDr2

    MattDr2 Well-Known Member
    PartnerNOC

    Make sure no one on your server is running an outdated version of the PHP version of YaBB. (YaBBSE)

    There's a bug that allows users to upload scripts & compile & execute them as user nobody...

    Regards,
    Matt
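
A triage check for the process pattern quoted in the first post, as an added example that is not part of any post in this thread: it parses `ps auxf`-style lines and flags service-account processes that run from a relative path, run an interactive shell, or hold a terminal. The account list, shell list and function names are assumptions made for this illustration; the sample input is built from the three lines quoted above.

```python
import re

# Constructed sample: the three process lines quoted in the first post.
SAMPLE_PS = r"""
root 27596 0.0 0.0 2072 920 ? S 16:27 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
nobody 28563 0.0 0.0 1380 376 ? S 16:32 0:00 ./tty
nobody 28564 0.0 0.0 2100 1080 ttyp0 S 16:32 0:00 \_ sh -i
"""

# Assumption: accounts that serve web content and never log in interactively.
SERVICE_USERS = {"nobody", "apache", "www-data"}
SHELLS = {"sh", "bash", "dash", "ksh", "csh", "tcsh", "zsh"}
FOREST = re.compile(r"^[\s|]*\\_\s+")  # tree prefix drawn by `ps f`

def parse_ps(text):
    """Yield one dict per process line (USER PID ... TTY ... COMMAND)."""
    for line in text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11 or not parts[1].isdigit():
            continue  # skip header and blank lines
        yield {"user": parts[0], "pid": int(parts[1]), "tty": parts[6],
               "cmd": FOREST.sub("", parts[10])}

def reasons(proc):
    """Return the list of reasons a process looks out of place, if any."""
    argv = proc["cmd"].split()
    if proc["user"] not in SERVICE_USERS or not argv:
        return []
    exe = argv[0].lstrip("-")  # login shells appear as "-bash"
    found = []
    if exe.startswith(("./", "../")):
        found.append("relative-path executable")
    if exe.rsplit("/", 1)[-1] in SHELLS and "-i" in argv[1:]:
        found.append("interactive shell")
    if proc["tty"] != "?":
        found.append("holds a terminal")
    return found

def scan(text):
    """Map PID -> reasons for every flagged process in the listing."""
    return {p["pid"]: r for p in parse_ps(text) if (r := reasons(p))}

if __name__ == "__main__":
    for pid, why in scan(SAMPLE_PS).items():
        print(pid, ", ".join(why))
```

Each flagged PID can then be examined through `/proc/<pid>/cwd` and `/proc/<pid>/exe` to see which directory and file it was started from.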
