Feb 7, 2004
Ok... I know for a fact that my server's been compromised. I'll admit that I am simply a cpanel web sys admin and not a security expert.

I have noticed that I have some rogue processes running like eggdrop and psybnc. I do not know how it was installed but I do know that it was installed under the /usr/sbin/clamav and /usr/sbin/awstats folders.

The owners of these files are clamav and awstats. I run CSF v4.66 and my server score is currently 93/122. However it was running an older version 4.2x at the time I discovered that my server was compromised.

I have since upgraded to the latest CSF version and I have upgraded cpanel to the latest release version. For some reason, it wasn't configured and normally, I do have it automatically set for cpanel and security updates.

I already managed to remove psybnc and delete the process but I see that it is still trying to run even though the directory has been deleted. I used crontab -e to see if any cronjobs are running for it but I do not see it. I'm not sure where/how to remove this completely.

Fortunately, I know about eggdrops and psybnc enough to know how to install/use/configure. But this install is very complex, I know it is a botnet of some kind but it's hard for me to understand.

Hmm, as I type this, I'm discovering more things like seeing Anope installed.

I guess the biggest question right now here is this..

- how do I find out how this was installed?
- Do I have a "hidden" user that is logging on my server uploading these files and creating these directories?
- Are clamav and awstats users that can log into the system, or are these cpanel accounts?

To me... all these files as I look through them tell more and more of a story of what's going on. But I don't want to delete so quickly to see how this has all happened.

What I do want to do right now is... stop this all so the hacker cannot use these services... and I can "comb" through these in more detail. I have a cpanel box mainly to service web clients and that's all I really use it for. I cannot take the server down because of that reason. But I do want to get to the bottom of this... fairly quickly w/o disrupting service or risk getting my server hacked more.

If anyone can advise/suggest anything.. please let me know.

[/usr/sbin/clamav/public_html]# ls -lsa
total 10492
4 drwxr-xr-x 9 root clamav 4096 Apr 26 05:16 ./
4 drwx------ 7 root clamav 4096 May 1 18:02 ../
4 drwxr-xr-x 2 root clamav 4096 Oct 27 2008 bnc/
4 drwxr-xr-x 10 root clamav 4096 May 1 17:54 cewek/
7764 -rw-r--r-- 1 root clamav 7934929 Oct 6 2008 cewek.tar.gz
4 drwxr-xr-x 2 root clamav 4096 Oct 16 2008 cgi-bin/
4 drwxr-xr-x 3 root clamav 4096 Apr 27 02:30 compile/
4 drwxr-xr-x 9 root clamav 4096 May 1 17:54 eggdrop/
2472 -rw-r--r-- 1 root clamav 2523167 Feb 4 08:09 egg.tar.gz
4 drwxr-xr-x 3 root clamav 4096 Mar 10 22:44 Network/
220 -rw-r--r-- 1 root clamav 218464 Dec 16 16:58 psy.tar.gz
4 drwxr-xr-x 7 root clamav 4096 May 1 11:25 www/


Feb 7, 2004
An update: I clicked on "Background Process Killer" and, after clicking on Save, all those eggdrop processes and psyBNC were killed. So that's a good thing... but I'm sure the guy is "tipped" that I found out.

9671 (psybnc) (deleted) /usr/sbin/awstats/public_html/cgi-bin/psyBNC/psybnc (deleted) /usr/sbin/awstats/public_html/cgi-bin/psyBNC

How do I stop the process above from starting?
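A defender-side check for the three questions in the post (which of these service accounts can actually log in, which running processes are still executing a binary that has been deleted from disk, and where a restart might be scheduled), added here as an example and not code from the thread. The passwd, process and crontab lines below are constructed samples; the comments give the live commands to feed the same functions on a real box.

```shell
#!/bin/sh
# Added example, not from the thread. Three checks for the situation above.
# Sample data below is constructed; the live commands are in the comments.

# 1) Which accounts have an interactive shell? Service users such as clamav
#    and awstats normally get /sbin/nologin or /bin/false; a real shell on one
#    of them is worth questioning.   Live: login_capable_accounts < /etc/passwd
login_capable_accounts() {
    awk -F: '$7 != "" && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }'
}

# 2) Which running processes point at an executable deleted from disk? This is
#    exactly the "(psybnc) (deleted)" entry in the update: the directory is gone
#    but the process survived. Live input, one "<pid> <exe>" line per process:
#    for p in /proc/[0-9]*; do echo "${p#/proc/} $(readlink "$p/exe")"; done
deleted_exe_pids() {
    awk '/ \(deleted\)$/ { print $1 }'
}

# 3) crontab -e shows only the invoking user's crontab. Per-user crontabs live
#    in /var/spool/cron (or /var/spool/cron/crontabs) and system ones in
#    /etc/crontab and /etc/cron.d; check them all for the suspect paths.
#    Live: cat /var/spool/cron/* /etc/crontab /etc/cron.d/* | cron_lines_referencing psyBNC
cron_lines_referencing() {
    grep -v '^[[:space:]]*#' | grep -F -- "$1"
}

# Constructed sample data (not the poster's server).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
clamav:x:101:101::/usr/sbin/clamav:/sbin/nologin
awstats:x:102:102::/usr/sbin/awstats:/bin/bash
nobody:x:99:99::/:/sbin/nologin'
SAMPLE_EXES='1 /sbin/init
9671 /usr/sbin/awstats/public_html/cgi-bin/psyBNC/psybnc (deleted)
2300 /usr/sbin/httpd'
SAMPLE_CRON='# m h dom mon dow command
*/5 * * * * /usr/sbin/awstats/public_html/cgi-bin/psyBNC/psybnc >/dev/null 2>&1
0 3 * * * /scripts/upcp'

# Run the three checks over the samples; each prints its findings.
run_checks() {
    printf '%s\n' "$SAMPLE_PASSWD" | login_capable_accounts
    printf '%s\n' "$SAMPLE_EXES"   | deleted_exe_pids
    printf '%s\n' "$SAMPLE_CRON"   | cron_lines_referencing psyBNC
}
run_checks
```

A process whose executable shows "(deleted)" can still be inspected through /proc/<pid>/exe and /proc/<pid>/cwd before it is killed, which is where the "comb through it" evidence lives.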


There are tons of ways that could have happened; unfortunately there's no way to know just by looking at that directory listing.

The server will have to be reviewed to determine how it happened, and also properly cleaned and secured to help prevent it from happening again.