Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

my server is hacked

Discussion in 'General Discussion' started by jcaldera, May 1, 2009.

  1. jcaldera

    jcaldera Registered

    Feb 7, 2004
    Likes Received:
    Trophy Points:
    Ok... I know for a fact that my server's been compromised. I'll admit that I am simply a cpanel web sys admin and not a security expert.

    I have noticed that I have some rogue processes running like eggdrop and psybnc. I do not know how it was installed but I do know that it was installed under the /usr/sbin/clamav and /usr/sbin/awstats folders.

    The owners of these files are clamav and awstats. I run CSF v4.66 and my server score is currently 93/122. However it was running an older version 4.2x at the time I discovered that my server was compromised.

    I have since upgraded to the latest CSF version and I have upgraded cpanel to the latest release version. For some reason, it wasn't configured and normally, I do have it automatically set for cpanel and security updates.

    I already managed to remove psybnc and delete the process but I see that it is still trying to run even though the directory has been deleted. I used crontab -e to see if any cronjobs are running for it but I do not see it. I'm not sure where/how to remove this completely.

    Fortunately, I know about eggdrops and psybnc enough to know how to install/use/configure. But this install is very complex, I know it is a botnet of some kind but it's hard for me to understand.

    Hmm, as I type this, I'm discovering more things like seeing Anope installed.

    I guess the biggest question right now here is this..

    - how do I find out how this was installed?
    - Do I have a "hidden" user that is logging on my server uploading these files and creating these directories?
    - is clamav and awstats users that can log into the system? or are these cpanel accounts?

    To me... all these files as I look through them tell more and more of a story of what's going on. But I don't want to delete so quickly to see how this has all happened.

    What I do want to do right now is... stop this all so the hacker cannot use these services... and I can "comb" through these in more detail. I have a cpanel box mainly to service web clients and that's all I really use it for. I cannot take the server down because of that reason. But I do want to get to the bottom of this... fairly quickly w/o disrupting service or risk getting my server hacked more.

    If anyone can advise/suggest anything.. please let me know.

    [/usr/sbin/clamav/public_html]# ls -lsa
    total 10492
    4 drwxr-xr-x 9 root clamav 4096 Apr 26 05:16 ./
    4 drwx------ 7 root clamav 4096 May 1 18:02 ../
    4 drwxr-xr-x 2 root clamav 4096 Oct 27 2008 bnc/
    4 drwxr-xr-x 10 root clamav 4096 May 1 17:54 cewek/
    7764 -rw-r--r-- 1 root clamav 7934929 Oct 6 2008 cewek.tar.gz
    4 drwxr-xr-x 2 root clamav 4096 Oct 16 2008 cgi-bin/
    4 drwxr-xr-x 3 root clamav 4096 Apr 27 02:30 compile/
    4 drwxr-xr-x 9 root clamav 4096 May 1 17:54 eggdrop/
    2472 -rw-r--r-- 1 root clamav 2523167 Feb 4 08:09 egg.tar.gz
    4 drwxr-xr-x 3 root clamav 4096 Mar 10 22:44 Network/
    220 -rw-r--r-- 1 root clamav 218464 Dec 16 16:58 psy.tar.gz
    4 drwxr-xr-x 7 root clamav 4096 May 1 11:25 www/
  2. jcaldera

    jcaldera Registered

    Feb 7, 2004
    Likes Received:
    Trophy Points:
    an update.. I clicked on "Background Process Killer" and after clicking on Save. All those eggdrop processes and psyBNC was killed. So that's a good thing... but I'm sure the guy is "tipped" that I found out.

    9671 (psybnc) (deleted) /usr/sbin/awstats/public_html/cgi-bin/psyBNC/psybnc (deleted) /usr/sbin/awstats/public_html/cgi-bin/psyBNC

    How do I stop the process above from starting?
    #2 jcaldera, May 1, 2009
    Last edited: May 1, 2009
  3. PlatinumServerM

    PlatinumServerM Well-Known Member

    Jul 10, 2005
    Likes Received:
    Trophy Points:
    New Jersey, USA
    cPanel Access Level:
    Root Administrator
    There are tons of ways that could have happened, unfortunately there's no way to know just by looking at that directory listing.

    The server will have to be reviewed to determine how it happened, and also properly cleaned and secured to help prevent it from happening again.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice