The Community Forums


Odd file

Discussion in 'General Discussion' started by aliensid, Jun 29, 2004.

  1. aliensid

    aliensid Member

    Joined:
    Oct 24, 2003
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    I have recently reinstalled Linux and cPanel on a box, and have noticed that there has been a very high amount of processor usage. Upon running ps aux this appeared:

    nobody 13622 49.5 0.0 1636 568 ? R 14:02 167:54 /tmp/fixed somesite.co.uk
    nobody 13624 49.5 0.0 1636 568 ? R 14:02 167:35 /tmp/fixed somesite.co.uk
    nobody 13635 49.3 0.0 1500 416 ? R 14:03 166:56 /tmp/fixed 207.46.250.119
    nobody 13638 49.3 0.0 1500 416 ? R 14:03 166:54 /tmp/fixed 207.46.250.119
    nobody 14257 49.1 0.0 1636 568 ? R 14:05 165:10 /tmp/fixed www.apache.org
    nobody 14259 49.2 0.0 1636 568 ? R 14:05 165:21 /tmp/fixed www.apache.org
    nobody 14275 49.1 0.0 1636 568 ? R 14:06 164:47 /tmp/fixed www.apache.org
    nobody 14277 49.0 0.0 1636 568 ? R 14:06 164:19 /tmp/fixed www.apache.org

    This is worrying. The file /tmp/fixed is attached to this post. (It is an exact copy with the filename changed so I could attach it.) I don't know what it is, how it got there, or what it does. In the meantime I made a file with the same name and only allowed access to it from root.

    Please advise. :confused:

    Sid.
     


  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Doesn't look good. I've opened the file in a HEX editor and the following immediately jumps out:
    Code:
    Not enough memory
    no such server
    Can't open socket
    Connection refused
    sending exploit code...
    exploit was successful!
    sorry, this site isn't vulnerable
    waiting for shell.....
    -csh/bin/sh echo hakr::0:0::/:/bin/sh >> /etc/passwd
    It would appear that someone has gained access to the server through apache and the nobody account. This would suggest there is a vulnerable PHP script on your server.

    You should do the following:

    1. Search all the /etc/httpd/domlogs/ for the term "fixed" to see if you can identify the PHP script

    2. Look at enabling phpsuexec - that way files created in /tmp will have a file ownership of the cPanel account they were created from (there may be implications enabling this for your users, but you have the security of your server to consider)

    3. Install and run chkrootkit and rootkit hunter on the server, if you haven't already

    4. Check open ports on your server and make sure that you can positively identify them all:
    netstat -lpn

    That's the minimum that I would recommend, but get on it quickly.
     
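    A defender-side triage of the first and fourth steps above, written as an added example that is not part of this thread or of cPanel's own tooling: it flags any process whose binary lives under /tmp and searches access-log lines for the term "fixed", using constructed `ps aux` and domlog samples (the function names, sample data and counting helpers are all assumptions).

```shell
#!/bin/sh
# Triage helper for the symptoms in the thread: processes executing a binary
# out of /tmp, and web-server access-log lines mentioning the suspicious name.
# Constructed sample data stands in for `ps aux` and /etc/httpd/domlogs/*.

# Constructed ps aux output (mirrors the post, plus two benign processes).
PS_SAMPLE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1500 500 ? S 14:00 0:01 init
nobody 13622 49.5 0.0 1636 568 ? R 14:02 167:54 /tmp/fixed somesite.co.uk
nobody 13635 49.3 0.0 1500 416 ? R 14:03 166:56 /tmp/fixed 207.46.250.119
nobody 2210 0.0 0.5 8000 2000 ? S 14:00 0:03 /usr/sbin/httpd'

# Constructed Apache combined-log lines, like those under /etc/httpd/domlogs/.
LOG_SAMPLE='10.0.0.5 - - [29/Jun/2004:14:01:12 +0100] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla"
10.0.0.9 - - [29/Jun/2004:14:01:58 +0100] "GET /scripts/upload.php?file=fixed HTTP/1.1" 200 88 "-" "Wget"
10.0.0.5 - - [29/Jun/2004:14:02:30 +0100] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla"'

# Print user, PID and command for every process whose executable lives under
# /tmp. Reads ps-style lines on stdin; field 11 is the command, 2 the PID.
tmp_procs() {
    awk 'NR > 1 && $11 ~ /^\/tmp\// { print $1, $2, $11 }'
}

# Print log lines containing the term (default: fixed), which is how the
# thread suggests locating the script that fetched or launched the binary.
log_hits() {
    grep -F -- "${1:-fixed}"
}

# Number of /tmp-resident processes in the sample (used by the checks).
count_tmp_procs() {
    printf '%s\n' "$PS_SAMPLE" | tmp_procs | wc -l | tr -d ' '
}

# Number of sample log lines mentioning the given term.
count_log_hits() {
    printf '%s\n' "$LOG_SAMPLE" | log_hits "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report what was found in the samples.
printf '%s\n' "$PS_SAMPLE" | tmp_procs
printf '%s\n' "$LOG_SAMPLE" | log_hits fixed
```

    On a live box, replace the two samples with `ps aux` and `cat /etc/httpd/domlogs/*` piped into the same functions.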
  3. aliensid

    aliensid Member

    Joined:
    Oct 24, 2003
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the reply. I too thought that it was some dodgy PHP script; however, after searching through the logs in /etc/httpd/domlogs/ and searching all the PHP files on the server for 'fixed', 'fix' and '/etc/fix', nothing came up. I have enabled phpsuexec and am looking at this chkrootkit thing now.

    I am wondering if, with phpsuexec, I should remove the file I made and allow it to run once more, to see exactly where it is coming from? Good plan, or daft plan?!! Because if I can identify which user it is coming from I have more chance of stopping it!

    sid.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Hmm, could be cunningly clever or a bit silly. I'm not sure. As there does seem to be a vulnerability somewhere it might be a good idea to try that. However, you are going to have to keep a very close eye on that file.
     