The Community Forums

Interact with an entire community of cPanel & WHM users!

Perl Hacked

Discussion in 'Security' started by Michel Alshaer, Apr 16, 2015.

  1. Michel Alshaer

    Can someone please help? I keep getting these emails. I don't know what to do. I think the website is hacked.

    Time: Thu Apr 16 09:01:07 2015 +0300
    PID: 3569 (Parent PID:2925)
    Account: XXXXXX
    Uptime: 80080 seconds


    Executable:

    /usr/bin/perl


    Command Line (often faked in exploits):

    /usr/bin/perl -I/usr/local/bandmin\r 22.pl
     
  2. keat63

    keat63 Well-Known Member

    I see messages similar to this frequently, and it's usually after some update or another.

    I get the impression that when a program is running in memory, and an update is performed, the updated file cannot launch because the old one is still running in memory.
    Usually restarting the particular service will fix this.

    Check your logs to see if Perl has been updated at all.
    /var/log/yum.log

    Maybe Apache is the service to restart?
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I suggest you hire a security expert right away if you're unsure of the path forward. You are in trouble.
     
  4. Michel Alshaer

    How can I delete this file?
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I'm unable to assist you with this, which is why I suggested you hire someone. For all we know, your entire server is compromised; deleting that one file is most likely not enough.
     
    brittbratt likes this.
  6. Michel Alshaer

    Any security expert suggestions?
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You might want to contact your Hosting Provider for suggestions.
     
  8. Michel Alshaer

    I did this and till now I didn't receive any of those emails.
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    The message you quote from keat63 is of no use to you in this situation. That file on your server is not from a perl upgrade; it's a perl hacking script.

    Your server is compromised and that script has been running for over 22 hours.

    Stop wasting time posting here, go find a security expert.
     
    mtindor likes this.
  10. Michel Alshaer

    THANK YOU I WILL NOW
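
The alert quoted in the first post already carries the facts the replies rely on (the uptime behind "over 22 hours", the control character in the command line). The following is an added example, not part of the original thread and not code from cPanel or from whatever tool sent the e-mail: it parses that alert text and lists the triage findings. The function names and the one-hour threshold are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Alert text copied from the first post (account name already redacted there).
ALERT = r"""Time: Thu Apr 16 09:01:07 2015 +0300
PID: 3569 (Parent PID:2925)
Account: XXXXXX
Uptime: 80080 seconds
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
/usr/bin/perl -I/usr/local/bandmin\r 22.pl
"""

def parse_alert(text):
    """Pull the fields needed for triage out of the alert e-mail body."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    out = {}
    for i, ln in enumerate(lines):
        if ln.startswith("Time:"):
            out["time"] = datetime.strptime(ln[5:].strip(), "%a %b %d %H:%M:%S %Y %z")
        elif ln.startswith("PID:"):
            out["pid"], out["ppid"] = map(int, re.findall(r"\d+", ln))
        elif ln.startswith("Uptime:"):
            out["uptime"] = timedelta(seconds=int(ln.split()[1]))
        elif ln.startswith("Executable:"):
            out["exe"] = lines[i + 1]
        elif ln.startswith("Command Line"):
            out["cmdline"] = lines[i + 1]
    # Process start time = time of the alert minus reported uptime.
    out["started"] = out["time"] - out["uptime"]
    return out

def triage(a):
    """Return human-readable findings; the one-hour threshold is an assumption."""
    findings = []
    # A raw or escaped control character in the command line is not normal for an admin-run script.
    if re.search(r"[\x00-\x1f]|\\[rn0]", a["cmdline"]):
        findings.append("control character in command line")
    if a["uptime"] > timedelta(hours=1):
        findings.append(f"long-running: {a['uptime']} since {a['started']:%Y-%m-%d %H:%M:%S %z}")
    script = a["cmdline"].split()[-1]
    if "/" not in script:
        findings.append(f"script '{script}' given as relative path; resolve via /proc/{a['pid']}/cwd")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_alert(ALERT)):
        print("-", finding)
```

The computed start time is the point from which web, FTP and cron logs for the affected account are worth reviewing.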
     