The Community Forums


Root Spam Problem

Discussion in 'General Discussion' started by lost, Sep 1, 2009.

  1. lost

    lost Well-Known Member

    Joined:
    Aug 19, 2003
    Messages:
    73
    Likes Received:
    0
    Trophy Points:
    6
    Hello All,
    I have an interesting issue with spam on several servers. The spam generated is sent as the root user via a perl process. I scanned the servers for malware and iframes, grepped for the IP address the spammer uses in all logs, and can't find anything. The spam happens every couple of days or so with a new IP address after I block the offending one. When the spam is under way, all I see is root running a perl process. ps -u root shows only the process number and the corresponding /usr/bin/perl. When looking at the process environment (cd /proc/xxxx, ls -sahl xxxx, cat environ), it appears that the offending IP somehow logs into the server and runs a perl process. I have changed the root pass several times, even disallowed root and set up a user to su to root, to no avail.

    Here is a sample of the proc environment I see with one of the offending IPs:

    root@lucy [/proc/23760]# cat environ
    SHELL=/bin/bash
    SSH_CLIENT=xx.xx.xx.xxx 58837 22
    USER=root
    LS_COLORS=
    MAIL=/var/mail/root
    PATH=/usr/local/jdk/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/bin:/usr/X11R6/bin
    PWD=/root
    JAVA_HOME=/usr/local/jdk
    EDITOR=pico
    SHLVL=1
    HOME=/root
    LS_OPTIONS=--color=tty -F -a -b -T 0
    LOGNAME=root
    VISUAL=pico
    CLASSPATH=.:/usr/local/jdk/lib/classes.zip
    SSH_CONNECTION=xx.xx.xx.xxx 58837 xx.xx.xx.xxx 22
    _=/usr/bin/perl
    root@lucy [/proc/23760]#

    Has anyone seen this before and/or can anyone help me with this?

    Thanks
    Lost
     
    #1 lost, Sep 1, 2009
    Last edited: Sep 1, 2009
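The manual check in the post above (find the root-owned perl process, then read its /proc/<pid>/environ for SSH_CLIENT / SSH_CONNECTION) can be scripted so it runs on a schedule and records the origin before the process exits. The script below is an added example, not code from the thread or from cPanel; it assumes a Linux /proc layout and uses a constructed environ blob with documentation IPs (192.0.2.x, 198.51.100.x) in place of the censored addresses. Note that /proc/<pid>/environ is NUL-separated, which is why `cat environ` prints the variables run together.

```python
#!/usr/bin/env python3
"""Added example: report processes of a given user running a given binary,
together with the SSH session (if any) they inherited their environment from.
Reading /proc/<pid>/environ of another user's process requires root."""
import os
import pwd
import sys

# Constructed sample modelled on the fused output in the post; IPs are
# RFC 5737 documentation addresses, not real hosts.
SAMPLE_ENVIRON = (
    b"SHELL=/bin/bash\x00SSH_CLIENT=192.0.2.10 58837 22\x00USER=root\x00"
    b"PWD=/root\x00SSH_CONNECTION=192.0.2.10 58837 198.51.100.5 22\x00"
    b"_=/usr/bin/perl\x00"
)


def parse_environ(raw: bytes) -> dict:
    """Split a NUL-separated environ blob into a {name: value} dict."""
    env = {}
    for entry in raw.split(b"\x00"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def ssh_origin(env: dict):
    """Return (client_ip, client_port) if the environment came from an SSH
    session, else None. SSH_CONNECTION is preferred; SSH_CLIENT is the fallback."""
    conn = env.get("SSH_CONNECTION") or env.get("SSH_CLIENT")
    if not conn:
        return None
    parts = conn.split()
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def suspicious_processes(user="root", binary="/usr/bin/perl", proc="/proc"):
    """Walk /proc and collect processes owned by `user` whose executable
    resolves to `binary`, with their cmdline, cwd and SSH origin."""
    if not os.path.isdir(proc):
        return []
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        return []
    target = os.path.realpath(binary)
    findings = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        base = os.path.join(proc, pid)
        try:
            if os.stat(base).st_uid != uid:
                continue
            # The kernel already resolves symlinks in /proc/<pid>/exe; a
            # " (deleted)" suffix means the binary was removed after start.
            exe = os.readlink(os.path.join(base, "exe")).replace(" (deleted)", "")
            if exe != target and exe != binary:
                continue
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\x00", b" ").decode("utf-8", "replace").strip()
            with open(os.path.join(base, "environ"), "rb") as f:
                env = parse_environ(f.read())
            cwd = os.readlink(os.path.join(base, "cwd"))
        except OSError:
            continue  # process exited, or not readable without root
        findings.append({
            "pid": int(pid),
            "cmdline": cmdline,
            "cwd": cwd,
            "ssh": ssh_origin(env),
        })
    return findings


if __name__ == "__main__":
    # Usage: sudo ./find_perl.py [user] [binary]
    args = sys.argv[1:3]
    for hit in suspicious_processes(*args):
        origin = "no SSH session in environ" if hit["ssh"] is None \
            else "SSH from %s port %s" % hit["ssh"]
        print("pid %d cwd=%s %s | %s" % (hit["pid"], hit["cwd"], origin, hit["cmdline"]))
```

A process that carries SSH_CONNECTION in its environment was started from (or inherited the environment of) an interactive SSH login, which is a different finding from a script kicked off by the web server or cron; those would normally show no SSH_* variables at all. Running this from cron every minute and appending the output to a file gives a timeline to match against /var/log/secure and the mail logs.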
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    For starters, I recommend you edit your post and remove the details you just posted, or at least censor the IPs shown.

    Now regarding what you ask, most of these are setup as web calls to a vulnerable script found on your server. In some cases, an account may have been compromised and a specialized script or cronjob uploaded.

    I deal with this sort of thing with clients on a daily basis and would be glad to give you a hand getting to the bottom of this and help protect you from possible future occurrences. ;)
     