
Root Spam Problem

Discussion in 'General Discussion' started by lost, Sep 1, 2009.

  1. lost

    lost Well-Known Member

    Aug 19, 2003
    Hello All,
    I have an interesting issue with spam on several servers. The spam generated is sent as the root user via a perl process. I scanned the servers for malware and iframes, grepped for the IP address the spammer uses in all logs, and can't find anything. The spam happens every couple of days or so with a new IP address after I block the offending one. When the spam is under way, all I see is root running a perl process. ps -u root shows only the process number and the corresponding /usr/bin/perl. When looking at the process environment (cd /proc/xxxx, ls -sahl xxxx, cat environ), it appears that the offending IP somehow logs into the server and runs a perl process. I have changed the root password several times, even disallowed root and set up a user to su to root, to no avail.

    Here is a sample of the proc environment I see with one of the offending IPs:

    root@lucy [/proc/23760]# cat environ
    SHELL=/bin/ 58837 22USER=rootLS_COLORS=MAIL=/var/mail/rootPATH=/usr/local/jdk/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/bin:/usr/X11R6/binPWD=/rootJAVA_HOME=/usr/local/jdkEDITOR=picoSHLVL=1HOME=/rootLS_OPTIONS=--color=tty -F -a -b -T 0LOGNAME=rootVISUAL=picoCLASSPATH=.:/usr/local/jdk/lib/ 58837 22_=/usr/bin/perlroot@lucy [/proc/23760]#

    Has anyone seen this before and/or can anyone help me with this?

    #1 lost, Sep 1, 2009
    Last edited: Sep 1, 2009
  2. Spiral

    Spiral BANNED

    Jun 24, 2005
    For starters, I recommend you edit your post and remove the details you just posted, or at least censor the IPs shown.

    Now regarding what you ask, most of these are set up as web calls to a vulnerable script found on your server. In some cases, an account may have been compromised and a specialized script or cronjob uploaded.

    I deal with this sort of thing with clients on a daily basis and would be glad to give you a hand getting to the bottom of this and help protect you from possible future occurrences. ;)
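The triage the original poster did by hand (ps, then cat /proc/PID/environ) can be scripted so that each root-owned perl process is dumped together with a guess at how it was launched, which separates the two explanations raised above: a web request hitting a vulnerable script leaves HTTP_*/REQUEST_URI variables in the environment, an SSH session leaves SSH_CLIENT/SSH_CONNECTION (the source address), and a cron job leaves almost nothing. This is an added example, not code from either poster; the variable names it keys on are the ones the kernel and common daemons normally export, and the test data is constructed.

```shell
#!/bin/sh
# Added example: triage root-owned perl processes via /proc, then classify
# each one from its environment variables (web request, SSH, interactive, cron).

# /proc/<pid>/environ is NUL-separated; print it one KEY=VALUE per line.
parse_environ() {
    tr '\0' '\n' < "$1"
}

# Classify the launch path from which variables are present. The names are
# standard CGI/SSH/terminal variables, assumed here rather than taken from the thread.
classify_environ() {
    env_file="$1"
    if parse_environ "$env_file" | grep -q -E '^(HTTP_HOST|REQUEST_URI|SERVER_SOFTWARE|REMOTE_ADDR)='; then
        echo "web-request"          # spawned by the web server (vulnerable script)
    elif parse_environ "$env_file" | grep -q -E '^SSH_(CLIENT|CONNECTION)='; then
        echo "ssh-login"            # came in over sshd; SSH_CLIENT holds the source address
    elif parse_environ "$env_file" | grep -q '^TERM='; then
        echo "interactive-shell"    # a terminal, but not via sshd (console, screen, su)
    else
        echo "cron-or-daemon"       # minimal environment: cron, init script, or a daemon
    fi
}

# For every live root-owned perl process, show who spawned it, where it runs
# from, and how it was most likely launched.
triage_root_perl() {
    for pid in $(ps -u root -o pid= -o comm= | awk '$2 ~ /perl/ {print $1}'); do
        p="/proc/$pid"
        [ -r "$p/environ" ] || continue
        printf 'PID %s  PPID %s\n' "$pid" "$(awk '/^PPid:/ {print $2}' "$p/status")"
        printf '  cmdline: %s\n' "$(tr '\0' ' ' < "$p/cmdline")"
        printf '  cwd: %s  exe: %s\n' "$(readlink "$p/cwd")" "$(readlink "$p/exe")"
        printf '  launch: %s\n' "$(classify_environ "$p/environ")"
        # The remote side of the session, whichever daemon recorded it.
        parse_environ "$p/environ" | grep -E '^(SSH_CLIENT|SSH_CONNECTION|REMOTE_ADDR)=' | sed 's/^/  /'
    done
}

# Run the triage only when executed directly under this file name.
case "$0" in
    *triage_perl.sh) triage_root_perl ;;
esac
```

Run it as root while the spam is being sent; the PPID (sshd, crond, httpd) and cwd of the perl process usually point at the uploaded script or compromised account faster than grepping logs for the sender's address.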
