[Security] Urgent - malicious user!

Discussion in 'Security' started by Radio_Head, Jun 19, 2003.

    AVOID THIS IP : uber.neeksor.com / 64.246.40.27

    Hello,

    Some days ago a user "contentc" opened an account.

    Well today executing ..
    last|head -n10000 | grep pts

    I found this (!)

    contentc pts/0 uber.neeksor.com Sat Jun 7 11:31 - 11:32 (00:00)

    Since I am NOT providing SSH access, I have to understand how it could be possible for contentc to log in on pts/0 (!!!!).

    On their cgi-bin I found

    -rw------- 1 contentc contentc 1191936 Jun 18 04:05 core
    -rwxr-xr-x 1 contentc contentc 790819 Jun 16 14:22 guestbook.cgi*
    -rwxr-xr-x 1 contentc contentc 750 Jun 7 11:32 t.cgi*

    t.cgi (a simple Perl file to execute shell commands via browser)

    I am worried about core. Perhaps he is trying to catch the root
    password by analyzing core?

    I suspended the account; however, I think he could have created some damage, so I am worried. C compilers are off, PHP safe mode is on.
    I analyzed log files for the "content" user, however I didn't find signals
    .. he used guestbook (probably taking advantage of guestbook exploits) then used t.cgi, but I don't know in which way.

    Any help/suggestion will be appreciated !

    #1 Radio_Head, Jun 19, 2003
    Last edited: Jun 19, 2003
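
The manual check from the post (`last | ... | grep pts`), as an added example that is not part of the original post: it cross-references `last` output with the passwd file and reports pts sessions for accounts whose login shell is non-interactive. The passwd entries, the admin1 account and the noshell assignment for contentc are constructed sample data; only the contentc `last` line comes from the post.

```shell
#!/bin/sh
# Flag pts sessions in `last` output that belong to accounts whose passwd
# shell is non-interactive (nologin, false, or cPanel's noshell).

# usage: flag_pts_logins LAST_OUTPUT_FILE PASSWD_FILE
# prints: user tty host shell   (one line per suspicious session)
flag_pts_logins() {
    awk '
        # Pass 1: passwd file. Record the login shell (field 7) per account.
        pass == 1 { split($0, f, ":"); shell[f[1]] = f[7]; next }
        # Pass 2: last output. Only pseudo-terminal sessions are of interest.
        $2 ~ /^pts\// && ($1 in shell) &&
            shell[$1] ~ /\/(nologin|false|noshell)$/ {
            print $1, $2, $3, shell[$1]
        }
    ' pass=1 "$2" pass=2 "$1"
}

# Constructed sample data; only the contentc `last` line is from the post.
sample_run() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin1:x:500:500::/home/admin1:/bin/bash
contentc:x:32010:32010::/home/contentc:/usr/local/cpanel/bin/noshell
EOF
    cat > "$dir/last" <<'EOF'
admin1   pts/1        203.0.113.5      Wed Jun 18 09:10 - 09:40  (00:30)
root     tty1                          Mon Jun  9 08:00 - 08:05  (00:05)
contentc pts/0        uber.neeksor.com Sat Jun  7 11:31 - 11:32  (00:00)
reboot   system boot  2.4.20           Sun Jun  1 03:00          (18+00:00)
EOF
    flag_pts_logins "$dir/last" "$dir/passwd"
    rm -rf "$dir"
}

sample_run
```

On a live server the two inputs would be the saved output of `last` and a copy of `/etc/passwd`; a hit means a terminal session was recorded for an account that should not be able to open one.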