The Community Forums


[Security] Urgent - malicious user!

Discussion in 'Security' started by Radio_Head, Jun 19, 2003.

  Radio_Head, Well-Known Member (Joined: Feb 15, 2002; Messages: 2,051; Likes Received: 1; Trophy Points: 38)

    AVOID THIS IP: uber.neeksor.com / 64.246.40.27

    Hello,

    Some days ago a user "contentc" opened an account.

    Well, today, executing
    last|head -n10000 | grep pts

    I found this (!)

    contentc pts/0 uber.neeksor.com Sat Jun 7 11:31 - 11:32 (00:00)

    Since I am NOT providing SSH access, I have to understand how it could be possible for contentc to log in on pts/0 (!!!!).

    In their cgi-bin I found

    -rw------- 1 contentc contentc 1191936 Jun 18 04:05 core
    -rwxr-xr-x 1 contentc contentc 790819 Jun 16 14:22 guestbook.cgi*
    -rwxr-xr-x 1 contentc contentc 750 Jun 7 11:32 t.cgi*

    t.cgi (a simple Perl file to execute shell commands via browser)

    I am worried about core. Perhaps he is trying to catch the root
    password by analyzing core?

    I suspended the account; however, I think he could have caused some damage, so I am worried. C compilers are off, PHP safe mode is on.
    I analyzed log files for the "contentc" user; however, I didn't find signs.
    He used guestbook (probably taking advantage of guestbook exploits), then used t.cgi, but I don't know in which way.

    Any help/suggestion will be appreciated!

    #1 Radio_Head, Jun 19, 2003
    Last edited: Jun 19, 2003
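A defender-side version of the two checks the post does by hand, added here as an example and not code from the post or from cPanel: it parses `last` output for pts sessions by accounts that were never given shell access, and flags core dumps in a cgi-bin listing. Both sample inputs are constructed, modelled on the lines quoted above; the shell allowlist is an assumption.

```python
DAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}

# Constructed `last` output, modelled on the one line quoted in the post.
SAMPLE_LAST = """\
contentc pts/0    uber.neeksor.com Sat Jun  7 11:31 - 11:32  (00:00)
admin    pts/1    203.0.113.5      Fri Jun  6 22:10 - 23:02  (00:52)
root     tty1                      Fri Jun  6 09:00 - 10:15  (01:15)
reboot   system boot  2.4.20       Fri Jun  6 08:00          (1+03:00)

wtmp begins Mon Jun  2 00:00:00 2003
"""

# Constructed `ls -l` output of the cgi-bin, taken from the post's listing.
SAMPLE_LS = """\
-rw------- 1 contentc contentc 1191936 Jun 18 04:05 core
-rwxr-xr-x 1 contentc contentc  790819 Jun 16 14:22 guestbook.cgi
-rwxr-xr-x 1 contentc contentc     750 Jun  7 11:32 t.cgi
"""


def parse_last(text):
    """Return (user, tty, host) per login record. Console logins have no host
    column, so a weekday in third position means host is ''. The reboot and
    wtmp pseudo-records are skipped."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] in ("reboot", "shutdown", "wtmp"):
            continue
        host = "" if tokens[2] in DAYS else tokens[2]
        records.append((tokens[0], tokens[1], host))
    return records


def pty_logins_by_non_shell_users(text, shell_users):
    """pts/* sessions by accounts not on the (assumed) shell allowlist: what the
    post's `last | grep pts` surfaced for 'contentc'. A pty owned by a user
    with no SSH access points at a web-facing process that spawned a shell."""
    allowed = set(shell_users)
    return sorted({(u, h) for u, t, h in parse_last(text)
                   if t.startswith("pts/") and u not in allowed})


def core_dumps(ls_text):
    """Core files in an `ls -l` listing. A core beside a CGI means a process
    crashed there; keep it for forensics and set a zero core limit for web users."""
    names = [line.split()[-1] for line in ls_text.splitlines() if line.split()]
    return [n for n in names if n.split(".")[0] == "core"]
```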
