Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

server load - > a ?!? top process

Discussion in 'General Discussion' started by mahdionline, Nov 17, 2004.

  1. mahdionline

    mahdionline Well-Known Member

    Joined:
    Oct 18, 2003
    Messages:
    127
    Likes Received:
    0
    Trophy Points:
    166
    Hi

    While processing, the cpu has been maxed out for more then a 6 hour period. The current load/uptime line on the server at the time of
    this email is 12:02pm up 2 days, 1:03, 0 users, load average: 4.82, 4.75, 4.73

    and in top of our process :

    ./stealth 82.78.39.226 99999999999999999999999999999999999999999

    what's this process ?

    Regard
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,470
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    Looks like a DOS hacking tool. You should be able to find it (if it's still running) quickly with:

    lsof | grep stealth

    Then kill off the running process, move the file from wherever it is and investigate how your server was breached - most likely through a vulberable perl CGI or PHP script.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. mahdionline

    mahdionline Well-Known Member

    Joined:
    Oct 18, 2003
    Messages:
    127
    Likes Received:
    0
    Trophy Points:
    166
    one of my friend check our server and say to me :

    It appears your've been compromised through /dev/shm, however it appears to be an apache exploit, and not root level. I was unable to find the aforementioned "stealth" file on your system.

    what's the /dev/shm ? and what is different between apche exploid and root level ?

    and how can I check more about this ?

    Regard
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice