The Community Forums

simple security question?

Discussion in 'Security' started by jols, Nov 29, 2007.

  1. jols

    jols Well-Known Member

    Hi,

    I found a backdoor binary in /tmp simply named "bds".

    How can I find out who put it there?

    Thanks!
     
  2. ToddShipway

    ToddShipway Well-Known Member

    Since it is in /tmp, it was most likely put there by a PHP script of some kind. You could look through the access logs in /usr/local/apache/domlogs for 'bds' to see if you can find the site that was used to upload the file.

    Code:
    grep -i bds /usr/local/apache/domlogs/*
     
  3. brianoz

    brianoz Well-Known Member

    If you're asking this, you're probably not running suphp or phpsuexec; if you were running them, the file ownership would have told you who put it there.

    There's a slight performance hit and some issues if you have a lot of scripts installed already, but it is really worth looking at making the change. Tools such as CSF/APF help too.
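
An added example, not written by any poster in this thread, that combines the two suggestions above: read the file's owner and modification time, then scan a domlog for requests that mention the file name or POSTs logged shortly before that time. The function names, the five-minute window and the sample log lines are assumptions, and the log is assumed to be in Apache's common/combined format.

```python
import os, pwd, re
from datetime import datetime, timedelta, timezone

# Apache common/combined prefix: host ident user [time] "METHOD url proto" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def file_facts(path):
    """Return (owner, mtime in UTC). Under suPHP the owner is the account;
    under mod_php it is the shared web server user. mtime can be reset by
    whoever owns the file, so treat it as a lead, not proof."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)  # uid with no passwd entry
    return owner, datetime.fromtimestamp(st.st_mtime, timezone.utc)

def suspects(lines, mtime, name, window=timedelta(minutes=5)):
    """Requests whose URL mentions `name`, plus POSTs logged within
    `window` before the file's mtime. Returns (reason, ip, method, url)."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, stamp, method, url, _status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if name.lower() in url.lower():
            hits.append(("name", ip, method, url))
        elif method == "POST" and timedelta(0) <= mtime - when <= window:
            hits.append(("time", ip, method, url))
    return hits

# Constructed sample lines, not taken from the thread.
SAMPLE = [
    '192.0.2.10 - - [29/Nov/2007:03:10:00 -0600] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Nov/2007:03:14:02 -0600] "POST /gallery/upload.php HTTP/1.1" 200 88',
    '198.51.100.7 - - [29/Nov/2007:03:15:30 -0600] "GET /gallery/view.php?f=bds HTTP/1.1" 200 12',
    '192.0.2.10 - - [29/Nov/2007:01:00:00 -0600] "POST /contact.php HTTP/1.1" 200 300',
]
SAMPLE_MTIME = datetime(2007, 11, 29, 9, 14, 5, tzinfo=timezone.utc)  # 03:14:05 -0600

if __name__ == "__main__":
    for hit in suspects(SAMPLE, SAMPLE_MTIME, "bds"):
        print(hit)
```

On a real server, pass the result of `file_facts("/tmp/bds")` and the lines of each per-domain file under /usr/local/apache/domlogs; the file whose lines match identifies the site.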
     
  4. jols

    jols Well-Known Member

    So, which is less disruptive to the hosted accounts when converting over, suphp or phpsuexec?
     
  5. AndyReed

    AndyReed Well-Known Member
  6. brianoz

    brianoz Well-Known Member

    I'd always go for suphp these days; phpsuexec has been end-of-lifed and isn't supported by cPanel any more from what I know. Suphp is a superior solution anyway.
     
  7. jols

    jols Well-Known Member

    Is suphp the same as Suhosin?
     
  8. brianoz

    brianoz Well-Known Member

    Not remotely. Spend a few minutes reading about them and you'll see (Google is your friend!!). Suhosin = PHP hardening, cuts a lot of functionality out of PHP; suphp runs PHP as individual users.
     
  9. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Correct, SuPHP has replaced phpSuExec in EasyApache 3.
     