Tonight, as I was doing an account audit on one of my servers, I noticed my server load suddenly spike. So I went to check out the spike, and noticed a process that was running as root. The cPanel process list showed a large number of /home directories.
So I went to SSH and ran top, and it shows root running a find command, with pretty much all my user accounts listed.
In my unknowledgeable panic, I had promptly changed the root password, though "who" only showed me, and rebooted the server. I also went ahead and disabled all cgi-bin access, and SSH jailshell access.
The process has not returned, as of yet.
Is it normal for cPanel to do this on its own, or is this evidence of some sort of compromise? With the rash of website defacements going around these days, this had me concerned, as I had never seen it before.

Example (from top):
12158 root 30 15 12948 3160 660 D 3.7 0.0 0:06.84 /usr/bin/find /home/xxxxx/public_html /home/xxxxxx/public_html /home/xxxxx/public_html /home/xx...
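Before changing passwords or rebooting (which destroys the volatile evidence), the first thing a responder wants from a process like that root find is what launched it. The helper below is an added example, not code from the original post or from cPanel; it reads the parent chain, owner, working directory and full command line straight from /proc on Linux (function names are hypothetical), so a find whose ancestry ends in crond or a cPanel daemon can be told apart from one hanging off an httpd worker or a user's shell.

```shell
#!/bin/sh
# Forensic triage helpers for a suspicious process on a Linux host (hypothetical names).
# Read from /proc rather than ps so a tampered ps binary cannot hide the answer.

# Parent PID of a process. /proc/<pid>/stat is "pid (comm) state ppid ...";
# comm may contain spaces, so strip everything up to the closing paren first.
ppid_of() {
  rest=$(sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null) || return 1
  set -- $rest
  printf '%s\n' "$2"
}

# Walk from a PID up to init and print "pid:comm <- ppid:comm <- ...".
# A scheduled job typically shows find <- sh <- crond; a chain that passes
# through a web server worker or an interactive shell deserves a closer look.
proc_ancestry() {
  pid=$1
  chain=""
  while [ "$pid" != "0" ] && [ -r "/proc/$pid/stat" ]; do
    comm=$(cat "/proc/$pid/comm" 2>/dev/null) || comm='?'
    chain="${chain}${chain:+ <- }${pid}:${comm}"
    pid=$(ppid_of "$pid") || break
  done
  printf '%s\n' "$chain"
}

# Capture the context a reboot would erase: owner, cwd, full argv, ancestry.
proc_context() {
  pid=$1
  uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
  cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
  printf 'pid=%s uid=%s cwd=%s\n' "$pid" "${uid:-?}" "$cwd"
  printf 'cmdline: '
  tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null
  echo
  printf 'ancestry: '
  proc_ancestry "$pid"
}

# Usage: sh triage.sh <pid> [<pid> ...]  (e.g. the PID top showed, 12158 in the post)
for p in "$@"; do
  proc_context "$p"
done
```

Save the output somewhere off the box before doing anything else; it is what lets you (or whoever you hand the incident to) answer "cron job or intruder" after the process is gone.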