Strange Files in /var/spool/

northservers (registered Jun 29, 2006)
Hi guys,

On all 6 of our servers (all running cPanel Release tree), somebody last night uploaded some strange files to /var/spool/ named /var/spool/.GGG/ - inside the .GGG folder was a keylogger by the looks of it, and also an output of text (including passwords). This folder was not viewable until a reboot of the server had taken place. This coincided with web sites hosted on the servers being infected with the vbs.psyme trojan which injects malicious JavaScript to the browser.

Has anyone else seen similar things over the past 48 hours, and if so has the entry point been established?

TIA

Steve
 

chirpy (Well-Known Member, Verified Vendor, registered Jun 15, 2002)
What ownership did the files have? If they're owned by root, then you've clearly suffered a root compromise and would need to restore a clean OS and restore accounts from backup and get the server security locked down. If they're owned by a non-root user it should help you in finding out how the hackers got in.
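Since the first thing to establish is who owns the hidden directory, here is a small audit helper (an added example, not posted by either participant) that lists dot-directories under a spool path and reports the owner and modification time of each. It assumes GNU coreutils `stat`; note that if a rootkit is hiding the directory from the running kernel, as the "not viewable until a reboot" symptom suggests, `find` on the live system will not see it either, so run it after the reboot or against a mounted copy of the disk.

```shell
#!/bin/sh
# Hypothetical helper (added example): report hidden dot-directories under a
# spool tree with their owner, so the root-vs-user-owned question can be
# answered quickly. Usage: audit_hidden_dirs /var/spool
audit_hidden_dirs() {
    dir="$1"
    # -mindepth 1 skips the spool root itself; -name '.*' catches names like .GGG
    find "$dir" -mindepth 1 -type d -name '.*' 2>/dev/null | while IFS= read -r d; do
        # GNU stat: %u numeric uid, %U owner name, %y last modification time
        uid=$(stat -c '%u' "$d" 2>/dev/null) || continue
        owner=$(stat -c '%U' "$d" 2>/dev/null)
        mtime=$(stat -c '%y' "$d" 2>/dev/null)
        if [ "$uid" -eq 0 ]; then
            verdict="ROOT-OWNED: assume root compromise, rebuild from a clean OS"
        else
            verdict="user-owned (uid $uid): trace how that account was abused"
        fi
        printf '%s\t%s\t%s\t%s\n' "$d" "$owner" "$mtime" "$verdict"
    done
}

# count_hidden_dirs DIR -> number of hidden directories found (handy in scripts)
count_hidden_dirs() {
    audit_hidden_dirs "$1" | wc -l | tr -d ' '
}
```

Each reported line carries the modification time as well, which gives a starting point for the timeline when you go looking for the entry point in the web and FTP logs.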