Strange Files in /var/spool/

Discussion in 'General Discussion' started by northservers, Jun 29, 2006.

  1. northservers
    Hi guys,

    On all 6 of our servers (all running cPanel Release tree), somebody last night uploaded some strange files to /var/spool/ named /var/spool/.GGG/ - inside the .GGG folder was a keylogger by the looks of it, and also an output of text (including passwords). This folder was not viewable until a reboot of the server had taken place. This coincided with web sites hosted on the servers being infected with the vbs.psyme trojan which injects malicious JavaScript to the browser.

    Has anyone else seen similar things over the past 48 hours, and if so has the entry point been established?

    TIA

    Steve
     
  2. chirpy
    What ownership did the files have? If they're owned by root, then you've clearly suffered a root compromise and would need to restore a clean OS and restore accounts from backup and get the server security locked down. If they're owned by a non-root user it should help you in finding out how the hackers got in.
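    One way to run the ownership check chirpy describes, as an added shell example that is not from the thread (it assumes GNU or BSD stat and a find that supports -maxdepth; the spool path and owner name are parameters so it can be run against a copy or a constructed test tree):

```shell
#!/bin/sh
# Added triage helper (not from the thread): enumerate hidden directories
# directly under a spool path (the /var/spool/.GGG pattern) and report their
# owner, so a root-owned entry can be treated as a root-compromise indicator
# while a user-owned one points at which account to investigate.

# Print "owner<TAB>path" for each dot-prefixed directory directly under $1
# (defaults to /var/spool).
list_hidden_dirs() {
    dir="${1:-/var/spool}"
    # -maxdepth 1 restricts this to entries like /var/spool/.GGG; -name '.*'
    # matches only hidden names.
    find "$dir" -mindepth 1 -maxdepth 1 -type d -name '.*' 2>/dev/null |
    while IFS= read -r d; do
        # GNU stat: -c '%U' prints the owning user; BSD stat uses -f '%Su'.
        owner=$(stat -c '%U' "$d" 2>/dev/null || stat -f '%Su' "$d" 2>/dev/null)
        printf '%s\t%s\n' "${owner:-unknown}" "$d"
    done
}

# Print the hidden directories under $1 owned by user $2 (defaults to root)
# and exit 0 if any were found, 1 otherwise. With the default owner this is
# the "owned by root => root compromise" test from the reply above.
hidden_dirs_owned_by() {
    want="${2:-root}"
    list_hidden_dirs "$1" |
    awk -F'\t' -v want="$want" \
        '$1 == want { print $2; found = 1 } END { exit !found }'
}

# Usage: hidden_dirs_owned_by /var/spool root
```

    Run it from a known-clean rescue environment where possible; a compromised host's own find and stat binaries are not trustworthy.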
     