Strange Files in /var/spool/

Discussion in 'General Discussion' started by northservers, Jun 29, 2006.

  1. northservers

    northservers Registered

    Jun 29, 2006
    Hi guys,

    On all 6 of our servers (all running cPanel Release tree), somebody last night uploaded some strange files to /var/spool/ named /var/spool/.GGG/ - inside the .GGG folder was a keylogger by the looks of it, and also an output of text (including passwords). This folder was not viewable until a reboot of the server had taken place. This coincided with web sites hosted on the servers being infected with the vbs.psyme trojan which injects malicious JavaScript to the browser.

    Has anyone else seen similar things over the past 48 hours, and if so has the entry point been established?


  2. chirpy

    chirpy Well-Known Member Verified Vendor

    Jun 15, 2002
    What ownership did the files have? If they're owned by root, then you've clearly suffered a root compromise and would need to restore a clean OS and restore accounts from backup and get the server security locked down. If they're owned by a non-root user it should help you in finding out how the hackers got in.
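The ownership check asked for in the reply above, as an added example that is not part of either post: it lists every hidden entry under a spool directory (such as the `.GGG` folder) with its owner and marks whether it is root-owned. The function names `triage_hidden` and `has_root_owned` are hypothetical, and GNU `find` and `stat` are assumed.

```shell
#!/bin/sh
# Added example: ownership triage of hidden entries under a spool directory.
# Assumes GNU find/stat. Function names are hypothetical.
# Usage: triage_hidden /var/spool

# triage_hidden DIR
# Prints one tab-separated line per hidden file or directory at any depth
# under DIR, including everything inside a hidden directory:
#   CLASS  UID  USER  MTIME  PATH
triage_hidden() (
    dir="${1:-/var/spool}"
    cd "$dir" || exit 1
    # Searching from "." keeps dots in DIR itself out of the match;
    # '*/.*' matches any path that has a dot-prefixed component.
    find . -mindepth 1 -path '*/.*' \
        -exec stat -c '%u %U %y %n' {} + 2>/dev/null |
    while read -r uid user day time zone path; do
        if [ "$uid" -eq 0 ]; then
            class="ROOT-OWNED"   # written with root privileges
        else
            class="NON-ROOT"     # owner name points at the account used
        fi
        printf '%s\t%s\t%s\t%s %s\t%s/%s\n' \
            "$class" "$uid" "$user" "$day" "$time" "$dir" "${path#./}"
    done
)

# has_root_owned DIR
# Exit status 0 if at least one hidden entry under DIR is owned by uid 0.
has_root_owned() {
    triage_hidden "$1" | grep -q '^ROOT-OWNED'
}
```

The first post says the folder was not viewable until a reboot, so a listing taken from the live system may be incomplete; pointing the function at the same disk mounted from known-clean media avoids relying on the suspect host.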
