
Strange script in /tmp

Discussion in 'Security' started by vmicovic, Jun 30, 2012.

  1. vmicovic

    vmicovic Well-Known Member

    Joined:
    Sep 4, 2007
    Messages:
    95
    Likes Received:
    0
    Trophy Points:
    56
    Hello,

    I just noticed a script in /tmp named "ks-script-NhuzyO" (owned by root), whose content is:

    Code:
    wget -O /usr/local/sbin/show-tech http://192.168.0.1/applications/show-tech
    chmod +x /usr/local/sbin/show-tech
    
    cat /etc/fstab | grep -v tmp > /etc/fstab.new
    cat /etc/fstab | egrep -e '^LABEL=/tmp\s+|^tmpfs\s+|^\S+\s+/tmp' | sed 's/defaults/defaults,rw,nosuid,nodev,noexec/' >> /etc/fstab.new
    mv /etc/fstab.new /etc/fstab
    
    yum -y update
    chkconfig network on
    wget -O /etc/firstboot http://192.168.0.1/empty
    chmod +x /etc/firstboot
    
    cp /etc/rc.d/rc.local /etc/rc.d/rc.local.back
    
    DEV=`grep -l /sys/class/net/*/address -e 00:22:64:34:75:fb | awk -F '/' '{print $5}'`
    
    cat > /etc/rc.local <<MYFIRSTBOOT
    #!/bin/sh
    /etc/firstboot
    rm /etc/firstboot
    wget -O /dev/null -t 10 -T 3 --retry-connrefused http://192.168.0.1/cgi2/done.pl?audit=yes
    mv /etc/rc.d/rc.local.back /etc/rc.d/rc.local
    
    cat /etc/sysconfig/network-scripts/tmp.ifcfg-eth0 | sed 's/eth0/$DEV/' > /etc/sysconfig/network-scripts/ifcfg-$DEV
    rm /etc/sysconfig/network-scripts/tmp.ifcfg-eth0
    cat /etc/sysconfig/network-scripts/tmp.route6-eth0 | sed 's/eth0/$DEV/' > /etc/sysconfig/network-scripts/route6-$DEV
    rm /etc/sysconfig/network-scripts/tmp.route6-eth0
    
    reboot
    
    MYFIRSTBOOT
    
    wget -O /etc/sysconfig/network-scripts/tmp.ifcfg-eth0 http://192.168.0.1/ks/00-22-64-34-75-fb-net
    wget -O /etc/sysconfig/network-scripts/tmp.route6-eth0 http://192.168.0.1/ks/00-22-64-34-75-fb-route6
    wget -O /dev/null -t 10 -T 3 --retry-connrefused http://192.168.0.1/cgi2/done.pl?noPXE=1
    %end
    And the log file of that script (which is also in the /tmp folder):
    Code:
    --2012-04-28 01:15:16--  http://192.168.0.1/applications/show-tech
    Connecting to 192.168.0.1:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 85 [text/plain]
    Saving to: `/usr/local/sbin/show-tech'
    
         0K                                                       100% 9.36M=0s
    
    2012-04-28 01:15:16 (9.36 MB/s) - `/usr/local/sbin/show-tech' saved [85/85]
    
    Loaded plugins: fastestmirror
    Determining fastest mirrors
     * base: mirror.sov.uk.goscomb.net
     * extras: mirror.sov.uk.goscomb.net
     * updates: mirror.sov.uk.goscomb.net
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package coreutils.i386 0:5.97-34.el5_8.1 set to be updated
    ---> Package device-mapper-multipath.i386 0:0.4.7-48.el5_8.1 set to be updated
    ---> Package freetype.i386 0:2.2.1-31.el5_8.1 set to be updated
    ---> Package glibc.i686 0:2.5-81.el5_8.2 set to be updated
    ---> Package glibc-common.i386 0:2.5-81.el5_8.2 set to be updated
    ---> Package gnutls.i386 0:1.4.1-7.el5_8.2 set to be updated
    ---> Package kernel.i686 0:2.6.18-308.4.1.el5 set to be installed
    ---> Package kpartx.i386 0:0.4.7-48.el5_8.1 set to be updated
    ---> Package libgcrypt.i386 0:1.4.4-5.el5_8.2 set to be updated
    ---> Package libpng.i386 2:1.2.10-17.el5_8 set to be updated
    ---> Package libtiff.i386 0:3.8.2-14.el5_8 set to be updated
    ---> Package libxml2.i386 0:2.6.26-2.1.15.el5_8.2 set to be updated
    ---> Package nspr.i386 0:4.8.9-1.el5_8 set to be updated
    ---> Package nss.i386 0:3.13.1-5.el5_8 set to be updated
    ---> Package openssl.i686 0:0.9.8e-22.el5_8.3 set to be updated
    ---> Package popt.i386 0:1.10.2.3-28.el5_8 set to be updated
    ---> Package rpm.i386 0:4.4.2.3-28.el5_8 set to be updated
    ---> Package rpm-libs.i386 0:4.4.2.3-28.el5_8 set to be updated
    ---> Package rpm-python.i386 0:4.4.2.3-28.el5_8 set to be updated
    ---> Package tzdata.i386 0:2012b-3.el5 set to be updated
    ---> Package wget.i386 0:1.11.4-3.el5_8.1 set to be updated
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package                    Arch    Version                    Repository  Size
    ================================================================================
    Installing:
     kernel                     i686    2.6.18-308.4.1.el5         updates     19 M
    Updating:
     coreutils                  i386    5.97-34.el5_8.1            updates    3.6 M
     device-mapper-multipath    i386    0.4.7-48.el5_8.1           updates    2.9 M
     freetype                   i386    2.2.1-31.el5_8.1           updates    312 k
     glibc                      i686    2.5-81.el5_8.2             updates    5.3 M
     glibc-common               i386    2.5-81.el5_8.2             updates     16 M
     gnutls                     i386    1.4.1-7.el5_8.2            updates    351 k
     kpartx                     i386    0.4.7-48.el5_8.1           updates    428 k
     libgcrypt                  i386    1.4.4-5.el5_8.2            updates    251 k
     libpng                     i386    2:1.2.10-17.el5_8          updates    241 k
     libtiff                    i386    3.8.2-14.el5_8             updates    308 k
     libxml2                    i386    2.6.26-2.1.15.el5_8.2      updates    797 k
     nspr                       i386    4.8.9-1.el5_8              updates    121 k
     nss                        i386    3.13.1-5.el5_8             updates    1.1 M
     openssl                    i686    0.9.8e-22.el5_8.3          updates    1.5 M
     popt                       i386    1.10.2.3-28.el5_8          updates     76 k
     rpm                        i386    4.4.2.3-28.el5_8           updates    1.2 M
     rpm-libs                   i386    4.4.2.3-28.el5_8           updates    929 k
     rpm-python                 i386    4.4.2.3-28.el5_8           updates     61 k
     tzdata                     i386    2012b-3.el5                updates    766 k
     wget                       i386    1.11.4-3.el5_8.1           updates    582 k
    
    Transaction Summary
    ================================================================================
    Install       1 Package(s)
    Upgrade      20 Package(s)
    
    Total download size: 56 M
    
    etc.

    and at the end, with a new date:
    Code:
    --2012-04-28 01:17:00--  http://192.168.0.1/empty
    Connecting to 192.168.0.1:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 10 [text/plain]
    Saving to: `/etc/firstboot'
    
         0K                                                       100% 1.14M=0s
    
    2012-04-28 01:17:00 (1.14 MB/s) - `/etc/firstboot' saved [10/10]
    
    --2012-04-28 01:17:00--  http://192.168.0.1/ks/00-22-64-34-75-fb-net
    Connecting to 192.168.0.1:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 315 [text/plain]
    Saving to: `/etc/sysconfig/network-scripts/tmp.ifcfg-eth0'
    
         0K                                                       100% 35.8M=0s
    
    2012-04-28 01:17:00 (35.8 MB/s) - `/etc/sysconfig/network-scripts/tmp.ifcfg-eth0' saved [315/315]
    
    --2012-04-28 01:17:00--  http://192.168.0.1/ks/00-22-64-34-75-fb-route6
    Connecting to 192.168.0.1:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 105 [text/plain]
    Saving to: `/etc/sysconfig/network-scripts/tmp.route6-eth0'
    
         0K                                                       100% 15.6M=0s
    
    2012-04-28 01:17:00 (15.6 MB/s) - `/etc/sysconfig/network-scripts/tmp.route6-eth0' saved [105/105]
    
    --2012-04-28 01:17:00--  http://192.168.0.1/cgi2/done.pl?noPXE=1
    Connecting to 192.168.0.1:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/plain]
    Saving to: `/dev/null'
    
         0K                                                         608K=0s
    
    2012-04-28 01:17:01 (608 KB/s) - `/dev/null' saved [4]
    
    /tmp/ks-script-NhuzyO: line 36: fg: no job control

    Is this a WHM script or something else?
    P.S.: I don't have a 192.168.x.x network.

    Thank you.
     
    #1 vmicovic, Jun 30, 2012
    Last edited: Jun 30, 2012
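The middle of the posted %post script is a /tmp hardening step: it rewrites /etc/fstab so the /tmp mount gets nosuid,nodev,noexec. Two details of that snippet are worth knowing when you review a similar kickstart: `grep -v tmp` drops every fstab line that contains the string "tmp" anywhere (a /var/tmp or a tmpfs /dev/shm entry would be removed and not re-added), and the `sed 's/defaults/.../'` only fires when the options field literally contains "defaults". The following is an added example, not code from the forum post or from cPanel: a POSIX shell/awk rewrite of the same hardening that touches only the entry whose mount point is /tmp, adds only the options that are missing, and a companion check that reports which of the three options a /tmp entry (from an fstab or from /proc/mounts) still lacks. The sample fstab is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from cPanel.
# Harden the /tmp entry of an fstab-format stream read on stdin, then
# report which hardening options a /tmp entry still lacks.

# harden_tmp_fstab: stdin = fstab text, stdout = same text with the /tmp
# line's options field extended by any of nosuid,nodev,noexec it lacks.
# Comments, blank lines and every other mount are passed through unchanged.
harden_tmp_fstab() {
    awk '
    /^[ \t]*(#|$)/ { print; next }          # comments / blank lines untouched
    $2 == "/tmp" {
        opts = $4
        split("nosuid nodev noexec", want, " ")
        for (i = 1; i <= 3; i++)
            # wrap in commas so "nodev" does not match inside another token
            if (index("," opts ",", "," want[i] ",") == 0)
                opts = opts "," want[i]
        $4 = opts                           # reassigning a field rebuilds $0
        print
        next
    }
    { print }
    '
}

# tmp_missing_opts: stdin = fstab or /proc/mounts text (both carry the mount
# point in field 2 and the options in field 4). Prints each of
# nosuid/nodev/noexec that the /tmp entry lacks, one per line; prints
# nothing when /tmp is fully hardened and "no-/tmp-entry" if /tmp is not a
# separate mount at all (then it shares the options of its parent).
tmp_missing_opts() {
    awk '
    $2 == "/tmp" {
        found = 1
        split("nosuid nodev noexec", want, " ")
        for (i = 1; i <= 3; i++)
            if (index("," $4 ",", "," want[i] ",") == 0) print want[i]
    }
    END { if (!found) print "no-/tmp-entry" }
    '
}

# Constructed sample fstab (not taken from any real host). Note the
# /var/tmp and /dev/shm lines, which the posted "grep -v tmp" would drop.
SAMPLE_FSTAB='# /etc/fstab: constructed sample
LABEL=/      /        ext3   defaults          1 1
LABEL=/tmp   /tmp     ext3   defaults          1 2
tmpfs        /dev/shm tmpfs  defaults          0 0
/dev/sda3    /var/tmp ext3   defaults,noatime  1 2'

echo "== hardened fstab =="
printf '%s\n' "$SAMPLE_FSTAB" | harden_tmp_fstab

echo "== options the sample /tmp entry lacks =="
printf '%s\n' "$SAMPLE_FSTAB" | tmp_missing_opts

# On a live Linux host, check what is actually mounted right now rather than
# what fstab promises: the fstab edit takes effect only after a remount.
if [ -r /proc/mounts ]; then
    echo "== options the live /tmp mount lacks (from /proc/mounts) =="
    tmp_missing_opts < /proc/mounts
fi
```

To apply it for real, run `harden_tmp_fstab < /etc/fstab > /etc/fstab.new`, diff the two files, move the new one into place and `mount -o remount /tmp`; then re-run `tmp_missing_opts < /proc/mounts`, since only the live mount table tells you whether noexec is in force. The functions are idempotent, so running the rewrite on an already hardened fstab changes nothing.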
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    What does /etc/firstboot file show? This isn't a WHM script, but given it's doing things for IPv6 IP addresses, it might have been done by your datacenter, NOC or provider when they setup the machine.

    Of note, ks-script typically refers to kickstart script for setting up a machine on first boot.
     
  3. vmicovic

    vmicovic Well-Known Member

    Joined:
    Sep 4, 2007
    Messages:
    95
    Likes Received:
    0
    Trophy Points:
    56
    I don't have firstboot in /etc; I have one in /etc/sysconfig and it contains:
    I will contact the DC, thank you for your help.


    Br.
     