The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Strange script in /tmp

Discussion in 'Security' started by vmicovic, Jun 30, 2012.

  1. vmicovic

    vmicovic Well-Known Member

    Joined:
    Sep 4, 2007
    Messages:
    95
    Likes Received:
    0
    Trophy Points:
    56
    Hello,

    i just notice one script in tmp file "ks-script-NhuzyO" (which is root owner), which content is:

    Code:
    wget -O /usr/local/sbin/show-tech http://192.168.0.1/applications/show-tech
chmod +x /usr/local/sbin/show-tech

cat /etc/fstab | grep -v tmp > /etc/fstab.new
cat /etc/fstab | egrep -e '^LABEL=/tmp\s+|^tmpfs\s+|^\S+\s+/tmp' | sed 's/defaults/defaults,rw,nosuid,nodev,noexec/' >> /etc/fstab.new
mv /etc/fstab.new /etc/fstab

yum -y update
chkconfig network on
wget -O /etc/firstboot http://192.168.0.1/empty
chmod +x /etc/firstboot

cp /etc/rc.d/rc.local /etc/rc.d/rc.local.back

DEV=`grep -l /sys/class/net/*/address -e 00:22:64:34:75:fb | awk -F '/' '{print $5}'`

cat > /etc/rc.local <<MYFIRSTBOOT
#!/bin/sh
/etc/firstboot
rm /etc/firstboot
wget -O /dev/null -t 10 -T 3 --retry-connrefused http://192.168.0.1/cgi2/done.pl?audit=yes
mv /etc/rc.d/rc.local.back /etc/rc.d/rc.local

cat /etc/sysconfig/network-scripts/tmp.ifcfg-eth0 | sed 's/eth0/$DEV/' > /etc/sysconfig/network-scripts/ifcfg-$DEV
rm /etc/sysconfig/network-scripts/tmp.ifcfg-eth0
cat /etc/sysconfig/network-scripts/tmp.route6-eth0 | sed 's/eth0/$DEV/' > /etc/sysconfig/network-scripts/route6-$DEV
rm /etc/sysconfig/network-scripts/tmp.route6-eth0

reboot

MYFIRSTBOOT

wget -O /etc/sysconfig/network-scripts/tmp.ifcfg-eth0 http://192.168.0.1/ks/00-22-64-34-75-fb-net
wget -O /etc/sysconfig/network-scripts/tmp.route6-eth0 http://192.168.0.1/ks/00-22-64-34-75-fb-route6
wget -O /dev/null -t 10 -T 3 --retry-connrefused http://192.168.0.1/cgi2/done.pl?noPXE=1
%end
    And log file of that script (which is also in tmp folder):
    Code:
    --2012-04-28 01:15:16--  http://192.168.0.1/applications/show-tech
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 85 [text/plain]
Saving to: `/usr/local/sbin/show-tech'

     0K                                                       100% 9.36M=0s

2012-04-28 01:15:16 (9.36 MB/s) - `/usr/local/sbin/show-tech' saved [85/85]

Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirror.sov.uk.goscomb.net
 * extras: mirror.sov.uk.goscomb.net
 * updates: mirror.sov.uk.goscomb.net
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package coreutils.i386 0:5.97-34.el5_8.1 set to be updated
---> Package device-mapper-multipath.i386 0:0.4.7-48.el5_8.1 set to be updated
---> Package freetype.i386 0:2.2.1-31.el5_8.1 set to be updated
---> Package glibc.i686 0:2.5-81.el5_8.2 set to be updated
---> Package glibc-common.i386 0:2.5-81.el5_8.2 set to be updated
---> Package gnutls.i386 0:1.4.1-7.el5_8.2 set to be updated
---> Package kernel.i686 0:2.6.18-308.4.1.el5 set to be installed
---> Package kpartx.i386 0:0.4.7-48.el5_8.1 set to be updated
---> Package libgcrypt.i386 0:1.4.4-5.el5_8.2 set to be updated
---> Package libpng.i386 2:1.2.10-17.el5_8 set to be updated
---> Package libtiff.i386 0:3.8.2-14.el5_8 set to be updated
---> Package libxml2.i386 0:2.6.26-2.1.15.el5_8.2 set to be updated
---> Package nspr.i386 0:4.8.9-1.el5_8 set to be updated
---> Package nss.i386 0:3.13.1-5.el5_8 set to be updated
---> Package openssl.i686 0:0.9.8e-22.el5_8.3 set to be updated
---> Package popt.i386 0:1.10.2.3-28.el5_8 set to be updated
---> Package rpm.i386 0:4.4.2.3-28.el5_8 set to be updated
---> Package rpm-libs.i386 0:4.4.2.3-28.el5_8 set to be updated
---> Package rpm-python.i386 0:4.4.2.3-28.el5_8 set to be updated
---> Package tzdata.i386 0:2012b-3.el5 set to be updated
---> Package wget.i386 0:1.11.4-3.el5_8.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                    Arch    Version                    Repository  Size
================================================================================
Installing:
 kernel                     i686    2.6.18-308.4.1.el5         updates     19 M
Updating:
 coreutils                  i386    5.97-34.el5_8.1            updates    3.6 M
 device-mapper-multipath    i386    0.4.7-48.el5_8.1           updates    2.9 M
 freetype                   i386    2.2.1-31.el5_8.1           updates    312 k
 glibc                      i686    2.5-81.el5_8.2             updates    5.3 M
 glibc-common               i386    2.5-81.el5_8.2             updates     16 M
 gnutls                     i386    1.4.1-7.el5_8.2            updates    351 k
 kpartx                     i386    0.4.7-48.el5_8.1           updates    428 k
 libgcrypt                  i386    1.4.4-5.el5_8.2            updates    251 k
 libpng                     i386    2:1.2.10-17.el5_8          updates    241 k
 libtiff                    i386    3.8.2-14.el5_8             updates    308 k
 libxml2                    i386    2.6.26-2.1.15.el5_8.2      updates    797 k
 nspr                       i386    4.8.9-1.el5_8              updates    121 k
 nss                        i386    3.13.1-5.el5_8             updates    1.1 M
 openssl                    i686    0.9.8e-22.el5_8.3          updates    1.5 M
 popt                       i386    1.10.2.3-28.el5_8          updates     76 k
 rpm                        i386    4.4.2.3-28.el5_8           updates    1.2 M
 rpm-libs                   i386    4.4.2.3-28.el5_8           updates    929 k
 rpm-python                 i386    4.4.2.3-28.el5_8           updates     61 k
 tzdata                     i386    2012b-3.el5                updates    766 k
 wget                       i386    1.11.4-3.el5_8.1           updates    582 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade      20 Package(s)

Total download size: 56 M
    etc.

    and at the end new date:
    Code:
    --2012-04-28 01:17:00--  http://192.168.0.1/empty
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10 [text/plain]
Saving to: `/etc/firstboot'

     0K                                                       100% 1.14M=0s

2012-04-28 01:17:00 (1.14 MB/s) - `/etc/firstboot' saved [10/10]

--2012-04-28 01:17:00--  [url]http://192.168.0.1/ks/00-22-64-34-75-fb-net[/url]
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 315 [text/plain]
Saving to: `/etc/sysconfig/network-scripts/tmp.ifcfg-eth0'

     0K                                                       100% 35.8M=0s

2012-04-28 01:17:00 (35.8 MB/s) - `/etc/sysconfig/network-scripts/tmp.ifcfg-eth0' saved [315/315]

--2012-04-28 01:17:00--  [url]http://192.168.0.1/ks/00-22-64-34-75-fb-route6[/url]
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 105 [text/plain]
Saving to: `/etc/sysconfig/network-scripts/tmp.route6-eth0'

     0K                                                       100% 15.6M=0s

2012-04-28 01:17:00 (15.6 MB/s) - `/etc/sysconfig/network-scripts/tmp.route6-eth0' saved [105/105]

--2012-04-28 01:17:00--  [url]http://192.168.0.1/cgi2/done.pl?noPXE=1[/url]
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: `/dev/null'

     0K                                                         608K=0s

2012-04-28 01:17:01 (608 KB/s) - `/dev/null' saved [4]

/tmp/ks-script-NhuzyO: line 36: fg: no job control

    Is this script of WHM or something else?
    p.s: i don`t have network 192.168.x.x

    Thank you.
     
    #1 vmicovic, Jun 30, 2012
    Last edited: Jun 30, 2012
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,622
    Likes Received:
    24
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    What does /etc/firstboot file show? This isn't a WHM script, but given it's doing things for IPv6 IP addresses, it might have been done by your datacenter, NOC or provider when they setup the machine.

    Of note, ks-script typically refers to kickstart script for setting up a machine on first boot.
     
    #2 cPanelTristan, Jun 30, 2012
  3. vmicovic

    vmicovic Well-Known Member

    Joined:
    Sep 4, 2007
    Messages:
    95
    Likes Received:
    0
    Trophy Points:
    56
    i don`t have firstboot in etc, i have in /etc/syconfig and contain:
    I will contact DC, thank you for your help.


    Br.
     
    #3 vmicovic, Jun 30, 2012
(You must log in or sign up to post here.)
Loading...
Similar Threads - Strange script
  1. Rodrigo Gomes

    Very strange IP ( 0.0.0.4) making many connections

    Rodrigo Gomes, Jun 24, 2017 at 1:02 PM, in forum: Security
    Replies:
    2
    Views:
    73
    cPanelMichael
    Jun 27, 2017 at 10:30 AM
  2. schatzman

    Something very strange with php.ini load setting..

    schatzman, Jun 15, 2017, in forum: General Discussion
    Replies:
    3
    Views:
    50
    cPanelMichael
    Jun 15, 2017
  3. Richard Copestake

    Strange cPanel / DNS issues

    Richard Copestake, Apr 20, 2017, in forum: Bind / DNS / Nameserver Issues
    Replies:
    9
    Views:
    170
    cPanelMichael
    May 4, 2017
  4. Husseincak

    SOLVED Strange "MySQL" error that consumes my entire CPU

    Husseincak, Mar 16, 2017, in forum: Database Discussions
    Replies:
    4
    Views:
    271
    cPanelMichael
    Mar 17, 2017
  5. PhilYonge

    Apache Configuration Strange Behaviour

    PhilYonge, Feb 16, 2017, in forum: EasyApache
    Replies:
    1
    Views:
    189
    cPanelMichael
    Feb 17, 2017

Share This Page