The Community Forums


Suspicious File Alert

Discussion in 'General Discussion' started by Fakher, Oct 10, 2010.

  1. Fakher

    Fakher Member

    Suspicious File Alert - /tmp/backs

    Hi all,

    I have started to receive emails from my server like a week ago about suspicious file running on my server. This is an example email sent to me by CSF.

    lfd on Phoenix.offshoredns.net: Suspicious File Alert

    Time: Sun Oct 10 14:10:47 2010 +0400
    File: /tmp/bds
    Reason: Binary executable
    Owner: hostingp:hostingp (937:933)
    Action: No action taken

    Time: Sun Oct 10 15:11:01 2010 +0400
    File: /tmp/backs
    Reason: Script, starts with #!
    Owner: hostingp:hostingp (937:933)
    Action: No action taken



    It's a trojan. I tried to delete it but it comes back again...
    What to do?

    Please advise....

    Regards
    Fakher
     
    #1 Fakher, Oct 10, 2010
    Last edited: Oct 10, 2010
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    cPanel Access Level:
    DataCenter Provider
    One of your users has a vulnerable PHP script.

    If you are running suPHP, see what user it is:

    Code:
    ls -l /tmp/bds
     
  3. Fakher

    Fakher Member

    I have terminated the user....
    Still getting alerts....

    How to remove these things now?

    Regards
    Fakher
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello Fakher,

    If you've already removed all files in /tmp that were owned by hostingp, then you might want to see if there are any processes still running for that user on the system:

    Code:
    ps aux|grep hostingp

    Otherwise, run a find for any files and folders still owned by that user, although it would be strange for the user to own anything if they are terminated:

    Code:
    find / -user hostingp

    Please note that a find of this nature is going to take a long time to process.

    Please do check the user is actually terminated:

    Code:
    grep hostingp /etc/passwd
    grep hostingp /etc/group
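
The checks from this thread pulled together into one script, as an added example that is not code from the thread, from CSF/lfd or from cPanel. The function names (owners_from_alert, user_in_passwd_group, files_owned_by, triage_user) and the default directory list are assumptions of this example. owners_from_alert extracts the owning account from lfd alert text like the one in the first post, so the right account name feeds the rest; the other functions perform the passwd/group, process and file checks cPanelTristan lists, limited to a few directories because a full find / is slow, and using ps -u instead of ps aux | grep so the grep process itself is never a false hit.

```shell
#!/bin/sh
# Added example, not from the thread or from CSF/cPanel. Function names
# and the default directory list below are assumptions of this example.

# Print the distinct owning usernames from lfd "Suspicious File Alert"
# text on stdin, e.g. "Owner: hostingp:hostingp (937:933)" -> "hostingp".
owners_from_alert() {
    sed -n 's/^[[:space:]]*Owner:[[:space:]]*\([^:]*\):.*/\1/p' | sort -u
}

# Print the /etc/passwd and /etc/group lines for a user; prints nothing
# if the account is really gone. The anchored "^user:" pattern avoids
# matching the name as a substring of some other account.
user_in_passwd_group() {
    grep "^$1:" /etc/passwd 2>/dev/null
    grep "^$1:" /etc/group 2>/dev/null
    return 0
}

# Count files (and directories, including the starting points) owned by a
# user under the given directories. Searching the usual drop locations
# first is much faster than find /, which the thread warns is slow; -xdev
# keeps find from crossing into /proc or network mounts.
files_owned_by() {
    user="$1"; shift
    find "$@" -xdev -user "$user" -print 2>/dev/null | wc -l | tr -d ' '
}

# Full report for one account: account entries, live processes, and files
# still owned by it. ps -u replaces "ps aux | grep user" so the grep
# process itself never shows up as a hit.
triage_user() {
    user="$1"; shift
    [ "$#" -gt 0 ] || set -- /tmp /var/tmp /dev/shm /home
    printf '== passwd/group entries for %s ==\n' "$user"
    user_in_passwd_group "$user"
    printf '== processes owned by %s ==\n' "$user"
    ps -u "$user" -o pid=,etime=,args= 2>/dev/null
    printf '== files owned by %s under: %s (%s found) ==\n' \
        "$user" "$*" "$(files_owned_by "$user" "$@")"
    find "$@" -xdev -user "$user" -ls 2>/dev/null
    return 0
}

# Usage: sh triage.sh hostingp [dir ...]
if [ "$#" -gt 0 ]; then
    triage_user "$@"
fi
```

Run it as root with the account name from the alert (sh triage.sh hostingp); a terminated account should produce no passwd/group lines, no processes and no files, and anything that does appear is what still needs cleaning up. Paste an alert email into owners_from_alert when several accounts are involved and you want the list of names to check.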
     