The Community Forums


suspicious files in /tmp hack ?

Discussion in 'General Discussion' started by erik@delphi, May 2, 2007.

  1. erik@delphi

    erik@delphi Well-Known Member

    Joined:
    Jul 9, 2005
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Belgium
    hi folks,

    In my server's /tmp directory I found three suspicious files with very weird names.

    I was very suspicious about them and ran the nobody_check security tool from webhostgear.com, and it reported this

    And WHM was complaining to me that I should disable compilers. I am 99% sure I did that, as I use csf provided by chirpy here. So the question is

    • who enabled compilers?
    • who started that malicious process?

    So far I killed that process and entropychat is disabled. My server is also cronned to run the nobody_check tool every 5 minutes. It is not a root compromise, otherwise the damage would have been much larger. I can't find anything about entropychat in my logs either.

    Some advice will be appreciated

    :(
     
  2. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    It's never good to assume you weren't rooted. Especially if compilers were active after you de-activated them and you didn't do it. That throws up a red flag for me.

    Run RKhunter and Chkrootkit to see if they find anything. Grab a port and/or process monitor (check out rfxnetworks.com) to make sure nothing is opening ports or running without you knowing about it. Use nmap and netstat to check over ports as well, make sure no one has a back door open. Grep your logs to see if you can see a point of entry or anything else that might indicate they have root. Watch for high load periods, you could install a load monitoring script as well that reports what's driving up load.

    Hope that helps!
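    The checks suggested above, scripted for the three things this thread worries about (compilers executable by unprivileged users, executable files dropped in /tmp, and `nobody` processes working out of /tmp). This is an added example, not code from the thread or from nobody_check; the compiler paths, /tmp and the `nobody` user name are assumptions.

```sh
#!/bin/sh
# Added example, not the thread's or nobody_check's code. Three checks for the
# thread's worries: compilers executable by unprivileged users, executable
# files in /tmp, and web-user ('nobody') processes working out of /tmp.
# Compiler paths, /tmp and the user name are assumptions.

# Exit 0 if the file exists and has the "other" execute bit set.
# cPanel's "disable compilers" removes that bit, so a hit means open.
# find -H follows a symlink given on the command line (gcc often is one).
compiler_open_to_others() {
    [ -f "$1" ] || return 1
    find -H "$1" -perm -001 | grep -q .
}

# Print regular files under a directory with any execute bit set.
# /tmp should hold data only; executables there (like the random-named
# files in the thread) deserve a closer look.
executable_files_in() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null
}

# Print "pid command cwd" for processes owned by a user whose working
# directory is under /tmp (Linux /proc assumed).
procs_of_user_in_tmp() {
    ps -u "$1" -o pid= -o comm= 2>/dev/null | while read -r pid comm; do
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) || continue
        case "$cwd" in
            /tmp|/tmp/*) printf '%s %s %s\n' "$pid" "$comm" "$cwd" ;;
        esac
    done
}

# Run the three checks against the usual locations and print warnings.
audit_host() {
    for c in /usr/bin/gcc /usr/bin/cc /usr/bin/g++; do
        compiler_open_to_others "$c" && echo "WARN: $c executable by others"
    done
    executable_files_in /tmp | sed 's/^/WARN: executable in \/tmp: /'
    procs_of_user_in_tmp nobody | sed 's/^/WARN: nobody process in \/tmp: /'
}

if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

    Run it as root with `--run`; a clean host prints nothing, and each WARN line is a lead to follow up by hand rather than proof of compromise.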
     
  3. katmai

    katmai Well-Known Member

    Joined:
    Mar 13, 2006
    Messages:
    526
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brno, Czech Republic
    vb5une5x
    vbEHwo3v
    vbiQi8Ze

    usually are temporary php files. entropychat should be disabled. Dunno why cPanel doesn't pull it out.

    you're not hacked.
     
  4. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Thought OP said entropy had already been disabled, and the compilers suddenly being wr again is puzzling. If this is the case, still throws up red flags in my mind and I would still run the scans to be certain. Never hurts to be cautious. :)
     
  5. erik@delphi

    erik@delphi Well-Known Member

    Joined:
    Jul 9, 2005
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Belgium
    Yes I did, compilers are not active. This happened after I got notified about the new csf release (I am subscribed to their blog) and upgraded; that's when things got suspicious. It seems to be all normal again after I killed the process. I do have rkhunter and ChkRootKit but they didn't find anything. Open ports do not show me anything suspicious but I'm still watching...

    Thanks folks for the help...
     