
Suspicious Files & Folders

Discussion in 'General Discussion' started by joemon, Feb 26, 2009.

  1. joemon

    joemon Member

    Joined:
    Feb 7, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    I found some strange files & folders on the server at the following location:
    /usr/local/lp

    $ ls
    ./ ../ apps/ configs/ etc/ htdocs/ jakarta/ libs/ logs/ rpmver/ scripts/ share/ temp/ tmp/ var/

    It contains a virtual host configuration file at the following location:

    $ cat /usr/local/lp/configs/httpd/vhost.conf

    # This VirtualHost serves as an access point for monitoring scripts
    # and other things used to ensure the well-being of your server.
    #
    # Please do not remove this VirtualHost entry unless absolutely necessary.
    #
    # This configuration file is generated from values stored in the file
    # '/usr/local/lp/configs/httpd/prefs.cfg'.
    #
    # To make changes, edit that file and regenerate the VirtualHost by running
    # '/usr/local/lp/apps/http/generatelpvhost'.
    #
    # To make changes outside of the scope of the configuration provided, edit
    # the custom include file - '/usr/local/lp/configs/httpd/custom.conf'.
    #
    # To disable this VirtualHost, touch the following file, and then
    # regenerate the VirtualHost:
    # /usr/local/lp/var/disablelpvhost
    #
    # To prevent automated changes to this VirtualHost, touch the following
    # file:
    # /usr/local/lp/var/staticlpvhost
    #
    NameVirtualHost X.X.X.X:80
    <VirtualHost X.X.X.X>
    ServerName servxxxxx.sn.sourcedns.com
    ServerAlias www.servxxxxx.sn.sourcedns.com
    ServerAdmin webmaster@sourcedns.com
    DocumentRoot /usr/local/lp/htdocs/
    CustomLog /usr/local/lp/logs/httpd/servxxxxx.sn.sourcedns.com combined
    ScriptAlias /cgi-bin/ /usr/local/lp/htdocs/cgi-bin/
    User systuser
    Group systuser
    </VirtualHost>

    It seems that it includes all the Apache files except the Apache binary. The path to this virtual host file has then been included in the main Apache configuration file.

    It seems that the attacker has got hold of the server root password. Can I make the server safe by just changing the server root password & then deleting the above files? Has anyone seen something like this before? Please let me know a solution to this issue...
     
    #1 joemon, Feb 26, 2009
    Last edited: Feb 26, 2009
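An added example for the question this post raises: how to tell, from the configuration itself, what an Include in httpd.conf is pulling in and whether the resulting VirtualHost belongs. This is not code from the thread, from cPanel or from the hosting provider. It walks the Include/IncludeOptional directives of an httpd.conf, summarises every <VirtualHost> block the included files define, and flags any vhost whose DocumentRoot sits outside the web roots you expect or that carries its own User/Group directive, as the quoted vhost.conf does. It also greps whatever crontab files you hand it for references to the directory, since a cron job dropping files is the other explanation worth ruling out before concluding an intruder created the directory (the later reply in this thread points at exactly such a job). The fixture it builds (the host names, the 203.0.113.x addresses, the /home and /var/www allowlist, the crontab line) is constructed for the demonstration and modelled on the layout quoted above; on a real box point it at your real httpd.conf and the real crontab files.

```shell
#!/bin/sh
# Added example (not from the thread): audit what an Apache httpd.conf includes,
# summarise the <VirtualHost> blocks those files define, flag the odd ones, and
# check cron for references to the directory in question.
# All fixture content below is constructed for the demonstration.
set -u

# ServerRoot from the config (quotes stripped), falling back to the config's directory.
server_root_of() {
  sr=$(awk 'tolower($1)=="serverroot" {print $2; exit}' "$1")
  sr="${sr%\"}"; sr="${sr#\"}"
  printf '%s\n' "${sr:-$(dirname "$1")}"
}

# Every file named by Include/IncludeOptional: relative paths resolved against
# ServerRoot, globs expanded. Simplification: a directory argument is not recursed.
list_includes() {
  root=$(server_root_of "$1")
  awk 'tolower($1)=="include" || tolower($1)=="includeoptional" {print $2}' "$1" |
  while IFS= read -r pat; do
    pat="${pat%\"}"; pat="${pat#\"}"
    case "$pat" in /*) ;; *) pat="$root/$pat" ;; esac
    for inc in $pat; do if [ -f "$inc" ]; then printf '%s\n' "$inc"; fi; done
  done
}

# One line per <VirtualHost> block: file|ServerName|DocumentRoot|User|Group
# ("-" where a directive is absent). Directive names are matched case-insensitively.
summarise_vhosts() {
  awk -v file="$1" '
    tolower($0) ~ /^[[:space:]]*<virtualhost/ { inblock=1; sn="-"; dr="-"; usr="-"; grp="-"; next }
    tolower($0) ~ /^[[:space:]]*<\/virtualhost>/ {
      if (inblock) printf "%s|%s|%s|%s|%s\n", file, sn, dr, usr, grp
      inblock=0; next
    }
    inblock {
      key=tolower($1); gsub(/"/, "", $2)
      if (key=="servername") sn=$2
      else if (key=="documentroot") dr=$2
      else if (key=="user") usr=$2
      else if (key=="group") grp=$2
    }' "$1"
}

# Flag vhosts whose DocumentRoot is not under one of the allowed prefixes (space
# separated) or that set their own User/Group. Prints one SUSPECT line per hit.
audit_vhosts() {
  cfg="$1"; allowed="$2"
  list_includes "$cfg" | while IFS= read -r f; do summarise_vhosts "$f"; done |
  while IFS='|' read -r file sn dr usr grp; do
    flags=""; ok=0
    for a in $allowed; do case "$dr" in "$a"/*|"$a") ok=1 ;; esac; done
    [ "$ok" = 1 ] || flags="$flags docroot-outside-allowlist"
    [ "$usr" = "-" ] && [ "$grp" = "-" ] || flags="$flags per-vhost-user=$usr/$grp"
    if [ -n "$flags" ]; then printf 'SUSPECT %s %s %s:%s\n' "$sn" "$dr" "$file" "$flags"; fi
  done
}

# Non-comment cron lines mentioning a path prefix. On a real host pass
# /etc/crontab /etc/cron.d/* /var/spool/cron/* as the files to inspect.
cron_refs() {
  prefix="$1"; shift
  grep -H -- "$prefix" "$@" 2>/dev/null | grep -v '^[^:]*:[[:space:]]*#' || true
}

# Constructed fixture: one ordinary site vhost, one provider-style vhost modelled on
# the /usr/local/lp/configs/httpd/vhost.conf quoted above, and one crontab line.
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/conf.d" "$fx/lp/configs/httpd"
  cat >"$fx/httpd.conf" <<EOF
ServerRoot "$fx"
Include conf.d/*.conf
Include $fx/lp/configs/httpd/vhost.conf
EOF
  cat >"$fx/conf.d/site.conf" <<'EOF'
<VirtualHost 203.0.113.10:80>
    ServerName example.com
    DocumentRoot /home/example/public_html
</VirtualHost>
EOF
  cat >"$fx/lp/configs/httpd/vhost.conf" <<'EOF'
NameVirtualHost 203.0.113.10:80
<VirtualHost 203.0.113.10>
    ServerName monitor.provider.example
    DocumentRoot /usr/local/lp/htdocs/
    User systuser
    Group systuser
</VirtualHost>
EOF
  printf '%s\n' '17 3 * * * root /usr/local/lp/apps/lp-autoupdate.sh' >"$fx/crontab"
  printf '%s\n' "$fx"
}

# Demo run: sh audit.sh demo
if [ "${1:-}" = "demo" ]; then
  fx=$(make_fixture)
  audit_vhosts "$fx/httpd.conf" "/home /var/www"
  cron_refs /usr/local/lp "$fx/crontab"
  rm -rf "$fx"
fi
```

Run with `sh audit.sh demo`: the example.com vhost is silent, while the provider-style one is reported once with both flags, and the crontab line shows the directory is fed by a scheduled job rather than by someone logging in. Neither finding proves or disproves a compromise on its own; they tell you which follow-up to do (ask the provider about the cron job, or treat the host as compromised if nothing legitimate explains it).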
  2. vant

    vant Registered

    Joined:
    Feb 24, 2009
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Virtualhost

    Hi,

    By default, the virtual host parameters in the httpd.conf file are blank. If you have created a virtual host config, take a close look at it; it might be yours. But if that configuration is not really yours, then it is an indication that the server was hacked. Changing the root password and deleting that virtual host config may help. Additionally, check the services that are running on your machine and take a look at the logs.

    Hope this may help you.
     
  3. joemon

    joemon Member

    Joined:
    Feb 7, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Hi Vant, thanks for the reply. Anyway, I have raised a ticket with cPanel support to investigate this further.
     
  4. Dhaupin

    Dhaupin Member

    Joined:
    Jan 3, 2014
    Messages:
    20
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Hi, I know this is really, really, really old, but I believe you are looking at a Liquidweb inclusion. You can tell because of the sourcedns lines. I ran into this dir today as well on one of their VPSes that was having issues with a mysterious mod_zeus conf inclusion... lo and behold, the IPs set as load balancer IPs were Liquidweb ranges. In today's case the Zeus module wasn't even there; not sure how the conf was created. There is a wildcard inclusion from the main httpd.conf into /usr/local/lp/configs/httpd/conf.d/*. Kinda funky, but regardless, I don't think a "hacker" made the folder in the first example in this thread - it's something Liquidweb uses.

    EDIT: upon further digging, it is indeed an auto-updated folder area... as in, they don't need to log in to drop files, at least now in more modern 2015 times. If anyone runs into this, check your crontab. You may see it reference /usr/local/lp/apps/lp-autoupdate.sh. I'm thinking this autoupdate modified the conf, loading a module {zeus} which was needed for load balancer real IPs but wasn't on the VPS. Some other things updated here are their sonar monitoring, some VPS/grub logs, blacklists, rootkit checks, etc.
     
    #4 Dhaupin, Oct 23, 2015
    Last edited: Oct 23, 2015