The Community Forums

Trojan?

Discussion in 'General Discussion' started by welo, Dec 8, 2003.

  1. welo

    welo Well-Known Member

    Tonight I received an email identical to what THIS GUY got (with a different pid). Not really knowing what to do I moved/renamed the whole /sdk386/ dir and downloaded it. Attached is a zip of what it contains.

    The #sk# file was somehow created when I used emacs to see what was inside sk. I can't really tell what this thing was compiled in, although I have a hunch it's C. Can someone please confirm whether this is a trojan, and where else I might need to look for trapdoor stuff I might have accidentally inspired?

    The new kernel was only released a few days ago, so if I'm compromised due to this they sure were fast (yes I have updated it). Offhand I don't see anything weird in the logs either.

    Thanks.
     


  2. welo

    welo Well-Known Member

    Well, following up...

    I have been unable to identify the exact worm used for this, although it looks similar to what is described here. It's possible I caught it before it could do any real damage, but there's no way to be sure without spending days going through files and logs. The easiest option is to backup and reformat.

    Incidentally, it looks like this thing was installed by a script someone uploaded to the CPanel demo account. That's the last time I'll be using one of those. The script is attached.
     


  3. welo

    welo Well-Known Member

    I'm holding off on reimaging the box momentarily since it looks like I may have caught this before someone could compile it. Apparently it attempts to create a user called 'shitdown', so look for that. If you don't find one you could be safe.

    I don't know what disappoints me more: That the cPanel demo allows this type of exploit, that I never thought to test FTP/SSH of the demo account before, or that some people have nothing better to do.

    Anyway, since my server is running RH 7.3 I'll prolly have to reformat soon enough.
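    A quick host check for the two indicators welo mentions (the 'shitdown' account and the sdk386 directory with its sk binary), written as an added example rather than anything from this thread. It also lists any extra UID-0 account, since a renamed root-level account is the usual variant of this trick; the passwd file and search root are parameters so it can be run against a copy or a mounted image.

```shell
#!/bin/sh
# Added example, not from the thread: a defender's check for the indicators
# welo reports (an account named 'shitdown', an sdk386 directory holding 'sk').
# The passwd file and search root are arguments so the check can run on a copy.

# check_indicators PASSWD_FILE SEARCH_ROOT
# Prints one line per indicator found. Returns 0 if nothing is found, 1 otherwise.
check_indicators() {
    passwd_file=$1
    search_root=$2
    found=0

    # The account the dropped script tries to create; anchor on the username field.
    if grep -q '^shitdown:' "$passwd_file"; then
        echo "account 'shitdown' present in $passwd_file"
        found=1
    fi

    # Any extra UID-0 account is a classic backdoor, whatever it is called.
    extra_root=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$passwd_file")
    if [ -n "$extra_root" ]; then
        echo "uid 0 account(s) other than root: $extra_root"
        found=1
    fi

    # The dropped directory; report it and any 'sk' inside so they can be preserved
    # for analysis rather than deleted. (Paths with spaces are not handled here.)
    for dir in $(find "$search_root" -type d -name sdk386 2>/dev/null); do
        echo "directory $dir"
        [ -e "$dir/sk" ] && echo "file $dir/sk"
        found=1
    done

    return $found
}

# Run directly as: sh check.sh /etc/passwd /home
if [ "$#" -eq 2 ]; then
    check_indicators "$1" "$2"
fi
```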
     
  4. dhabets

    dhabets Well-Known Member

    sure it does... and you had an insecure kernel, that still doesn't mean that was how your server was compromised...
     
