The Community Forums

Interact with an entire community of cPanel & WHM users!

URGENT! Been hacked! Need Help.

Discussion in 'General Discussion' started by phantom, Dec 17, 2003.

  1. phantom

    phantom Well-Known Member

    Hi,
    I just found psyBCN and counterstricke installed in my /tmp/ directory. I've deleted them both, but there are other things listed in the tmp directory and I don't know what they are.
    I've changed the root password to something very hard to figure out. Here are other items listed in my tmp directory. Can someone tell me what some of these things are and if they can be deleted?

    ./
    mysql.sock@
    sess_923083e0a4a77d10e4a84b7b393b085a
    ../
    .pacote/
    sess_b0e05494ddebb52069d8b57f0275dfb0
    508c01683fc5d81381670-xFZI4S

    sess_13d10d9972ae5077bf8687b6dc597062
    sess_b5c8d8f938af0471fe7bb1696a8abb5a

    .bat/
    sess_2341cc2aa28746333a118355c58ef331
    sess_c2a346d31ce23ad8ae7f21f22da17b25

    co1*
    sess_2e5f0b78ae18f26b0286ad41babd0706
    sess_cc470250c12f07e45f8c838d660dbe32

    .fmi/
    sess_5c382a8949dadcca96a832c72bb7f89e
    sess_d8090c9a89379b7be0f6f51d28dc7499

    .font-unix/
    sess_5d1a4c7559650ac2b844a78e57abef7e
    sess_e1a7d6024482e0080db91c2ffff0d038

    horde.log
    sess_765b2c8b67ab455c5dd55d38e9f4d45a
    sess_e38250479904266e15eafcbc30801b28

    impattDJcC8h
    sess_7b29c75b63fffaf7a57af7ba38be5793
    sess_eaff39fc954bc8b4b70b133b89b4f58f

    kmod*
    sess_7cb8d01e6f5a6c42858ca6f110bff955
    sess_ef47c2a6472bda4fa398b02c65a31527

    lost+found/ sess_8271628d61cbb6e9e75bb6da6ac7db86
    sess_fb99d58514d1d92b58990bfe92c659b2

    Thank you!
     
  2. casey

    casey Well-Known Member

    mysql.sock, horde.log, and .font-unix are all fine, but I don't know what those others are.
     
  3. phantom

    phantom Well-Known Member

    Here is what is in the .fmi directory

    me*
    me.c
    ptracee*
    telnetd*
    telnetd.1*
    udp*
     
  4. Angel78

    Angel78 Well-Known Member

    What kernel have you been using (and firewall)?
     
  5. rs-freddo

    rs-freddo Well-Known Member

    Having those files in /tmp doesn't mean you've been "hacked". There are lots of PHP and CGI scripts that will allow people to upload files to /tmp without having "compromised" your box. Needless to say, you don't want those files there because someone can use them to attack other boxes. You need to find out how they were uploaded and stop it, as well as deleting them. I'd delete those files in .fmi.

    The gallery module of Nuke is one php script that allows upload to /tmp.

    BTW you'll probably have bad files in /var/tmp too.
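
An added example, not part of the original thread: a read-only triage of temp directories such as /tmp and /var/tmp that flags hidden directories not on an allow-list, executable files, and C source, printing the owning account for each so the upload path can be traced. The allow-list contents and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: read-only triage of temp directories (no files are changed).
# Hidden entries assumed normal on a Linux host; adjust for your system.
KNOWN_HIDDEN=".font-unix .X11-unix .ICE-unix .XIM-unix .Test-unix"

is_known_hidden() {
    for k in $KNOWN_HIDDEN; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# Print "reason<TAB>owner<TAB>path"; the owner shows which account wrote the file.
report() {
    printf '%s\t%s\t%s\n' "$1" "$(ls -ld "$2" | awk '{print $3}')" "$2"
}

# triage_tmp DIR... : flag entries that do not belong in a temp directory.
triage_tmp() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # 1. Hidden top-level directories that are not on the allow-list.
        for p in "$dir"/.[!.]*; do
            if [ -d "$p" ] && [ ! -L "$p" ]; then
                is_known_hidden "${p##*/}" || report hidden-dir "$p"
            fi
        done
        # 2. Regular files with any execute bit set.
        find "$dir" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
            2>/dev/null | while IFS= read -r f; do report executable "$f"; done
        # 3. C source, which suggests something was compiled on the box.
        find "$dir" -xdev -type f -name '*.c' 2>/dev/null |
            while IFS= read -r f; do report c-source "$f"; done
    done
    return 0
}

# Usage: sh triage_tmp.sh /tmp /var/tmp
if [ "$#" -gt 0 ]; then
    triage_tmp "$@"
fi
```

The owner and modification time of each flagged file can then be matched against the web server's access logs to find the script that wrote it.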
     