
URGENT: Please Read

Discussion in 'General Discussion' started by abusedreality, Sep 2, 2003.

  1. abusedreality (Well-Known Member; joined Apr 15, 2003; 54 messages)

    I have some strange processes running on my server; they are very suspicious and running as nobody.

    Does anyone remember them? Here are just a few.

    ./massossl80443181241
    ./mass200.53.*.*
    ./v66.246.89.133445139
    ./scan20013984240

    They are using a ton of CPU.

    Please let me know.

    Thank you

  2. DHL (Well-Known Member; joined Mar 8, 2002; 88 messages)

    Look in /tmp or /var/tmp; they could be there.

    Or, if you get the PID from ps, just cd /proc/PID (PID being the process number) and ls -l; that will tell you where they are being run from.

  3. Doctor (Well-Known Member; joined Apr 26, 2003; 180 messages)

    How do you find these strange processes? My CPU load average is getting very high (10.0 to 30.0) and I am suspecting that I might be having what you have.

  4. xsenses (Well-Known Member; joined Aug 29, 2002; 233 messages; Huntington Beach, Ca)

    In WHM, under System Health, click on "Show Current CPU Usage", or via ssh type top.
     
  5. H2Hosting.com (Well-Known Member; joined Sep 4, 2001; 192 messages)

    80% that your server was hacked

  6. rusko (Member; joined Nov 20, 2002; 11 messages)

    these programs are scanners - they scan networks for vulnerable versions of apache/openssl in order to exploit them. do a find, locate the account and remove the files. have a look through the apache access logs to find out how the attacker managed to upload the files - if it is not the user that actually owns the account, the scripts have most likely been uploaded through a vulnerability in something like phpnuke.

    paul
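
The /proc/PID check and the /tmp and /var/tmp locations suggested in the thread can be combined into one pass over every process owned by a user. This is an added example, not part of any post; the function names, the PROC_ROOT override and the SUSPECT/ok labels are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): show where a user's processes really run from.
# PROC_ROOT is a hypothetical override so the logic can be tried on a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# classify EXE CWD -> "SUSPECT" if the binary was deleted from disk after launch,
# or if the binary or working directory is under /tmp or /var/tmp; otherwise "ok".
classify() {
    case "$1" in *" (deleted)") echo SUSPECT; return ;; esac
    for p in "$1" "$2"; do
        case "$p" in
            /tmp|/tmp/*|/var/tmp|/var/tmp/*) echo SUSPECT; return ;;
        esac
    done
    echo ok
}

# audit_user_procs UID -> one line per process owned by UID: verdict, pid, exe, cwd.
# The body runs in a subshell so its variables stay local.
audit_user_procs() (
    for dir in "$PROC_ROOT"/[0-9]*; do
        [ -d "$dir" ] || continue
        [ "$(stat -c %u "$dir" 2>/dev/null)" = "$1" ] || continue
        exe="$(readlink "$dir/exe" 2>/dev/null)" || exe="?"
        cwd="$(readlink "$dir/cwd" 2>/dev/null)" || cwd="?"
        printf '%s pid=%s exe=%s cwd=%s\n' \
            "$(classify "$exe" "$cwd")" "${dir##*/}" "$exe" "$cwd"
    done
)

# Live use, as root (needed to read other users' /proc/PID links):
#   audit_user_procs "$(id -u nobody)"
```

The exe and cwd values printed for a SUSPECT line are the directories to preserve and inspect before anything is removed, since they also point to the account whose access logs need reviewing.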
