URGENT: Please Read

Discussion in 'General Discussion' started by abusedreality, Sep 2, 2003.

  1. abusedreality

    I have some strange processes running on my server; they are very suspicious and running as nobody.

    Does anyone remember them? Here are just a few.

    ./massossl80443181241
    ./mass200.53.*.*
    ./v66.246.89.133445139
    ./scan20013984240

    They are using a ton of CPU.

    Please let me know.

    Thank you

  2. DHL

    Look in /tmp or /var/tmp; they could be there.

    Or if you get the PID from ps, just cd /proc/PID (PID being the process number) and ls -l, and that will tell you where they are being run from.

  3. Doctor

    How do you find these strange processes? My CPU load average is getting very high (10.0 to 30.0) and I am suspecting that I might be having what you have.

  4. xsenses

    In WHM under System Health, click on "Show Current CPU Usage", or via SSH type top.
     
  5. H2Hosting.com

    80% that your server was hacked

  6. rusko

    These programs are scanners - they scan networks for vulnerable versions of Apache/OpenSSL in order to exploit them. Do a find, locate the account and remove the files. Have a look through the Apache access logs to find out how the attacker managed to upload the files - if it is not the user that actually owns the account, the scripts have most likely been uploaded through a vulnerability in something like PHP-Nuke.

    paul
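
Added example, not part of any post in this thread: a shell function that applies the /proc/PID check and the /tmp, /var/tmp search suggested above to every process owned by one UID, flagging binaries or working directories in temp locations and binaries deleted from disk. The function name, the output format, the overridable proc root and the inclusion of /dev/shm are assumptions of this example; run it as root so other users' /proc entries are readable.

```shell
#!/bin/sh
# Added example (not from the thread): triage one UID's processes via /proc on Linux.

# suspicious_procs UID [PROC_ROOT]
# Prints "PID<TAB>EXE<TAB>CWD<TAB>REASON" for each process owned by UID whose
# binary or working directory is in a temp location, or whose binary was deleted.
# PROC_ROOT defaults to /proc; it is a parameter only so the function can be
# exercised against a constructed directory tree.
suspicious_procs() {
    uid=$1
    root=${2:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        # The real UID is the first number on the "Uid:" line of /proc/PID/status.
        puid=$(awk '/^Uid:/ {print $2; exit}' "$dir/status" 2>/dev/null) || continue
        [ "$puid" = "$uid" ] || continue
        # exe is unreadable for kernel threads, exited processes, or without root.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd='?'
        reason=
        case $exe in
            # The kernel appends " (deleted)" when the binary was unlinked after start.
            *' (deleted)') reason=deleted-binary ;;
            # /tmp and /var/tmp come from the thread; /dev/shm is added here.
            /tmp/*|/var/tmp/*|/dev/shm/*) reason=temp-dir-binary ;;
        esac
        if [ -z "$reason" ]; then
            # Catches interpreters (perl, sh) started from a temp directory.
            case $cwd in
                /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
                    reason=temp-dir-cwd ;;
            esac
        fi
        [ -n "$reason" ] || continue
        printf '%s\t%s\t%s\t%s\n' "${dir##*/}" "$exe" "$cwd" "$reason"
    done
}

# Stand-alone use: sh triage.sh "$(id -u nobody)"
if [ $# -ge 1 ]; then
    suspicious_procs "$1"
fi
```

Record the reported paths and copy the files for analysis before removing anything, so the upload time can be matched against the Apache access logs.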
