user nobody running bash and inetd

Discussion in 'General Discussion' started by CamronFry, Apr 6, 2005.

  1. CamronFry

    The user nobody is running bash and inetd:
    21:38:00 nobody 31584 75.7 0.0 0.19 inetd
    21:38:00 nobody 31583 75.0 0.0 0.19 -bash

    How could nobody be running that?
     
  2. btrieve

    Likely binaries named that way as a disguise; you may find them in /var/tmp or /tmp. A PHP script is likely executing them, resulting in the user nobody being the PID owner.

    I would highly suggest removing /var/tmp, creating a symlink from /tmp to /var/tmp and then remounting /tmp with noexec.
     
  3. chirpy

    Yup. You should also make sure that all your phpBB installations are running v2.0.13 (use the Addon Script Manager installable within WHM) and install mod_security, as well as cleaning up the exploits and killing off all the exploit processes. As it is, they're probably running IRC bots and sending out spam.

    In addition to the advice from btrieve, you should also secure /dev/shm noexec as that is being used more and more now.
     
  4. SloanPeterson

    How do I secure /dev/shm noexec?
     
  5. chirpy

    You need to edit /etc/fstab and modify the /dev/shm configuration line to use the noexec,nosuid mount directives, then:

    umount /dev/shm
    mount -a
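
An added example, not part of any post in this thread: a shell check over an fstab-format file that reports which of the temporary locations named above (/tmp, /var/tmp, /dev/shm) lack the noexec or nosuid options. The function names and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Audit an fstab-format file for temp mounts missing noexec / nosuid.
# Added example; audit_mounts and sample_fstab are hypothetical names.

# audit_mounts FILE   (use "-" to read standard input)
# Prints one line per finding, in the order /tmp, /var/tmp, /dev/shm:
#   "<mountpoint> missing:<opt>[,<opt>]"  entry exists but lacks options
#   "<mountpoint> not-a-separate-mount"   no entry, so options cannot be set
#                                         on that path independently
audit_mounts() {
    awk -v targets="/tmp /var/tmp /dev/shm" '
        BEGIN { n = split(targets, want, " ") }
        /^[ \t]*#/ || NF < 4 { next }   # skip comments, blanks, short lines
        { opts[$2] = $4 }               # field 2 = mount point, field 4 = options
        END {
            for (i = 1; i <= n; i++) {
                mp = want[i]
                if (!(mp in opts)) { print mp " not-a-separate-mount"; continue }
                o = "," opts[mp] ","    # pad so each option matches as a whole word
                missing = ""
                if (o !~ /,noexec,/) missing = "noexec"
                if (o !~ /,nosuid,/) missing = missing (missing ? "," : "") "nosuid"
                if (missing != "") print mp " missing:" missing
            }
        }' "$1"
}

# Constructed sample fstab (not taken from the thread).
sample_fstab() {
    cat <<'EOF'
# device    mountpoint  type   options          dump pass
/dev/sda1   /           ext3   defaults         1 1
/dev/sda3   /tmp        ext3   defaults,noexec  1 2
none        /dev/shm    tmpfs  defaults         0 0
EOF
}

# Demo run on the constructed sample.
sample_fstab | audit_mounts -
```

On a real host, `audit_mounts /etc/fstab` checks the configured options and `audit_mounts /proc/mounts` checks the options currently in effect, since both files use the same first four fields. A `not-a-separate-mount` result for /var/tmp is expected when it is a symlink into an already hardened /tmp.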
     