The Community Forums


Warning: those who have upgraded to WHM 10.6.0 cPanel 10.6.0-R55. Please check.

Discussion in 'General Discussion' started by gundamz, Aug 27, 2005.

  1. gundamz

    WHM 10.6.0 cPanel 10.6.0-R55
    RedHat Enterprise 3 i686 - WHM X v3.1.0

    For all who are running WHM 10.6.0 cPanel 10.6.0-R55 on a server with RedHat Enterprise 3 i686:

    Please do this:

    cd /var/spool
    ls -l


    Did you get something like this?

     
  2. gundamz

    If you are using the above OS and cPanel release and having no problems, please report too.
    Thanks.
     
  3. chirpy

    That might suggest that you have suffered a root compromise, though it may only be a script compromise at this stage (though users should not have write access to /var/spool). You're going to have to determine how the hackers got in and what damage, if any, has been done. If you don't know how to do that, either contact your datacentre or hire someone who does.
     
  4. gundamz

    Hi Jon,

    Unfortunately, the spool is set as non-writable:

    drwxr-xr-x 17 root root 4096 Aug 24 11:57 spool/

    I have compared with other servers.
    They have the same permissions.
     
  5. chirpy

    Which further suggests a possible root compromise.
     
  6. gundamz

  7. chirpy

    Odd indeed. Without actually seeing a server in that state I'd still err on the side of concern as to what's going on.
     
  8. gundamz

    Anyone having a similar problem?
     
  9. abused1

    We did cPanel updates on about 100 boxes; 5 of the boxes had the same issue, right after the update.

    Today one of the 5 had the root password changed on the box. No signs of rootkits or anything. If anyone has any helpful information, please let us know.
     
  10. -jdk-

    Mine doesn't say that at all and I have the same setup.
     