The Community Forums


what is "m1ho2of" ?

Discussion in 'General Discussion' started by iCARus, Dec 22, 2004.

  1. iCARus

    iCARus Well-Known Member

    Hi..

    Does anyone know what the "perl m1ho2of" service is? I was getting small big load and if I run top and (Ctrl+M) I get:

    6306 mysql 15 0 56764 55M 1624 S 3.7 2.7 47:50 1 mysqld
    1312 root 36 19 27400 24M 1692 S N 0.0 1.2 3:14 0 cpanellogd
    28123 root 15 0 10396 10M 1172 S 0.0 0.5 0:33 1 clamd
    20755 root 15 0 8868 8048 4604 S 3.3 0.3 83:54 1 httpd
    5825 named 25 0 6208 4884 1548 S 0.0 0.2 1:43 1 named
    4677 root 21 0 3396 3396 1560 S 0.0 0.1 0:00 1 leechprotect
    1287 mailnull 15 0 4016 2904 1592 S 0.0 0.1 0:26 1 eximstats
    1317 root 17 0 4424 2824 1336 S 0.0 0.1 1:29 0 cppop
    1350 mailman 15 0 5168 2704 1760 S 0.0 0.1 0:45 0 python2
    5006 nobody 15 0 2704 2704 1516 S 0.0 0.1 0:10 1 perl
    6529 nobody 15 0 2704 2704 1516 S 0.0 0.1 0:07 1 perl
    23046 nobody 15 0 2692 2692 1516 S 0.0 0.1 0:06 0 perl

    If I run "ps -aux" I get:

    nobody 6529 0.0 0.1 6008 2704 ? S Dec22 0:07 perl m1ho2of
    nobody 23045 0.0 0.0 0 0 ? Z Dec22 0:00 [perl <defunct>]
    nobody 23046 0.0 0.1 6004 2692 ? S Dec22 0:06 perl m1ho2of
    ...
    lots of those ...

    Does anyone know what this is? I searched on Google with no success.

    Thanks.
     
  2. GOT

    GOT Get Proactive!

    I would look for a file of that name on your server.
     
  3. DigiCrime

    DigiCrime Well-Known Member

    Means someone's site was defaced. I've seen it several times in the past few days.

    ls -l /proc/6529

    ls -l /proc/23046

    See where they are running from.
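
DigiCrime's `ls -l /proc/<pid>` check, generalized to every process of one name and owner, as an added example that is not part of the original thread. The function name `proc_origin` and its optional proc-root argument are assumptions made for illustration; run it as root so the links of other users' processes are readable.

```shell
#!/bin/sh
# Added example (not from the thread); proc_origin is a hypothetical helper name.
# Usage: proc_origin COMM UID [PROC_ROOT]
#   e.g. proc_origin perl "$(id -u nobody)"
proc_origin() {
    po_comm=$1; po_uid=$2; po_root=${3:-/proc}
    for po_dir in "$po_root"/[0-9]*; do
        # A process can exit between the glob and the read, so skip on failure.
        po_name=$(awk '$1=="Name:"{print $2}' "$po_dir/status" 2>/dev/null) || continue
        po_owner=$(awk '$1=="Uid:"{print $2}' "$po_dir/status" 2>/dev/null) || continue
        po_state=$(awk '$1=="State:"{print $2}' "$po_dir/status" 2>/dev/null) || continue
        [ "$po_name" = "$po_comm" ] && [ "$po_owner" = "$po_uid" ] || continue
        # cwd is the directory the process was started in; exe is the binary.
        # Linux appends " (deleted)" to exe when the file has been unlinked.
        # Zombie (<defunct>) entries have no readable links, so they print '?'.
        po_cwd=$(readlink "$po_dir/cwd" 2>/dev/null || echo '?')
        po_exe=$(readlink "$po_dir/exe" 2>/dev/null || echo '?')
        # cmdline is NUL-separated; join with spaces and trim the trailing one.
        po_args=$(tr '\0' ' ' < "$po_dir/cmdline" 2>/dev/null | sed 's/ *$//')
        printf 'pid=%s state=%s cwd=%s exe=%s args=%s\n' \
            "${po_dir##*/}" "$po_state" "$po_cwd" "$po_exe" "$po_args"
    done
}
```

A `cwd` under one account's web directory shows which site the processes were started from; lines with `state=Z` are the defunct children seen in the `ps` output.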
     
  4. big

    big Well-Known Member

  5. iCARus

    iCARus Well-Known Member

    Ok. Thanks.
    I found that all the processes belong to only one user on the server, and the forum still works. So, how do I delete or clean this worm from the system? Does anyone know?

    Regards.
     
    #5 iCARus, Dec 23, 2004
    Last edited: Dec 23, 2004
  6. EDevil

    EDevil Member

    Well. I think you just need to upgrade PHP and phpBB to versions not vulnerable to the latest security holes and kill the m1ho2of processes.

    Then restore the .php and .htm files defaced on your system.
     
  7. fikse

    fikse Well-Known Member

