The Community Forums


what is /usr/bin/perl -w hnc.cgi

Discussion in 'Security' started by moinkhan31, Dec 5, 2008.

  1. moinkhan31

    moinkhan31 Member

    Joined:
    May 18, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    When I was running the top -cd2 command, the following scripts were taking high CPU usage on the server. But when we went to the home directory, we didn't find anything.

    24489 "User Name" 20 0 6732 5084 1164 S 8.0 0.2 11:00.69 /usr/bin/perl -w hnc.cgi
    26456 "User Name" 20 0 6876 5080 1164 S 8.0 0.2 7:23.47 /usr/bin/perl -w hnc.cgi
    32569 "User Name" 20 0 6748 5056 1164 S 7.5 0.2 8:57.30 /usr/bin/perl -w hnc.cgi

    Could you please update us on why these scripts are running under some particular users and what the application of this script is?
     
  2. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    SSH
    locate hnc.cgi
    and check it out!!

    Looks like it is an r57 shell hack; your server might be compromised.
    Google "/cgi-bin/hnc.cgi" (leave the quotes in the search) and you will see what I mean.
     
    #2 rhenderson, Dec 5, 2008
    Last edited: Dec 5, 2008
  3. moinkhan31

    moinkhan31 Member

    Joined:
    May 18, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    I know how to locate this file, but I want to know what the application of this script is.
     
  4. jpetersen

    jpetersen Well-Known Member

    Joined:
    Dec 31, 2006
    Messages:
    113
    Likes Received:
    4
    Trophy Points:
    18
    Search these forums for: hnc.cgi

    and check my posts in the thread titled: Malicious Script hnc.cgi ?
     
    rhenderson likes this.
  5. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    The application is a hacker file for spamming other systems, get rid of it before you get blacklisted!!
     
  6. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Good post, gave you a reputation for that!!
     
  7. stdout

    stdout Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    189
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Nelspruit, Mpumalanga, South Africa
    cPanel Access Level:
    Root Administrator
    If you spot this type of behaviour again, what I suggest doing is checking out the process' environmental variables.
    E.g. cat /proc/24489/environ | tr "\00" "\n"

    You are interested in the PWD section. This is how you can track most malicious processes.
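
The check described in the post above, extended into a small script (an added example, not part of the original thread): it finds processes by their command line and prints the launch-time PWD from environ next to the kernel-maintained cwd and exe links. The function names and the PROC_ROOT override are assumptions made for this example.

```shell
#!/bin/sh
# Added example. PROC_ROOT is a hypothetical override so the functions can be
# pointed at a constructed directory tree; by default they read the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# env_var PID NAME: print NAME's value from the NUL-separated environ file.
# environ is readable only by the process owner and root, so run this as root.
env_var() {
    [ -r "$PROC_ROOT/$1/environ" ] || return 0
    tr '\0' '\n' < "$PROC_ROOT/$1/environ" | sed -n "s/^$2=//p" | head -n 1
}

# proc_origin PID: one line with the PWD recorded at launch, the current
# working directory and the executable. cwd and exe are symlinks maintained by
# the kernel, so they stay accurate even if the process rewrites its argv.
# A "(deleted)" suffix means the target was removed after the process started.
proc_origin() {
    pid=$1
    start_pwd=$(env_var "$pid" PWD)
    cwd=$(readlink "$PROC_ROOT/$pid/cwd" 2>/dev/null)
    exe=$(readlink "$PROC_ROOT/$pid/exe" 2>/dev/null)
    printf 'pid=%s PWD=%s cwd=%s exe=%s\n' \
        "$pid" "${start_pwd:-?}" "${cwd:-?}" "${exe:-?}"
}

# find_by_cmdline PATTERN: print PIDs whose argv matches the grep PATTERN.
find_by_cmdline() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        if tr '\0' ' ' < "$d/cmdline" | grep -q -- "$1"; then
            echo "${d##*/}"
        fi
    done
}

# Usage, as root:
#   for p in $(find_by_cmdline 'hnc\.cgi'); do proc_origin "$p"; done
```

A PWD or cwd that points into an account's cgi-bin or a world-writable directory such as /tmp tells you which account and path to examine, even when the file itself has since been deleted.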
     
  8. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Very nice, I learn something in here every day :D
     
  9. stdout

    stdout Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    189
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Nelspruit, Mpumalanga, South Africa
    cPanel Access Level:
    Root Administrator
    Glad you liked it. It's a useful way to track processes which are being sneaky - spoofed process name, etc.
     
  10. moinkhan31

    moinkhan31 Member

    Joined:
    May 18, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    It's really nice.

    Thank you
     