what is /usr/bin/perl -w hnc.cgi

Discussion in 'Security' started by moinkhan31, Dec 5, 2008.

  1. moinkhan31

    moinkhan31 Member

    Joined:
    May 18, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    151
    Hello,

    When I was running the top -cd2 command, the following scripts were taking high CPU usage on the server. But when we went to the home directory we didn't find anything.

    24489 "User Name" 20 0 6732 5084 1164 S 8.0 0.2 11:00.69 /usr/bin/perl -w hnc.cgi
    26456 "User Name" 20 0 6876 5080 1164 S 8.0 0.2 7:23.47 /usr/bin/perl -w hnc.cgi
    32569 "User Name" 20 0 6748 5056 1164 S 7.5 0.2 8:57.30 /usr/bin/perl -w hnc.cgi

    Could you please update us on why these scripts are running under some particular users and what the application of this script is?
     
  2. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    1
    Trophy Points:
    166
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    SSH
    locate hnc.cgi
    and check it out!!

    Looks like it is an r57 shell hack; your server might be compromised.
    Google "/cgi-bin/hnc.cgi" (leave the quotes in the search) you will see what I mean.
     
    #2 rhenderson, Dec 5, 2008
    Last edited: Dec 5, 2008
  3. moinkhan31

    moinkhan31 Member

    Joined:
    May 18, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    151
    Hello,

    I know how to locate this file, but I want to know what the application of this script is.
     
  4. jpetersen

    jpetersen Well-Known Member

    Joined:
    Dec 31, 2006
    Messages:
    113
    Likes Received:
    4
    Trophy Points:
    168
    Search these forums for: hnc.cgi

    and check my posts in the thread titled: Malicious Script hnc.cgi ?
     
    rhenderson likes this.
  5. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    1
    Trophy Points:
    166
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    The application is a hacker file for spamming other systems, get rid of it before you get blacklisted!!
     
  6. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    1
    Trophy Points:
    166
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Good post, gave you a reputation for that!!
     
  7. stdout

    stdout Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    189
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Nelspruit, Mpumalanga, South Africa
    cPanel Access Level:
    Root Administrator
    If you spot this type of behaviour again, what I suggest doing is checking out the process' environmental variables.
    e.g. cat /proc/24489/environ | tr "\00" "\n"

    You are interested in the PWD section. This is how you can track most malicious processes.
     
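The /proc check described in the post above, extended as an added example (not part of the original thread): besides PWD from environ it also reads /proc/PID/cwd and /proc/PID/exe, because environ only records the environment the process was started with, while cwd and exe are maintained by the kernel. The function names and the optional PROC_ROOT argument are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: where does a suspicious PID really live?
# The optional PROC_ROOT argument (default /proc) is an assumption of this
# example so the functions can also be pointed at a constructed tree.

# Print one variable from the environment the process was started with.
proc_env_var() {   # usage: proc_env_var PID NAME [PROC_ROOT]
    local pid="$1" name="$2" root="${3:-/proc}"
    [ -r "$root/$pid/environ" ] || return 0   # not readable or already gone
    # environ is NUL-separated; match "NAME=" only at the start of an entry
    # so that PWD does not also match OLDPWD.
    tr '\0' '\n' < "$root/$pid/environ" |
        awk -v n="$name" 'index($0, n "=") == 1 { print substr($0, length(n) + 2); exit }'
}

# Print argv on one line. This is what top/ps display, and a process can
# overwrite it, so treat it as a claim rather than as evidence.
proc_cmdline() {   # usage: proc_cmdline PID [PROC_ROOT]
    local pid="$1" root="${2:-/proc}"
    [ -r "$root/$pid/cmdline" ] || return 0
    tr '\0' ' ' < "$root/$pid/cmdline" | sed 's/ $//'
}

# One record per PID: the claimed command line next to the kernel's view.
proc_triage() {    # usage: proc_triage PID [PROC_ROOT]
    local pid="$1" root="${2:-/proc}"
    [ -d "$root/$pid" ] || { echo "pid $pid: no such process" >&2; return 1; }
    printf 'pid=%s\n' "$pid"
    printf 'cmdline=%s\n' "$(proc_cmdline "$pid" "$root")"
    # exe and cwd are kernel-maintained symlinks; on Linux the target gets a
    # " (deleted)" suffix when the file or directory has been removed.
    printf 'exe=%s\n' "$(readlink "$root/$pid/exe" 2>/dev/null || echo '?')"
    printf 'cwd=%s\n' "$(readlink "$root/$pid/cwd" 2>/dev/null || echo '?')"
    printf 'env_PWD=%s\n' "$(proc_env_var "$pid" PWD "$root")"
}

# Run as root against real PIDs, e.g.: ./triage.sh 24489 26456 32569
if [ "$#" -gt 0 ]; then
    for p in "$@"; do proc_triage "$p"; echo; done
fi
```

If cwd and env_PWD disagree, the process changed directory after it started; cwd is the one to inspect.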
  8. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    1
    Trophy Points:
    166
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Very nice, I learn something in here every day :D
     
  9. stdout

    stdout Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    189
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Nelspruit, Mpumalanga, South Africa
    cPanel Access Level:
    Root Administrator
    Glad you liked it. It's a useful way to track processes which are being sneaky - spoofed process name, etc.
     
  10. moinkhan31

    moinkhan31 Member

    Joined:
    May 18, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    151
    Hello,

    It's really nice.

    Thank you
     