The Community Forums


What kind of hack is this...???

Discussion in 'General Discussion' started by bhznat, Nov 2, 2005.

  1. bhznat

    I have found some files in /tmp named like /tmp/dos-xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is an outside IP. In these files there is just a number, I think a counted value. I think this is the IP of a victim that has been attacked by our box, but how?

    I have suexec & phpsuexec installed, so the owner of all files in /tmp is defined. But how can a script use nobody to execute? I think it is impossible with phpsuexec, except for direct code execution through the browser. I wonder how? Maybe a phpBB exploit or so? OK, but how can I prevent this from happening again?

    I have not found any log that shows me how these files were created and accessed.
    To be fair, I don't know exactly how to use egrep to find a record related to this issue.

    Any idea may help me & others to find a solution for this issue.

    Thanks.
     
    #1 bhznat, Nov 2, 2005
    Last edited: Nov 2, 2005
  2. dgbaker

    Those are actually IPs that have been found by the Apache module dos-evasive to be potentially trying to DOS your server. dos-evasive blocks the IP temporarily to try to avoid the DOS from happening.

    http://nanoweb.si.kz/manual/mod_dosevasive.html
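
An added example, not part of the thread and not the module's own code: a small Python inventory of the `dos-<ip>` marker files described above, which reports who wrote each file and when, and flags any marker naming an address you list as the server's own. The function names, the sample addresses and file contents are constructed assumptions; `/tmp` is the location reported in the first post.

```python
import ipaddress
import os
import stat
import tempfile
import time
from pathlib import Path


def list_dos_markers(log_dir="/tmp", own_ips=()):
    """Inventory dos-<ip> marker files in log_dir (hypothetical helper)."""
    own = {ipaddress.ip_address(a) for a in own_ips}
    records = []
    for path in sorted(Path(log_dir).glob("dos-*")):
        try:
            ip = ipaddress.ip_address(path.name[len("dos-"):])
        except ValueError:
            continue  # suffix is not an IP address, so not a marker file
        try:
            # /tmp is world-writable: refuse symlinks, never block on a FIFO
            fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
        except OSError:
            continue
        try:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode):
                continue  # directories, FIFOs and devices are not markers
            content = os.read(fd, 64).decode("ascii", "replace").strip()
        finally:
            os.close(fd)
        records.append({
            "ip": str(ip),
            "uid": st.st_uid,  # account that wrote the file
            "written": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
            "content": content,  # the single number stored in the file
            "is_own_ip": ip in own,
        })
    return records


def demo():
    """Run the inventory over constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "dos-203.0.113.7").write_text("4312\n")    # constructed
        (Path(d) / "dos-198.51.100.20").write_text("4313\n")  # constructed
        (Path(d) / "dos-notes.txt").write_text("not a marker\n")
        os.symlink("/nonexistent", Path(d) / "dos-192.0.2.1")  # must be skipped
        return list_dos_markers(d, own_ips=["198.51.100.20"])


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```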
     
  3. bhznat

    WOW, nice.
    For this I must say thank you so much, David.

    I think this is not documented anywhere, because I found nothing by googling this.

    Regards,
     
  4. sh4ka

    Is there a problem if the main server IP is included in one of those files?
     
  5. dgbaker
