Dear Anoop,

Run /scripts/securetmp on the cPanel server to secure the /tmp partition. You 
would need to remount /tmp in order to complete the process; the best would be 
to reboot the server once (I know you shouldn't be rebooting in Linux to get 
changes effected, however trust me, I run and administer several cPanel 
servers, it's better you reboot once).

Additionally, do this to secure the permissions on the script:

chmod 000 /tmp/sh

To disallow anyone from changing the permissions on the file (even root), do 
the following:

chattr +i /tmp/sh

This will disallow even root from changing the permissions of the file. I am 
recommending this since you say the file is auto-created every time you remove 
it.

And then go through all the logs to find out where the file came from / what 
process created the file.

You can also run Rootkit Hunter to check for a possible rootkit on the server.

--
regards,

Anand Gupta
CEO
India Web Promoters
5/49, IInd Floor,
Old Rajender Nagar
New Delhi - 110060
India
 
Mobile: +91-9810727986/ 9310727986
Phone: +91-11-25815437
Fax: +91-11-42432553
International Premier Partner - Network Solutions
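
As an added example, not code from either message in this thread, the following POSIX shell script audits the state the reply above recommends: whether the filesystem holding /tmp is a separate mount carrying nosuid/noexec/nodev (what a securetmp-style loopback /tmp provides), which setuid/setgid executables exist under it (a root-owned setuid sh would be listed), and whether lsattr shows the immutable flag that chattr +i sets. It assumes the /proc/mounts line format and the lsattr output format; the embedded mount table is a constructed sample, and the /usr/tmpDSK device in it is only a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory the way the reply
# recommends. Assumptions: /proc/mounts format ("dev mountpoint fstype opts
# dump pass") and lsattr output format ("<flags> <path>").

# Constructed sample in /proc/mounts format for offline use; /usr/tmpDSK is
# a placeholder for a loopback-mounted /tmp image, not a real path from the thread.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/usr/tmpDSK /tmp ext3 rw,noexec,nosuid,loop=/dev/loop0 0 0
none /proc proc rw 0 0'

# Print the mount options of the filesystem mounted exactly at $1. Reads
# /proc/mounts-format text from $2 when given, else the live /proc/mounts.
# Prints nothing when $1 is not itself a mount point.
mount_opts_for() {
    mp=$1
    if [ $# -ge 2 ]; then
        printf '%s\n' "$2" | awk -v mp="$mp" '$2 == mp { print $4 }'
    else
        awk -v mp="$mp" '$2 == mp { print $4 }' /proc/mounts
    fi
}

# Given a comma-separated option string, print the hardening options
# (nosuid, noexec, nodev) that are absent, space separated; empty if none.
missing_hardening() {
    opts=",$1,"
    missing=""
    for want in nosuid noexec nodev; do
        case "$opts" in
            *",$want,"*) ;;
            *) missing="$missing${missing:+ }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# List regular files under $1 with the setuid or setgid bit set, sorted,
# one per line. A root-owned "-rwsr-xr-x sh" in /tmp shows up here.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Return 0 if an lsattr output line ("<flags> <path>") carries the lowercase
# 'i' (immutable) flag that chattr +i sets, 1 otherwise.
has_immutable_flag() {
    flags=${1%% *}
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run all three checks against a live directory (default /tmp).
audit_dir() {
    dir=${1:-/tmp}
    opts=$(mount_opts_for "$dir")
    if [ -z "$opts" ]; then
        echo "$dir is not a separate mount point; securetmp-style isolation is absent"
    else
        miss=$(missing_hardening "$opts")
        if [ -z "$miss" ]; then
            echo "$dir mount options OK: $opts"
        else
            echo "$dir is missing: $miss (has: $opts)"
        fi
    fi
    echo "setuid/setgid files under $dir:"
    find_setuid "$dir"
    # Report which of those files already carry the immutable attribute.
    if command -v lsattr >/dev/null 2>&1; then
        find_setuid "$dir" | while IFS= read -r f; do
            line=$(lsattr "$f" 2>/dev/null) || continue
            has_immutable_flag "$line" && echo "  $f is immutable (chattr +i)"
        done
    fi
}

# Invoke as: sh audit_tmp.sh --run [dir]
if [ "${1:-}" = "--run" ]; then
    audit_dir "${2:-/tmp}"
fi
```

Run it as root so find can traverse every user's files; an empty result from mount_opts_for means /tmp is just a directory on the root filesystem, which is the case securetmp exists to change.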

  ----- Original Message ----- 
  From: Anoop Alias 
  To: This List discusses GNU/Linux & GNU,GPL Software ; 
linux-bangalore-technical at yahoogroups.com 
  Sent: Sunday, September 24, 2006 8:59 AM
  Subject: [Mailinglist] Hack in /tmp


  Sirs,

  Please help me with this. I have found the following vulnerable file in the 
/tmp directory of a cPanel server

  ====================================
  /tmp]# pwd
  /tmp

  =================================================================== 
  ll
  total 879
  drwxrwxrwt 2 root root 268288 Sep 23 23:23 ./
  drwx--x--x 25 root root 4096 Sep 23 21:21 ../
  -rw-r--r-- 1 root root 332 Sep 23 23:19 MAIL-HOST
  lrwxrwxrwx 1 root root 30 Sep 23 23:23 mysql.sock -> ../../var/lib/mysql/mysql.sock=
  -rwsr-xr-x 1 root root 616248 Sep 23 23:23 sh*

  =======================================================================
  The script sh is root owned and will be automagically recreated if deleted. 

  The following is the ps output
  
==========================================================================================
  ps -efH

  UID PID PPID C STIME TTY TIME CMD
  root 1 0 0 Sep19 ? 00:00:01 init [3]
  root 2 1 0 Sep19 ? 00:00:06 [migration/0]
  root 3 1 0 Sep19 ? 00:00:00 [ksoftirqd/0]
  root 4 1 0 Sep19 ? 00:00:05 [migration/1]
  root 5 1 0 Sep19 ? 00:00:00 [ksoftirqd/1]
  root 6 1 0 Sep19 ? 00:00:00 [events/0]
  root 7 1 0 Sep19 ? 00:00:00 [events/1]
  root 8 1 0 Sep19 ? 00:00:00 [khelper]
  root 9 1 0 Sep19 ? 00:00:00 [kthread]
  root 12 9 0 Sep19 ? 00:00:00 [kacpid]
  root 92 9 0 Sep19 ? 00:00:00 [kblockd/0]
  root 93 9 0 Sep19 ? 00:00:00 [kblockd/1]
  root 96 9 0 Sep19 ? 00:00:00 [khubd]
  root 163 9 0 Sep19 ? 00:00:00 [pdflush]
  root 166 9 0 Sep19 ? 00:00:00 [aio/0]
  root 167 9 0 Sep19 ? 00:00:00 [aio/1]
  root 750 9 0 Sep19 ? 00:00:00 [kseriod]
  root 794 9 0 Sep19 ? 00:00:00 [scsi_eh_0]
  root 801 9 0 Sep19 ? 00:00:00 [ata/0]
  root 802 9 0 Sep19 ? 00:00:00 [ata/1]
  root 806 9 0 Sep19 ? 00:00:00 [scsi_eh_1]
  root 807 9 0 Sep19 ? 00:00:00 [scsi_eh_2]
  root 2790 9 0 Sep19 ? 00:00:00 [kauditd]
  root 31024 9 0 Sep20 ? 00:00:00 [pdflush]
  root 165 1 0 Sep19 ? 00:00:01 [kswapd0]
  root 856 1 0 Sep19 ? 00:00:01 [kirqd]
  root 859 1 0 Sep19 ? 00:00:03 [kjournald]
  root 2739 1 0 Sep19 ? 00:00:00 udevd
  root 2847 1 0 Sep19 ? 00:00:08 [kjournald]
  root 2848 1 0 Sep19 ? 00:00:02 [kjournald]
  root 2849 1 0 Sep19 ? 00:00:20 [kjournald]
  root 2850 1 0 Sep19 ? 00:00:03 [kjournald]
  root 3577 1 0 Sep19 ? 00:00:02 syslogd -m 0
  root 3581 1 0 Sep19 ? 00:00:00 klogd -x
  root 3591 1 0 Sep19 ? 00:00:00 irqbalance
  root 3646 1 0 Sep19 ? 00:00:00 rpc.idmapd
  root 3714 1 0 Sep19 ? 00:00:00 /usr/sbin/acpid
  root 5209 1 0 Sep19 ? 00:00:00 cupsd
  root 5230 1 0 Sep19 ? 00:00:01 /usr/sbin/sshd
  root 27057 5230 0 22:47 ? 00:00:00 sshd: root at pts/0
  root 27065 27057 0 22:47 pts/0 00:00:00 -bash
  root 5989 27065 0 23:25 pts/0 00:00:00 ps -efH
  root 5245 1 0 Sep19 ? 00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
  root 5263 1 0 Sep19 ? 00:00:02 chkservd
  mailnull 5329 1 0 Sep19 ? 00:00:01 /usr/sbin/exim -bd
  mailnull 5336 1 0 Sep19 ? 00:00:00 /usr/sbin/exim -C /etc/exim_outgoing.conf -q60m
  mailnull 5340 1 0 Sep19 ? 00:00:00 /usr/sbin/exim -tls-on-connect -bd -oX 465
  root 5346 1 0 Sep19 ? 00:00:04 antirelayd
  root 5367 1 0 Sep19 ? 00:00:02 /usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/spamd.pid --ma
  root 6289 5367 0 Sep19 ? 00:00:15 spamd child
  root 21217 5367 0 Sep22 ? 00:00:00 spamd child
  root 5390 1 0 Sep19 ? 00:00:00 gpm -m /dev/input/mice -t exps2
  root 5403 1 0 Sep19 ? 00:00:11 /usr/local/apache/bin/httpd -DSSL
  nobody 12509 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12510 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12511 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 12512 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 12513 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12660 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12661 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12662 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12663 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
  nobody 12664 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
  nobody 12665 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 12666 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12778 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 12779 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12780 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
  nobody 12781 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12782 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
  nobody 12783 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12784 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12785 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
  nobody 12790 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12791 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 12792 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
  nobody 12793 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12794 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12795 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12796 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12797 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12798 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12799 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12800 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12801 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
  nobody 12802 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
  nobody 12803 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
  nobody 12804 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12805 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 12806 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 12808 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 12809 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
  nobody 12810 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 12811 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 14028 5403 0 19:57 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 14074 5403 0 19:57 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 14075 5403 0 19:57 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 14076 5403 0 19:57 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 16461 5403 0 20:06 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 23827 5403 0 20:19 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
  nobody 30202 5403 0 20:33 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 30204 5403 0 20:33 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 30987 5403 0 20:37 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 358 5403 0 20:41 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
  nobody 14262 5403 0 21:43 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 14467 5403 0 21:43 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 15922 5403 0 21:47 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 19325 5403 0 22:00 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 19998 5403 0 22:03 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 25681 5403 0 22:35 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
  nobody 26226 5403 0 22:41 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 27104 5403 0 22:47 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 30589 5403 0 23:02 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 30649 5403 0 23:04 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 31535 5403 0 23:06 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 569 5403 0 23:10 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 1412 5403 0 23:12 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 1910 5403 0 23:17 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 4294 5403 0 23:22 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 4295 5403 0 23:22 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 4392 5403 0 23:23 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 4393 5403 0 23:23 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5014 5403 0 23:24 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5681 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5682 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5683 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5684 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5685 5403 1 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5686 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5805 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5806 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5807 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5808 5403 0 23:25 ? 00:00:00 [httpd] <defunct>
  nobody 5809 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5810 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5811 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5812 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5813 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5814 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5815 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5816 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5817 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5818 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5820 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5821 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5822 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5823 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5824 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5825 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5826 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5827 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5828 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5829 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5831 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5832 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  nobody 5833 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
  root 5411 1 0 Sep19 ? 00:00:02 crond
  root 5461 1 0 Sep19 ? 00:00:00 pure-ftpd (SERVER)
  root 5466 1 0 Sep19 ? 00:00:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth
  xfs 5478 1 0 Sep19 ? 00:00:00 xfs -droppriv -daemon
  root 5496 1 0 Sep19 ? 00:00:00 /usr/sbin/atd
  cpanel 5687 1 0 Sep19 ? 00:00:00 /usr/bin/stunnel-4.15local /usr/local/cpanel/etc/stunnel/default/stunnel.co
  dbus 5733 1 0 Sep19 ? 00:00:00 dbus-daemon-1 --system
  root 5752 1 0 Sep19 ? 00:00:02 hald
  root 5788 1 0 Sep19 ? 00:00:00 /usr/sbin/portsentry -tcp
  root 5903 1 0 Sep19 ? 00:00:20 cpanellogd - setting up logs for herecatc
  herecatc 16191 5903 0 Sep19 ? 00:00:00 cpanellogd - http logs for herecatc
  herecatc 31033 16191 0 Sep20 ? 00:00:00 /usr/local/cpanel/bin/logrunner 2.0 /usr/local/cpanel/3rdparty/bin/awst
  herecatc 31034 31033 0 Sep20 ? 00:04:51 /usr/bin/perl /usr/local/cpanel/3rdparty/bin/awstats.pl -config=herec
  root 5916 1 0 Sep19 ? 00:00:05 cppop - accepting on port 110
  mailman 5932 1 0 Sep19 ? 00:00:00 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl -s start
  mailman 5957 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=A
  mailman 5959 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=B
  mailman 5960 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=C
  mailman 5961 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=I
  mailman 5962 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=N
  mailman 5963 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=O
  mailman 5964 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=V
  mailman 5965 5932 0 Sep19 ? 00:00:00 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=R
  nobody 5970 1 0 Sep19 ? 00:00:00 /usr/local/cpanel/bin/startmelange
  nobody 5973 1 0 Sep19 ? 00:00:00 entropychat
  root 6007 1 0 Sep19 ? 00:01:15 /usr/local/bin/perl -w /usr/local/mrtg-2/bin/mrtg /etc/mrtg/mrtg.cfg
  root 6319 1 0 Sep19 ? 00:00:00 /usr/bin/perl -w /usr/sbin/psad
  root 6325 1 0 Sep19 ? 00:00:00 /usr/sbin/kmsgsd
  root 6327 1 0 Sep19 ? 00:00:01 /usr/sbin/psadwatchd
  named 6328 1 0 Sep19 ? 00:01:13 /usr/sbin/named -u named
  root 6336 1 0 Sep19 tty1 00:00:00 /sbin/mingetty tty1
  root 6337 1 0 Sep19 tty2 00:00:00 /sbin/mingetty tty2
  root 6338 1 0 Sep19 tty3 00:00:00 /sbin/mingetty tty3
  root 6339 1 0 Sep19 tty4 00:00:00 /sbin/mingetty tty4
  root 6340 1 0 Sep19 tty5 00:00:00 /sbin/mingetty tty5
  root 6341 1 0 Sep19 tty6 00:00:00 /sbin/mingetty tty6
  root 9531 1 0 21:22 ? 00:00:00 cpsrvd - waiting for connections
  root 32732 1 0 23:10 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/m
  mysql 32753 32732 0 23:10 ? 00:00:06 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-

  
===============================================================================================
 

  Any pointers will be greatly appreciated

  Thanks in advance
  -- 
  Anoop.P.Alias
  Y!         anoopalias01
  I power Blogger: http://anoop-log.blogspot.com
  Knowledge of millions - http://en.wikipedia.org

