Web Hosting Talk







At a loss with server errors


elygen
05-04-2005, 10:07 AM
I am reselling with a company called varhosting. One of my accounts is throwing some errors to the server. They can't help me and I'm at a loss. They say a script is running called udp.pl. As far as I know this file is not located on the server at all. All the scripts running are PHP. Here are the errors the datacenter is sending them:
12277 flateart  25   0  1688 1688  1184 R     6.0  0.0   1:23   3 perl udp.pl 200.101.44.239 0 999
 9484 flateart  25   0  1688 1688  1184 R     4.7  0.0   2:53   2 perl udp.pl 201.25.66.225 0 999
 9475 flateart  21   0  4260 4260  2808 S     0.0  0.2   0:00   1 /usr/bin/php
 9483 flateart  21   0   976  976   856 S     0.0  0.0   0:00   1 sh -c cd /tmp;perl udp.pl 201.25.66.225 0 999 1> /tmp/phpshellvQaoIh 2>&1; cat /tmp/phpshe
 9486 flateart  25   0   964  964   852 S     0.0  0.0   0:00   0 sh -c (sleep 999;killall -9 udp) &
 9487 flateart  25   0   512  512   436 S     0.0  0.0   0:00   0 sleep 999
12273 flateart  21   0  4260 4260  2808 S     0.0  0.2   0:00   1 /usr/bin/php
12276 flateart  21   0   976  976   856 S     0.0  0.0   0:00   0 sh -c cd /tmp;perl udp.pl 200.101.44.239 0 999 1> /tmp/phpshell3tgO7A 2>&1; cat /tmp/phpsh
12279 flateart  24   0   968  968   852 S     0.0  0.0   0:00   0 sh -c (sleep 999;killall -9 udp) &
12280 flateart  24   0   512  512   436 S     0.0  0.0   0:00   1 sleep 999





root@node106 [/tmp]# ls -la | grep flateart
----------    1 flateart flateart    11269 Jul 16  2004 bd.pl
----------    1 flateart flateart     1089 Feb 26  2001 udp.pl



Please someone help me with this. They said the account will be suspended indefinitely. Please let me know if you need more information.
Thanks
Todd

Mad_Elektra
05-04-2005, 10:17 AM
Is that something to do with Perl?

I'm on server 106 too. But mine's an on and off PHP - SQL problem. Maybe, just maybe, they are installing the new suPHP stuff. They must be busy debugging it as well... I saw that on their forum....

But node106 is really a problematic server...

elygen
05-04-2005, 10:45 AM
I don't have any Perl on the site. I don't know it. I thought I may have isolated it to an old SQL script, but they told me that suPHP is not related to my problem. What changes have you made to correct the problem, if you have corrected any problems?

rghf
05-04-2005, 10:50 AM
It looks like the account has been hacked and a DDoS bot installed, probably via an unsecure phpBB or PHP-Nuke install. I would say it is their problem, as it's probably something in /tmp.

Rus
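
Added example, not part of any post in this thread: a small Python triage pass over a top-style process listing that flags the patterns visible in the first post (a Perl script launched with an IP argument, a shell started with `cd /tmp`, output redirected to a `/tmp/phpshell*` file, and a timed `killall`). The rule names, the 12-columns-then-command layout and the shortened sample lines are assumptions made for this illustration.

```python
import re

# Heuristics drawn from the listing in the first post; rule names are made up here.
RULES = {
    "script-with-ip-arg": re.compile(r"\bperl\s+\S+\.pl\s+(\d{1,3}(?:\.\d{1,3}){3})\b"),
    "shell-run-from-tmp": re.compile(r"^sh -c\s+cd /tmp\s*;"),
    "php-shell-output": re.compile(r">\s*(/tmp/phpshell\w+)"),
    "timed-kill": re.compile(r"sleep\s+\d+\s*;\s*killall\b"),
}

# Sample lines taken from the first post, shortened (constructed input).
SAMPLE = """\
12277 flateart  25   0  1688 1688  1184 R     6.0  0.0   1:23   3 perl udp.pl 200.101.44.239 0 999
 9475 flateart  21   0  4260 4260  2808 S     0.0  0.2   0:00   1 /usr/bin/php
 9483 flateart  21   0   976  976   856 S     0.0  0.0   0:00   1 sh -c cd /tmp;perl udp.pl 201.25.66.225 0 999 1> /tmp/phpshellvQaoIh 2>&1
 9486 flateart  25   0   964  964   852 S     0.0  0.0   0:00   0 sh -c (sleep 999;killall -9 udp) &
"""

def triage(listing):
    """Return (pid, user, rule, detail) for every rule hit in the listing."""
    hits = []
    for line in listing.splitlines():
        fields = line.split(None, 12)  # assumed layout: 12 columns, then the command
        if len(fields) < 13 or not fields[0].isdigit():
            continue  # skip headers, blank lines and truncated rows
        pid, user, command = int(fields[0]), fields[1], fields[12]
        for rule, rx in RULES.items():
            m = rx.search(command)
            if m:
                # Report the captured value (IP or file) when the rule has one.
                detail = m.group(1) if m.groups() else m.group(0)
                hits.append((pid, user, rule, detail))
    return hits

def by_user(hits):
    """Group the rule names that fired under each account."""
    out = {}
    for _pid, user, rule, _detail in hits:
        out.setdefault(user, set()).add(rule)
    return out

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
    print(by_user(triage(SAMPLE)))
```

An account whose PHP processes sit next to all four rules at once is the pattern described in the reply above: commands issued through a web script, working out of /tmp.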

elygen
05-04-2005, 11:22 AM
I noticed that zen-cart was still partially installed. Could this have been a gateway for hackers? They say this is my fault and are going to suspend me for good. Should I be fighting the issue or looking for a problem?
Thanks for the quick responses by the way.

Mad_Elektra
05-04-2005, 11:34 AM
Originally posted by elygen
I don't have any Perl on the site. I don't know it. I thought I may have isolated it to an old SQL script, but they told me that suPHP is not related to my problem. What changes have you made to correct the problem, if you have corrected any problems?

No. The problem hasn't been resolved... I even got a problem logging in to AccountLab...

elygen
05-04-2005, 11:44 AM
I'm using clientexec. That seems to be working well.