  1. #1

    need help tracking process down ..

    I've noticed a 0-byte file called '.ugothacked' inside /tmp owned by a user (let's call him userx).

    It's a 0-byte file so I wasn't immediately concerned. I simply deleted it, thinking that it may have been just some lame (failed) php/cgi hack attempt.

    However, the same 0-byte file reappeared a couple more times after I deleted it manually.

    I've gone through the http logs for this user and haven't found anything suspicious, although I only skimmed through them.

    I grepped through userx's entire homedir searching for the string 'hacked' in all his files and nothing came up ...

    So I am getting a little tired of playing this cat and mouse with whoever it is, and was wondering if the more experienced folks here would have any tips as to how to trap/catch this guy in the act, i.e. at least find out what sort of process is writing that file and who/where/from where it was started.

    It's a RHEL 3.4 Cpanel box (latest kernel etc).

  2. #2
    Join Date: Dec 2001 | Location: NYC, NY | Posts: 798
    grep testuser /etc/passwd

  3. #3
    Uhm ...? I don't have a 'testuser' user.

  4. #4
    Join Date: Mar 2003 | Location: California USA | Posts: 13,294
    Did you use the -i switch when you grepped?

  5. #5
    Originally posted by thelinuxguy
    Did you use the -i switch when you grepped?
    Yeah I did.

    What's this all about? Am I missing something?

  6. #6
    Join Date: Jan 2003 | Posts: 37
    I was looking through my tmp folder and found the exact same file. It had today's date on it and said user nobody owned it.

  7. #7
    Originally posted by lifeisboost
    I was looking through my tmp folder and found the exact same file. It had today's date on it and said user nobody owned it.
    Yours is owned by nobody, probably because you don't use phpSuexec like I do.

    In any case, if you had the same file appear on your server today, it's quite likely it's some automated worm going around trying to exploit some php or perl script.

  8. #8
    Join Date: Jan 2003 | Posts: 37
    I looked through and found nothing else on this. My tmp is secured (hopefully). The first time I deleted it, it reappeared; now it is gone altogether.

  9. #9
    Yep, looks like something going on at random.

    I did the following:

    rm -f .ugothacked
    touch .ugothacked
    chmod 000 .ugothacked
    chattr +iu .ugothacked

    Now it is my byatch!

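An added example, not posted by anyone in this thread: a small Python script that polls for the marker file asked about in post #1 and, once it exists, walks /proc to report which process holds it open (pid, uid, command line). It assumes a Linux procfs and root to read other users' fd tables; the path /tmp/.ugothacked is the one from the thread. A writer that touches the file and exits at once is gone before the poll sees it; a kernel audit watch (auditctl -w /tmp/.ugothacked -p wa -k ugothacked, then ausearch -k ugothacked) records the pid and exe of those.

```python
import os
import tempfile
import time
def _readlink(path):
    try:  # None when the process has exited or its fd table is not readable
        return os.readlink(path)
    except OSError:
        return None

def processes_referencing(target):
    """Return [(pid, uid, cmdline, fd)] for every process holding target open.
    Run as root to see other users' /proc/<pid>/fd entries."""
    target = os.path.realpath(target)
    hits = []
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            if _readlink(f"{fd_dir}/{fd}") != target:
                continue
            try:
                uid = os.stat(f"/proc/{pid}").st_uid
                with open(f"/proc/{pid}/cmdline", "rb") as f:
                    cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            except OSError:
                break
            hits.append((int(pid), uid, cmd, int(fd)))
            break
    return hits

def watch(target, interval=0.2, timeout=None):
    """Poll until target exists, then report who holds it open; None on timeout.
    An empty list means the writer already closed it (use an auditd watch for those)."""
    deadline = None if timeout is None else time.monotonic() + timeout
    while not os.path.lexists(target):
        if deadline is not None and time.monotonic() > deadline:
            return None
        time.sleep(interval)
    return processes_referencing(target)

def self_check():
    """Hold a temp file open and confirm this process is reported for it."""
    with tempfile.NamedTemporaryFile() as tf:
        return any(pid == os.getpid() for pid, _, _, _ in processes_referencing(tf.name))
if __name__ == "__main__":  # constructed usage: watch the path from the thread for 60 s
    for pid, uid, cmd, fd in watch("/tmp/.ugothacked", timeout=60) or []:
        print(f"pid={pid} uid={uid} fd={fd} cmd={cmd}")
```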
