Vulnerable scripts report from host
Posted: Thu Nov 26, 2009 5:34 am
I have a security concern regarding a warning from the company that manages my dedicated server. This may have nothing to do with CMSMS but I want to know if others have encountered this and if it might be related.
This is a clean install of CMSMS with no mods of any kind.
CMSMS V1.6.6
System: Linux
Apache 1.2.14
PHP 5.2.9
MYSQL 5.0.81
Message from hosting company follows. I did not create the tnp folder they refer to. I found the tnp folder in public_html was created by user 0 nobody on Apache.
---------------------------------------------------------
We have received an abuse report regarding your server 'server.myserver.com'. As per the report, there were so many suspicious attempts from your server via SSH.
We could see some vulnerable scripts under the account 'mydomain.com' that caused all those suspicious attempts.
========================
[/home/acctname/public_html/tnp]# ll
total 544
drwxr-xr-x 4 acctname acctname 4096 Nov 25 21:21 ./
drwxr-x--- 12 acctname nobody 4096 Nov 23 06:37 ../
-rw-r--r-- 1 acctname acctname 77 Nov 23 09:46 conf.conf
-rw-r--r-- 1 acctname acctname 276 Nov 23 07:39 jailsh.php
-rw-r--r-- 1 acctname acctname 23638 Nov 23 06:21 List.txt
-rw-r--r-- 1 acctname acctname 2266 Nov 22 13:21 scn.txt
-rw-r--r-- 1 acctname acctname 9559 Nov 23 09:26 s.txt
drwxr-xr-x 3 acctname acctname 4096 Nov 23 12:25 tmp/
drwxr-xr-x 2 acctname acctname 4096 Nov 25 18:01 unixcod/
-rw-r--r-- 1 acctname acctname 487243 Nov 23 06:54 unixco.tar.gz
[/home/acctname/public_html/tnp]#
========================
Currently we have disabled the folder 'tnp' under this account.
Also we suggest you to install CSF firewall that will be more secure and also will prevent the server from any vulnerable attempt.
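Added example, not part of the original post or the host's message: a read-only triage script that lists everything under the web root modified in the same window as the tnp files, with owner and a rough file type, so other changes made at the same time can be found. The function names, the extension lists and the window (Nov 22 to Nov 26, with the year taken from the post date) are assumptions.

```python
import os
import pwd
import stat
import sys
from datetime import datetime

# Assumed extension lists for classifying hits; adjust for the site.
SCRIPT_EXT = {".php", ".phtml", ".pl", ".cgi", ".py", ".sh"}
ARCHIVE_EXT = {".gz", ".tgz", ".tar", ".zip", ".bz2"}


def owner_name(uid):
    """Map a uid to a user name, falling back to the number for unknown uids."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def changed_in_window(docroot, start, end):
    """Return sorted (mtime, kind, owner, relpath) for entries modified in [start, end]."""
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: report symlinks themselves, never follow them
            if not lo <= st.st_mtime <= hi:
                continue
            ext = os.path.splitext(name)[1].lower()
            if stat.S_ISDIR(st.st_mode):
                kind = "dir"
            elif ext in SCRIPT_EXT:
                kind = "script"
            elif ext in ARCHIVE_EXT:
                kind = "archive"
            else:
                kind = "file"
            hits.append((datetime.fromtimestamp(st.st_mtime), kind,
                         owner_name(st.st_uid), os.path.relpath(path, docroot)))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python triage.py /home/acctname/public_html
    # Window is an assumption: listing dates Nov 22-25, year taken from the post date.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for when, kind, owner, rel in changed_in_window(
            root, datetime(2009, 11, 22), datetime(2009, 11, 26)):
        print(f"{when:%Y-%m-%d %H:%M}  {kind:<7}  {owner:<10}  {rel}")
```

Modification times can be set by whoever wrote a file, so an empty result is inconclusive; comparing the tree against a known-good backup or the release archive covers that gap.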