Issues with Cpanel server - Suspect hacking attempts. HELP?
its a Fedora Core 4 VM, running the latest version of cpanel, updated daily.
AMD sempron 3000
512 MB ram
2x80GB drives.
In the past 3 days, at around 3-5pm (not the same time each day)
Something happens in which the server gets super heavy activity and is unable to be used.
on day 2 i decided to leave a session running wtih 'top' running on it.
I noticed that there were 3 perl processes running fighting for 100% cpu usage.
After a bit of research into apache error_logs, i see that something downloaded some scripts from another server and was trying to compile them in tmp.
.iloveyou
.ironmaiden
.ironmaiden2
Noticed they were irc clients. All failed to compile luckily.
The problem is, when these perl processes are running i am forced to reboot the entire server to get the server alive again.
2 questions. How can i check to see how they are getting in? i originally thought it was a bad version of phpBB. so upgraded to the latest on all website accounts.
2nd question is, is there a way i can limit the amount of processor usage a process can use? to not allow perl to take 100% processor usage.
i guess a 3rd question would be, are there any new cpanel exploits out? i cant seem to find a site related to cpanel exploits which would be nice to have.
Today i decided to noexec /tmp to try to prevent compilation of scripts in /tmp, but this doesnt get around the fact that someone is able to download scripts to tmp and attempt to compile them. there is still a hole somewhere, and i cant find where
Thanks.
D.Romano
