Lfd: System Exploit Checking Detected A Possible Compromise
Apr 29, 2008
I always receive this email from lfd:
Time: Tue Apr 29 03:40:13 2008
Possible detection of "Random JS Toolkit"
Failed to create test directory /etc/csf/1: No space left on device:
See [url] for more information
I did this to test if my server is infected:
mkdir /home/1
It was created without any problems,
and I used tcpdump and I got this:
<script type="text/javascript" src='jscripts/ips_ipsclass.js'></script>
<script type="text/javascript" src='jscripts/ipb_global.js'></script>
<script type="text/javascript" src='cache/lang_cache/en/lang_javascript.js'></script>
<script type="text/javascript" src='jscripts/ips_xmlhttprequest.js'></script>
<script type="text/javascript" src='jscripts/ipb_global_xmlenhanced.js'></script>
Does that mean the server is infected? But these scripts are for the IPB forum board, so why do I still receive this email?
Oct 22, 2009
I updated cPanel and after that lfd fails all the time
Oct 22 11:53:21 *** lfd[1653]: *System Exploit* has detected a possible "Random JS Toolkit" - Failed to create test directory /etc/csf/1: Disk quota exceeded
Oct 22 11:53:21 *** lfd[1653]: Error: Cannot open out file: Disk quota exceeded, at line 3780
Oct 22 11:53:21 *** lfd[1653]: daemon stopped
Oct 22 11:53:26 *** lfd[30079]: Error: pid mismatch or missing, at line 589
Oct 22 11:53:26 *** lfd[30079]: daemon stopped
What do you think the issue can be?
In my case the iptables are all correct.
Even if I restart the virtual, it works properly for a while and after that it fails.
Sep 19, 2012
I do not know how this happened, though. When I use the find command in the shell, I get the following error.
find: File system loop detected; `/var/named/chroot/var/named' is part of the same file system loop as `/var/named'.
It is a minimal CentOS 6.3 install with Plesk 11.
Jun 28, 2015
In CentOS 6.6 / Plesk 12, when I use the find command I get this notice:
find: File system loop detected; "/var/named/chroot/var/named" is part of the same file system loop as "/var/named".
Jun 14, 2007
I'm thinking to implement a solution for our VOIP system so that automatic calls should be done several times a day and to check that someone is responding or that it's ringing.
We are using AsteriskWin32 for now and for our needs it's working great.
Jun 2, 2008
I suspect that the internet service provider I'm using is compromising my privacy. If someone who works in the ISP company decides to check up on their customers...
1) Is it possible for them to track which websites the customer has been to?
2) If they wanted to, can they gain access to the things that the customer types, like email passwords, or even email content?
--------------
Reason why I posted this is below:
I live in a country where personal privacy isn't all that respected. Recently, I've encountered a problem. It seems that some people are aware of some info that I post in the web. Now, I posted those info under an anonymous ID, and didn't tell anyone about it at all, and no one else uses my computer. So, how did it get leaked? It's most likely not malware (keyloggers, trojans etc.) because I'm very careful in that aspect.
Aug 3, 2007
I have a site on my server; when I open it, Kaspersky Anti-Virus detects that there is a trojan in this site (see the picture in the attachment),
and I checked the server from WHM and the result is 15 POSSIBLE Trojans Detected.
How can I solve this and remove these trojans?
Nov 27, 2007
We recently set up a server with 4 gigs of RAM and installed the Fedora Core 7 32-bit version on it. After installing the OS, I found that Fedora is able to detect only 2 GB and not 4 GB of RAM. I installed the kernel-PAE and kernel-PAE-devel modules, restarted the server, and made sure that the OS with the PAE switch starts at boot time. However, the OS still does not detect the 4 GB of RAM. Any idea what else can be done apart from installing the 64-bit OS on the system?
Dec 9, 2007
Just installed fresh centos 5 / cpanel and now I get this:
No filesystems with quota detected.
[root@server scripts]# quotacheck -avugm
quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.
Code:
[root@server scripts]# /scripts/initquotas
Quotas are now on
Updating Quota Files......
quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.
quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.
....Done
How do I fix this?
Code:
LABEL=/1 / ext3 defaults,usrquota 1 1
LABEL=/boot1 /boot ext3 defaults 1 2
devpts /dev/pts devpts gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
LABEL=SWAP-sda2 swap swap defaults 0 0
Jun 15, 2007
I am using Windows 2003 Enterprise Edition SP1 and I have recently set the computer up with 4GB RAM. I noticed a problem:
When I start the computer, the BIOS detects all 4GB of RAM. However, when I checked the total physical memory under General (My Computer -> Properties), it does not detect all 4GB of RAM; it only detects 3GB.
I have checked that this OS supports up to 32GB. Why doesn't it detect all 4GB?
What is happening?
Mainboard: Intel chipset 915GL
I followed the instructions on the internet (from Microsoft, to be exact) to add /PAE to the boot.ini file. But it doesn't work.
Jun 23, 2007
I read about a new exploit that embeds PHP code in a GIF file:
[url]
How would that work exactly? Wouldn't a server have to be set up specifically to parse PHP code in gif files? Who would set up their server that way? Is there a way around that so you can remotely trick the server into parsing gif files as PHP code?
Sep 11, 2007
check this out [url]
That could do some damage, all someone would have to do is get shell on a site or be able to see config.php and then connect with that database and mass deface the server or put shells on other sites.
Anyone know of any way to prevent this?
Nov 25, 2007
Just discovered a php exploit on a client's domain.
Found this in the access_log
[url]
=
[url]
Take a look at rmod.txt
[url]
then found this in a conf.txt in the /pearus/.bash folder
Quote:
statefile Infodll.state
connectionmethod direct
server animefox.no-ip.biz 6666
server animefox.no-ip.biz 6667
server animefox.no-ip.biz 6668
server animefox.no-ip.biz 6669
server animefox.no-ip.biz 7000
server animefox2.no-ip.biz 6666
server animefox2.no-ip.biz 6667
server animefox2.no-ip.biz 6668
server animefox2.no-ip.biz 6669
server animefox2.no-ip.biz 7000
server animefox.no-ip.biz 6666
server animefox.no-ip.biz 6667
server animefox.no-ip.biz 6668
server animefox.no-ip.biz 6669
server animefox.no-ip.biz 7000
server animefox2.no-ip.biz 32000
server animefox2.no-ip.biz 40000
server animefox2.no-ip.biz 42000
server animefox2.no-ip.biz 44000
server animefox2.no-ip.biz 48000
channel ###Snake###
channel #PoIsOn_MuSiC
adminpass f2oL8zmnIG/CA
user_nick PoIsOn|MuSiC|030
#local_vhost 123.456.789.123
#tcprangestart 4000
#usenatip 123.456.789.123
user_realname ...::::9PoIsOn CrEw::::...
user_modes +ix
loginname r0x
slotsmax 10
queuesize 30
maxtransfersperperson 1
maxqueueditemsperperson 2
restrictlist yes
restrictprivlist no
restrictsend yes
restrictprivlistmsg Per la lista [url]
respondtochannelxdcc no
respondtochannellist no
headline 9,2 ..::4T11h0e 13B9e11S7t 4C11h9a8n7n8e7L 11O4f 11T7h4e 8W13o8r9l7D11::..
creditline 9,2 ..::4T11h0e 13B9e11S7t 4C11h9a8n7n8e7L 11O4f 11T7h4e 8W13o8r9l7D11::..
adminhost *!*@PoIsOn.CrEw
adminhost SilverFox!*@*.*
uploadhost *!*@PoIsOn.CrEw
uploadhost *!*@P.o.I.s.O.n
downloadhost *!*@*.*
hideos yes
filedir /home/httpd/vhosts/domain.com/httpdocs/pearus/.bash
uploaddir /home/httpd/vhosts/domain.com/httpdocs/pearus/.bash
#
contents of the .bash folder:
Quote:
-rw-r--r-- 1 apache apache 1729 Nov 23 11:44 conf.txt
-rwxr-xr-x 1 apache apache 214350 Nov 5 06:01 httpd
-rwxr-xr-x 1 apache apache 214382 Nov 5 06:01 httpd_chroot
-rw-r--r-- 1 apache apache 268 Nov 25 13:25 Infodll.state
-rw-r--r-- 1 apache apache 268 Nov 25 13:23 Infodll.state~
-rw-r--r-- 1 apache apache 268 Nov 19 06:12 mybot.state
-rw-r--r-- 1 apache apache 268 Nov 19 06:09 mybot.state~
-rw-r--r-- 1 apache apache 604160 Sep 23 09:07 Poi.tar
-rwxrwxrwx 1 apache apache 41 Nov 25 10:52 restart
Still trying to dig in some more to figure out how they were able to exploit
here's the first few lines of their blog.php
Quote:
<?php
session_cache_limiter('none');
session_start();
ob_start();
?>
<?php include_once("oneadmin/config.php");
include_once($path["docroot"]."common/session.php"); ?>
Nov 29, 2007
Several of our dedicated servers got hacked (NOT rooted), but many of the sites on each server got hacked.
After tracing the hacking process, we found that the hacker only put a "perl" file containing:
++++++++++cut here+++++++++
symlink("/link/to/victim/configs","/link/to/local/hacker/site");
+++++++++++cut here++++++++++++
and then we found many links to victim config files on the local hacker site!
All servers are running with:
-php 4.4.7
-centos 4.5
-cpanel
I tried to do the same thing as a normal user, but I get the "Permission denied" error and I cannot read the linked files!
So how can I prevent the function "symlink" from executing using perl?
Is there any new exploit in php/perl?
Nov 24, 2007
My provider sent me an abuse ticket with the message below. This is a cPanel server with 300 domains. How do I go about tracking down the problem? They can’t give me any more information and I don’t know where else to look.
This ticket was automatically generated by the XXXXXXXXXXXXXX Network Protection System. An unusual amount of traffic has been detected involving your IP address xx.xx.xx.xx.
Details of the event follow:
3885: HTTP: PHP File Include Exploit
This filter detects an attempt to post the contents of an external script to a PHP application. This behavior is typical of a PHP file include vulnerability attack. This attack could allow an attacker to insert custom code into a variable that would be executed by all users of the vulnerable application.
Sep 4, 2007
I got email notice about this:
Quote:
The following warning/error was logged by the smartd daemon:
Device: /dev/sdb, 1 Currently unreadable (pending) sectors
For details see host's SYSLOG (default: /var/log/messages).
Quote:
The following warning/error was logged by the smartd daemon:
Device: /dev/sdb, 1 Offline uncorrectable sectors
For details see host's SYSLOG (default: /var/log/messages).
It causes the server to crash and go down.
Feb 8, 2008
I'm just working with my first dedicated server and also in the process of coding a new site. Anyway, I've gotten around to emailing users from scripts on my site (Java Servlet). Using Sendmail as the server (with default config) the emails are detected as spam by pretty much everything.
I'm looking for a complete list of things which need to be done to ensure an email isn't detected incorrectly as spam. I've read through various sites etc but haven't found a definitive list of things which should be done. I'm sure this would be helpful for other forum visitors too.
I'm NOT trying to send spam or anything like that but I haven't set up a dedicated server before.
Aug 27, 2007
I am using Merak Mail server 8.0.3 (Windows). For the past 2 - 3 days many of my users have been complaining that their genuine mails are going to spam. The value set for antispam is 5, i.e. if the antispam value is above it, the mail is detected as spam, else not spam.
But for the past few days, in whichever genuine mail is detected as spam, I have found a very uncommon thing. It shows '10.4 FH_HAS_X Has X: header'
The SpamAssassin table shows the following information:
Content analysis details: (16.34 points, 5.00 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.1 HTML_MESSAGE HTML included in message
0.1 HTML_TAG_EXISTS_TBODY HTML has "tbody" tag
2.2 DEAR_SOMETHING Contains 'Dear (something)'
2.4 BAYES_80 Bayesian spam probability is 80 to 90%
0.0 NO_RDNS2 Sending MTA has no reverse DNS
10.4 FH_HAS_X Has X: header
1.1 SARE_HEAD_MIME_INVALID SARE_HEAD_MIME_INVALID Invalid mime version
0.1 SARE_HEAD_HDR_XMS SARE_HEAD_HDR_XMS Message headers used whic
Aug 11, 2007
On one of my CentOS 64-bit servers, there are errors with the NICs:
NETDEV WATCHDOG: eth0: transmit timed out
e1000: eth0: e1000_watchdog_task: NIC Link is Up 100 Mbps Full Duplex
e1000: eth0: e1000_watchdog_task: 10/100 speed: disabling TSO
e1000: eth0: e1000_clean_tx_irq: Detected Tx Unit Hang
Tx Queue <0>
TDH <59>
TDT <5c>
next_to_use <5c>
next_to_clean <58>
buffer_info[next_to_clean]
time_stamp <1241628eb>
next_to_watch <59>
jiffies <124162eba>
next_to_watch.status <0>
e1000: eth0: e1000_clean_tx_irq: Detected Tx Unit Hang
Tx Queue <0>
TDH <59>
TDT <5c>
next_to_use <5c>
next_to_clean <58>
buffer_info[next_to_clean]
time_stamp <1241628eb>
next_to_watch <59>
jiffies <12416368a>
next_to_watch.status <0>
Is there any idea for fixing this? It's an SM PDSMI+ board. Kernel 2.6.9-55.0.2.ELsmp #1 SMP Tue Jun 26 14:14:47 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
Nov 6, 2009
CSF install the new version, I warned that the option Check for cxs. I had a few questions!
1 - is it free? And can be installed and will work?
2 - I like these things are additional to the installation?
3 - a bit about this new possibility to explain how to solve the case to get out of the red.
Jun 28, 2008
How can I translate a kernel exploit to secure my server, like this one:
[url]
How can I know what to do to my server if I see any exploit?
Jan 2, 2008
Has anyone had to deal with a recent exploit of TikiWiki (comes as one of the available Fantastico scripts)? I found my server had been compromised quite by accident. I was Googling my domain just to see what came up and found a bunch of pages with links to porn sites that were in some subdirectories in my TikiWiki install. This article discusses:
[url]
Just wondering if anyone here has had to deal with this and if there is anything else I should do that is not discussed in the article?
Jun 10, 2008
have found open servers and are trying to execute:
Site: MYSite (mydomain.com)
Error Code: 404 Missing URL ()
Occurred: Tue Jun 10 17:57:20 MDT 2008
Requested URL: //mypanel/clientarea.php?action=[url]
User Address: 67.15.183.164
User Agent: libwww-perl/5.805
Referer:
"Alartist" seems to be an Arabic site while the IP seems to be hosted by the Planet.
Anyone else seeing these?
View Related
Feb 14, 2007
I have been having trouble with my server lately sending out a lot of emails and I thought I had tracked it down to people taking advantage of some mailing lists which I took care of.
What I ran into today is I have a business where I send out emails using a php script in our shopping cart. Well I got a lot of failure emails back that caught my attention. They have about 200 random email listings that are not in my database saying why they can't be delivered and then a copy of the actual newsletter that I just sent today.
So is it possible that somewhere something is injecting this BCC field into the php mail()? If so, is there something that I can do to find this script?
Box is set to poplock 20min, smtp auth on, firewall has been up for years, chkrootkit is clean.
Mar 30, 2007
I've been checking my logs and I'm seeing a TON of referers like...
Quote:
Originally Posted by Logs
[url]
Is this some kind of new Cpanel exploit?
May 6, 2007
I think I have a security problem with my server. I have a CentOS 4.4 server with 2GB of RAM and the Plesk 8.1 control panel.
It is a dedicated server. Http crashed, and when I want to restart Apache it gives an "address already in use" error. Then, while I was googling for a solution to this, I found one and checked which service is using that port, and I saw r0nin there.
I don't know if it is an exploit, or how it got infected and how to solve it. I attached a screenshot below.
I will be glad if you can give me some more information about it. Also, I am using apf as the firewall on my server.
Jan 8, 2008
I have 2 reseller accounts with one provider, and in the last several days I have noticed that when you visit the site for the first time, my AV software detects a trojan on the site, but the code & html files are 100% clean!
I'm suspecting that there is something being injected into the scripts from the server daemons that's either running or something else.
Anyone have any suggestions?
Apr 12, 2009
tell me about leaseweb for Webhosting Service not Detected servers?
And I want to ask if they allow warez linking?
Feb 1, 2008
I installed 2 SATA raptors drives on my server. I formatted/partitioned one of the drives through WHM. After rebooting both drives disappeared. They are still detected within the BIOS but not in CentOS. It is possible that I installed a wrong driver or made a bad configuration change.
Server Info:
CentOS 4.6 64bit
cPanel/WHM
Motherboard: [url]
OS is running on a 250GB IDE drive
2 SATA WD Raptors (That I am trying to get to work)