hacking attempt plz help

Hello dear

Today one of my clients told me that his public_html was deleted.

I looked at the log file for this client and I didn't find a delete function.

But I see someone uploaded these files


cpaneldownacct.cgi* cpanelkill.cgi* cpanelwrap.cgi* .htaccess.1083763824
cpaneldownload.cgi* cpanelwrap.c .htaccess


in the cgi-bin

and this is the content of cpanelkill.cgi

#!/usr/bin/perl


$ENV{'QUERY_STRING'} =~ s/\n//g;
$ENV{'QUERY_STRING'} =~ s/\s//g;

my($quser,$qpass) = split(/\&/, $ENV{'QUERY_STRING'}, 2);



chomp($pwd = `pwd`);
open(PASSWD,"/etc/passwd");
while(<PASSWD>){
($name,$x,$uid,$gid,undef,$homedir,$shell) =
split(/:/,$_);
next if (length($homedir) < 3);

if ($pwd =~ /^${homedir}\// || $pwd =~ /^${homedir}$/) {
$founduid = 1;
last;
}
}
close(PASSWD);

print "Content-type: text/html\r\n\r\n";
my $homedir = (getpwuid($uid))[7];
my $user = (getpwuid($uid))[0];
print "UNLINKED\n";
unlink("/tmp/cpmove-${user}.tar.gz");
exit if ($homedir eq "/" || $homedir eq "");
system("/bin/rm","-rf","$homedir/public_html/cgi-bin/cpdownload");


Can anyone help me, or does anyone know more about this?
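A triage aid for the files described in the post above, added here as an example and not part of the original post: it lists what a Perl CGI script would delete or execute, and decodes the numeric suffix on the .htaccess backup on the assumption that it is a Unix timestamp. The function names, the pattern list and the embedded sample (an excerpt of the quoted script) are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: an excerpt of the cpanelkill.cgi quoted in the post.
SAMPLE = r'''#!/usr/bin/perl
chomp($pwd = `pwd`);
open(PASSWD,"/etc/passwd");
print "UNLINKED\n";
unlink("/tmp/cpmove-${user}.tar.gz");
exit if ($homedir eq "/" || $homedir eq "");
system("/bin/rm","-rf","$homedir/public_html/cgi-bin/cpdownload");
'''

# Perl calls that delete files or run external commands (assumed, non-exhaustive list).
PATTERNS = {
    "unlink": re.compile(r'\bunlink\s*\(\s*"([^"]+)"'),
    "rm": re.compile(r'\bsystem\s*\(\s*"(?:/bin/)?rm"\s*,(.*)\)'),
    "backtick": re.compile(r'`([^`]+)`'),
}

def find_destructive_calls(source):
    """Return (line_no, kind, target) for each deletion or shell call found."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip the shebang and comment lines
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            target = m.group(1)
            if kind == "rm":
                # Keep only non-option arguments: the paths handed to rm.
                args = re.findall(r'"([^"]*)"', target)
                target = " ".join(a for a in args if not a.startswith("-"))
            hits.append((no, kind, target))
    return hits

def suffix_time(name):
    """Decode a trailing 10-digit suffix as a Unix epoch (assumption), else None."""
    m = re.search(r'\.(\d{10})$', name)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc).isoformat()

if __name__ == "__main__":
    for hit in find_destructive_calls(SAMPLE):
        print(hit)
    print(suffix_time(".htaccess.1083763824"))
```

On the quoted script this reports only the /tmp/cpmove archive and the cgi-bin/cpdownload directory as deletion targets.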
