Server hacked through cPanel?
I have received the following e-mail notifying me: cpsrvd failed @ Sat Nov 5 00:41:00 2005. A restart was attempted automagicly.
My cPanel is up to date with all versions of the stable software and only I have access to the WHM account as well as all accounts for the domains. I do not have customers that have any access whatsoever to my control panel. I know there is currently at least one private exploit that can compromise cPanel and I am wondering if my server has become the victim of a hacker. I ran rkhunter with the latest version and I am showing incorrect md5sums on:
/bin/dmesg
/bin/login
/bin/kill
/bin/mount
Everything else is checking out fine.
I also ran chkrootkit and it is showing:
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! admin 27576 pts/2 /bin/bash
! admin 27583 pts/2 su -
! root 27603 pts/2 -bash
! admin 27643 pts/3 /bin/bash
! admin 27650 pts/3 su -
! root 27654 pts/3 -bash
! admin 27712 pts/4 /bin/bash
! root 5370 pts/3 ./services
! root 4573 pts/2 /bin/sh ./chkrootkit
! root 5585 pts/2 ./chkutmp
! root 5586 pts/2 ps ax -o tty,pid,ruser,args
chkutmp: nothing deleted
All of the processes listed above are ones I am currently running, so I am wondering: what should I do next? Any ideas, anyone? Has anyone seen this happen before?