./check.cgi & ./hnc.cgi & ./***.cgi ???

These are things used as a mail spam gateway proxy.

They get uploaded to the server through an abused PHP script or similar and then run.

After being run, the file is deleted and becomes impossible to find.

The easiest method to find and remove them from the server

#grep -r "check.cgi" /var/log/proftpd/.

might be

or alternatively

updatedb

then run locate .pl and look in the results for a file named something like 2332832683276.pl.

—————————

I think one of your domains on the server is hacked. Can you do a grep -i hnc.cgi /var/log/messages; got any results?

If you didn't get any results, do this too:

zgrep -i hnc.cgi /var/log/messages.*.gz

Also check whether any hnc.cgi files are on the server using find:

cd /home; find -name "hnc.cgi" -type f

Any results?

Somehow one of your FTP accounts/domains was hacked and it's used to upload the hnc.cgi or check.cgi script, and they start running it. After running, this script is usually deleted, and hence you may not find it if you use the locate/find command. So the best way to check which account got hacked is to check for the pattern hnc.cgi in the FTP logs.

After verifying the logs you will clearly see that it was uploaded and removed after running that script.

Yes, hnc.cgi is used to send spam. If you find any pattern of hnc.cgi in /var/log/messages, immediately change the password for the account and the FTP accounts.

Also verify the files uploaded by checking the logs and make sure the hacker didn't modify your web files.
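Both posts above come down to the same procedure: grep the FTP transfer log for uploads of check.cgi or hnc.cgi, work out which account did the uploading, and check whether the file is still on disk. The script below is an added example, not code from either poster. It runs against a constructed sample log in xferlog format (the format proftpd's TransferLog uses; the account names, IPs, and paths are made up) and handles rotated .gz logs the same way the zgrep step does.

```shell
#!/bin/sh
# Added example (not from the thread): scan an FTP transfer log for uploads of the
# spam-gateway scripts named in the thread (check.cgi / hnc.cgi), report which
# account uploaded them, and check whether each file is still on disk.
# The log lines below are constructed for the demo; they follow xferlog field order:
#  1-5 timestamp  6 transfer-time  7 remote-host  8 bytes  9 filename  10 type
#  11 special-action  12 direction (i=upload, o=download)  13 access-mode
#  14 username  15 service  16 auth-method  17 auth-uid  18 status
set -eu

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mon Mar  3 02:11:09 2014 1 203.0.113.45 18432 /home/victim/public_html/images/hnc.cgi a _ i r victim ftp 0 * c
Mon Mar  3 02:11:15 2014 1 203.0.113.45 2048 /home/victim/public_html/images/check.cgi a _ i r victim ftp 0 * c
Mon Mar  3 02:20:01 2014 4 198.51.100.7 812345 /home/other/public_html/photo.jpg b _ i r other ftp 0 * c
Mon Mar  3 03:00:00 2014 1 203.0.113.45 18432 /home/victim/public_html/images/hnc.cgi a _ o r victim ftp 0 * c
EOF

# Print "username remote-host filename" for every upload (direction 'i') of a
# suspect script. Rotated logs (*.gz) are read with zcat, like the zgrep step.
# A download ('o') of the same name is not an upload and is ignored.
suspect_uploads() {
    case "$1" in
        *.gz) zcat -- "$1" ;;
        *)    cat -- "$1" ;;
    esac | awk '$12 == "i" && $9 ~ /\/(hnc|check)\.cgi$/ { print $14, $7, $9 }' | sort -u
}

# Distinct accounts that uploaded a suspect script: these are the accounts whose
# FTP and control-panel passwords need changing, as the reply advises.
compromised_accounts() {
    suspect_uploads "$1" | awk '{ print $1 }' | sort -u
}

# For each uploaded path, report whether it still exists. The thread notes the
# script normally deletes itself after running, so "gone" is the usual result
# and still means the account was abused; "present" means there is a file to remove.
check_on_disk() {
    suspect_uploads "$1" | while read -r user host path; do
        if [ -f "$path" ]; then
            echo "present $user $path"
        else
            echo "gone $user $path"
        fi
    done
}

suspect_uploads "$SAMPLE_LOG"
compromised_accounts "$SAMPLE_LOG"
check_on_disk "$SAMPLE_LOG"
```

On a real server, point the functions at /var/log/proftpd/xferlog (or whatever TransferLog is set to) and at each rotated copy; the grep on /var/log/messages suggested in the reply only works if your FTP daemon logs there, so check the daemon's configured log path first.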