/ftp_scanner on the WHM server, what is it?
Hello,
While running the "top -c" command I found processes like these:
[QUOTE]438641 root 19 0 97.9m 908 488 R 3.6 0.0 114:05.52 ./ftp_scanner -h .5.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438614 root 25 0 129m 944 488 R 3.3 0.0 113:58.00 ./ftp_scanner -h .1.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438617 root 21 0 113m 932 488 R 3.3 0.0 114:01.40 ./ftp_scanner -h .2.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438618 root 25 0 59256 868 488 R 3.3 0.0 113:47.55 ./ftp_scanner -h .3.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438634 root 25 0 105m 916 488 R 3.3 0.0 113:59.92 ./ftp_scanner -h .4.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438647 root 22 0 92024 900 488 R 3.3 0.0 113:59.00 ./ftp_scanner -h .6.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438652 root 25 0 75640 888 488 R 3.3 0.0 113:53.63 ./ftp_scanner -h .7.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438655 root 25 0 67448 880 488 R 3.3 0.0 113:40.89 ./ftp_scanner -h .8.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
438658 root 25 0 59256 872 488 R 3.3 0.0 113:40.53 ./ftp_scanner -h .9.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
440352 root 25 0 26488 824 476 R 3.3 0.0 110:12.91 ./ftp_scanner -h 78.23.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
Please, what does it do and why is it there? Which commands should I run to discover more? When I cat that file located in /root/fb I see, among others:
[QUOTE]
-u Users file
-p Password file
-o Output file
-v Verbose mode
-C Check RMDIR command
-h Host/s to scan (ex 192.168.0.0/24)
-t Timeout in seconds (default 5)
-c Number of thread (default 20)
-b Store banner in output file
-d Stop bruteforce after a valid user
-s Store strange ftp reply in output file
-k Check SSH and Telnet on host with a valid user
Multi-thread FTP scanner v0.2.5 by Inode
-
I think your server has been hacked and is being used to scan for other compromised servers. That file is looking for default users on the FTP servers it's listing. It's running as root, so the hacker has got you quite hard. You'll need to run a rootkit scanner on your server, and maybe block outbound FTP connections. You'll also probably need to check your logs to see when this started, so you can figure out which one of your users has been compromised, and let them know. You got some work ahead of you!!
Hello :) I've moved this thread to the "Security" forum. You may receive more user-feedback here. Thank you.
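On the question of which commands help discover more: this is an added example, not part of the thread. The shell function reads /proc to report, for each process whose command line contains a pattern, the owner UID, the on-disk path of the binary and its working directory. The function name `triage_procs` and the overridable proc root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added triage example (not from the thread).
# Usage: triage_procs PATTERN [PROC_ROOT]
# PROC_ROOT defaults to /proc; it is overridable (an assumption of this
# example) so the function can also be run against a saved copy.

triage_procs() {
    pattern=$1
    proc_root=${2:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        pid=${dir##*/}
        # Skip the shell that is running this function.
        [ "$pid" = "$$" ] && continue
        # /proc/PID/cmdline is NUL-separated; make it printable.
        cmd=$(tr '\000' ' ' < "$dir/cmdline")
        case $cmd in
            *"$pattern"*) ;;
            *) continue ;;
        esac
        # First field after "Uid:" is the real UID (0 means root).
        uid=$(awk '/^Uid:/ {print $2; exit}' "$dir/status" 2>/dev/null) || uid=
        # exe resolves to the real binary path even when argv[0] is relative
        # (as with "./ftp_scanner"); cwd is the directory it was started in,
        # which is where the users, pass and log files would be looked up.
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe=
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd=
        printf 'pid=%s uid=%s exe=%s cwd=%s cmd=%s\n' \
            "$pid" "${uid:-?}" "${exe:-?}" "${cwd:-?}" "$cmd"
    done
}
```

Run it as root with `triage_procs ftp_scanner` before killing anything, so the binary and working-directory paths are recorded for the later log review.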