I just wanted to update that support has sent me an email with an explanation of where the attack possibly occurred, so thank you for that, support.
If anyone else has any general suggestions where I can go for help on how one goes about tracking down and fixing something like this, I'm all ears. All I know to do at this point is open the cPanel raw access logs, look for something suspicious, and block the IP.
Also, what is weird is the user 'turnkey' is suspended, yet the 'top' command in SSH is showing that user still executing a perl command. How can the user be executing something when the acct is suspended? Again, I'm not a server guy; can anyone point me in a direction where I can go to find out exactly where this perl script is executing under the turnkey user, so I can delete the perl script?
Thanks.