usr/bin/php?

  • hx607
    Junior Member
    • Jan 2005
    • 8

    usr/bin/php?

    Precursor: Yes, I suck, I know it. I feel like I do not know my way around LINUX/UNIX anymore since college. I blame corporate America and my mother-in-law. Ridicule me at will, I deserve it (but only if you tell me how to solve my issue, k?)

    Question: How do I get to this directory to delete a file from it? Someone posted a script in it that has gotten a customer's account disabled. Obviously, it was not me, so I'll be securing it too. I'll take comments on that too.

    mucho thankso

  • Buddha
    Senior Member
    • Mar 2004
    • 825

    #2
    How do I get to this directory to delete a file from it?
    You don't, Andrew will take care of it. If your customer put a file there then they were banned for good reason.
    "Whatcha mean I shouldn't be rude to my clients?! If you want polite then there will be a substantial fee increase." - Buddha


    • hx607
      Junior Member
      • Jan 2005
      • 8

      #3
      k, thnx. Maybe I am worse off than I thought then:
      The domain was suspended due to insecure scripts on the domain allowing users to download and execute illegal content directly on the server as can be seen below. We can unsuspend the domain but if it occurs again it will be suspended permanently. It is your responsibility to keep the software up-to-date.

      root@cpanel19 [~]# ps aux | grep armchair
      armchair 12627 0.0 0.4 12084 4372 ? S 08:49 0:00 /usr/bin/php view.php
      armchair 12629 0.0 0.0 2156 968 ? S 08:49 0:00 sh -c cd /dev/shm;./tembak 202.138.230.1 6667
      armchair 12630 90.0 0.0 1500 432 ? R 08:49 21:55 ./tembak 202.138.230.1 6667
      armchair 13756 0.0 0.4 12088 4372 ? S 08:51 0:00 /usr/bin/php view.php
      armchair 13758 0.0 0.0 2164 972 ? S 08:51 0:00 sh -c cd /dev/shm;./tembak 202.138.230.1 3006
      armchair 13759 88.0 0.0 1504 432 ? R 08:51 19:20 ./tembak 202.138.230.1 3006
      armchair 14537 0.0 0.4 12080 4368 ? S 08:53 0:00 /usr/bin/php view.php
      armchair 14539 0.0 0.0 2156 972 ? S 08:53 0:00 sh -c cd /dev/shm;./tembak 202.138.230.1 3006
      armchair 14540 87.0 0.0 1496 432 ? R 08:53 17:04 ./tembak 202.138.230.1 3006

      dis-xxxx (me) - 09/02/05 @ 10:06:49 AM CDT
      ok. please unsuspend and I will remedy and update whatever they have on there.
      Did you remove this malicious script(s)? Is it the view.php script?
      AndrewT - 09/02/05 @ 10:13:13 AM CDT
      The domain has been unsuspended. view.php would be the problem script - we do not modify customer data.
      I must be missing something ...
      Last edited by hx607; 09-02-2005, 01:17 PM.
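Added example (not part of the original posts or the host's tooling): a small Python triage over `ps aux` rows like those quoted in post #3. It flags commands that touch world-writable directories or run a binary by relative path, plus a high-CPU check; the directory list and the 50% CPU threshold are assumptions.

```python
import re

# Assumed list of world-writable locations where uploaded payloads get staged.
WRITABLE_DIRS = ("/dev/shm", "/tmp", "/var/tmp")

# Three rows copied from the ps output quoted in post #3.
SAMPLE = """\
armchair 12627 0.0 0.4 12084 4372 ? S 08:49 0:00 /usr/bin/php view.php
armchair 12629 0.0 0.0 2156 968 ? S 08:49 0:00 sh -c cd /dev/shm;./tembak 202.138.230.1 6667
armchair 12630 90.0 0.0 1500 432 ? R 08:49 21:55 ./tembak 202.138.230.1 6667
"""

def parse_ps_aux(text):
    """Split `ps aux` rows into dicts; COMMAND is everything from field 11 on."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11 or not parts[1].isdigit():
            continue  # header row or truncated line
        procs.append({"user": parts[0], "pid": int(parts[1]),
                      "cpu": float(parts[2]), "command": parts[10]})
    return procs

def reasons(proc, cpu_threshold=50.0):
    """Return the heuristics this process trips (empty list if none)."""
    cmd = proc["command"]
    hits = []
    # A writable directory appearing as a path token anywhere in the command.
    if any(re.search(r"(^|[\s;&|=])" + re.escape(d) + r"(/|$|[\s;&|])", cmd)
           for d in WRITABLE_DIRS):
        hits.append("uses world-writable dir")
    # A program started as ./name instead of from an installed path.
    if re.search(r"(^|[\s;&|])\./\S+", cmd):
        hits.append("runs binary by relative path")
    if proc["cpu"] >= cpu_threshold:
        hits.append("high CPU")
    return hits

def triage(text):
    """Map pid -> reasons for every flagged process."""
    return {p["pid"]: r for p in parse_ps_aux(text) if (r := reasons(p))}

if __name__ == "__main__":
    for pid, why in triage(SAMPLE).items():
        print(pid, ", ".join(why))
```

The `/usr/bin/php view.php` row is not flagged by these heuristics, and `ps aux` does not show parent PIDs; `ps -eo pid,ppid,user,args` gives the parent column needed to tie a flagged child back to the script that spawned it.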


      • Buddha
        Senior Member
        • Mar 2004
        • 825

        #4
        Look for view.php in your customer's account; that would be the problem file. You can use the File Manager in cPanel. Know what scripts your customer is running?
        Last edited by Buddha; 09-02-2005, 01:30 PM. Reason: Addition

        • hx607
          Junior Member
          • Jan 2005
          • 8

          #5
          k, thnx for the quick replies Buddha (looking now for the file).

          PHP-wise, they are running PNuke (Out of date - updating), PNphpBBS2 (Out of date - updating). Everything else is pretty simple JavaScript/HTML for their fantasy football stuff. I am going to also suggest a dir permission change to those recommended in the Script Security thread.

          arrgghhh ...


          • Buddha
            Senior Member
            • Mar 2004
            • 825

            #6
            Sh*t happens but looks like you have it under control. It's probably a Nuke file. Updating will probably solve the problem.

            Precursor: Yes, I suck, I know it. I feel like I do not know my way around LINUX/UNIX anymore since college. I blame corporate America and my mother-in-law. Ridicule me at will, I deserve it (but only if you tell me how to solve my issue, k?)
            Better to know some of the questions than all of the answers. Someone much smarter than me said that.

            • hx607
              Junior Member
              • Jan 2005
              • 8

              #7
              Aye, lad, wise speak indeed. Thank ye again.
