cback

[allstarwebs]

Hi Guys,

hope this is the right forum. In the basic installation of direct admin, is there a file supposed to be in root called cback?

There was an abuse report, and likely someone got in through an exploitable script, which I think I got rid of, but the abuse department pointed me to a file called cback.

Can I safely delete this? I opened it but it's non-sensical - it has "elf" in there like some of the DA scripts do, which is why I am asking

 

[Crusader]

http://www.directadmin.com/forum/showthread.php?t=29240

Was it in /tmp ?

It's likely a hack caused by Roundcube exploit.

 

[scsi]

cback is not supposed to be there.

 

[allstarwebs]

It's in root right now, but I think it may be there from the DC. Not sure where it was originally if it was moved. I was away, and didn't even know there was issue until I noticed the server was down.

Anyway, in tmp, there was a file - wasn't named it was simply ,. or something like it, so I deleted that, all permissions had been removed from the file in question by I'm guessing the DC.

Thing is, for the life of me, if someone put that there, I certainly cannot find the hole. Really nothing different on the server between now and three months ago, and I am the only user besides my nephew.

Weird, but it had something to do with IRC, which I don't have a clue about anyway.

Now that I know it does not belong, I'll remove it then. Thanks again!

 

[nobaloney]

User Crusader pointed out that it might have come from a Roundcube exploit.

Jeff

 

[floyd]

Really nothing different on the server between now and three months ago

Really? Nothing at all? No web server, no mail server, no directadmin; just a base operating system just sitting there?

 

[nobaloney]

Of course if he's got RoundCube installed and had no changes on the server between now and three months ago, then we know he's got a vulnerable version.

Jeff

 

[floyd]

He is the one that said he had nothing installed.