Folder without a name in root.

romand700

Regular Pleskian
Hello,
For some days now there has been a folder without a name in the root of my server. I think it is fail2ban that creates this folder? Only I have access to the server.

Any idea?

Regards,
Schermata 2015-05-31 alle 13.29.49.png
 
Hi romand700,

I think it is fail2ban that creates this folder?

Fail2Ban does NOT create folders or files outside of its own folder(s) - I wonder what makes you think that it does.

Rename suspicious folder(s) to something like ".to-investigate" and investigate the possible files and folders ( permissions ?!? ). Have a look at your log files as well for possible issues/errors after renaming the folder(s), and also run a rootkit check. Delete the folder(s) if your investigations lead nowhere.
 
Hello UFHH01,
3 days ago I deleted the folder. Inside was a script with some files and millions of IPs which generated many GB of traffic from port 5901. After 3 days this untitled folder has been recreated. Only I have root access, and I changed my password. Who creates this folder?

Any idea?

Regards,
 
Hi romand700,

I have absolutely no clue WHO or WHAT created the folder, but it sounds suspicious and I still recommend investigating it with a rootkit checker ( en.wikipedia.org/wiki/Rootkit ) - ( "watchdog" = "rkhunter" is part of Plesk... please use it ). And please inform yourself as well about other possible ways to secure your server ( one example is: http://kb.odin.com/en/114620 , but there are far more tutorials, documentations and suggestions for server administrators all over the internet ).
 
Hello UFHH01,
last night and this morning I received notifications of Apache CPU usage. In the notification from this night it seems that the problem is fail2ban? Do you see some other problem? I'm sorry but I cannot decipher the notification.

I attached the files.. Please see..

Regards,
 

Attachments

  • CPU-Apache-this-night.txt
    14.4 KB · Views: 3
  • CPU-Apache-this-morning.txt
    17.2 KB · Views: 5
Hi romand700,

your files point to an actual high memory usage, which is absolutely normal behaviour. I don't see what the temporary high memory usage should point to, if you have a suspicious folder ???
 
Hello UFHH01,
I investigated the suspect folder. On the server I found the script "pscan2". I deleted it, but after 2 days it has been recreated. I tried to change the password, and when I run this command:

php -d open_basedir= -d safe_mode=0 plesk_password_changer.php `cat /etc/psa/.psa.shadow` --clean-up-sessions

but I have this error:
Could not open input file: plesk_password_changer.php

regards,
 
php -d open_basedir= -d safe_mode=0 plesk_password_changer.php `cat /etc/psa/.psa.shadow` --clean-up-sessions

but I have this error:
Could not open input file: plesk_password_changer.php

Please read the WHOLE KB article to solve your issue with the Plesk Password Reset Script: Plesk Mass Password Reset Script ( KB article 113 391 )

Code:
**Note**: The `exec` function of PHP has to be enabled, so during `plesk_password_changer.php` execution, comment the following line in `php.ini`:

    disable_functions = 'apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, ... , mysql_pconnect'


For your "pscan2" issue, please have a look at the link: "http://www.linuxquestions.org/quest...ver-infected-with-scanssh-pscan2-sshf-823263/" and search Google for other suggestions and recommendations ( use the keyword "pscan2" - yes... with quotes, please! ).
You should consider asking for / ordering some server administration support, because a compromised server can be tricky if you are inexperienced.
 
Hello UFHH01,
Unfortunately I do not know any trustworthy server administrator. I'm in difficulty because I cannot seem to eradicate this script pscan2. If you can help me, or you know a server administrator, please contact me in private.

Regards,
 
Hi,

There is a space at the beginning of the path specification of a script.
Look inside the directory and you will find it, with the script. If you think it's fail2ban, then look at the config....
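The last reply explains the "folder without a name": a directory whose name is a single space. The following added example (not from the thread or from Plesk) lists entries in a directory whose names begin or end with whitespace, so such a folder can be spotted from the shell instead of a file manager; the scratch directory and its entry names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread: find directory entries whose names start
# or end with a space or tab. Such names render as an empty label in file
# managers and panels, which is exactly what the poster saw in "/".

tab=$(printf '\t')

# find_blank_names DIR
# Prints one line per suspicious entry: the name in square brackets (so the
# invisible characters become visible), the kind, and the permission string.
find_blank_names() {
    dir=$1
    # Include dot-entries; a glob with no match stays literal, hence the -e test.
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        case $name in
            ' '*|*' '|"$tab"*|*"$tab")
                if [ -d "$path" ]; then kind=directory; else kind=file; fi
                perms=$(ls -ld "$path" | cut -d' ' -f1)
                printf '[%s] %s (%s)\n' "$name" "$kind" "$perms"
                ;;
        esac
    done
}

# count_blank_names DIR
# Number of suspicious entries, handy for a monitoring check on "/".
count_blank_names() {
    find_blank_names "$1" | wc -l | tr -d ' '
}

# make_demo
# Constructed scratch directory: a normal folder, a folder named by a single
# space (as in the thread) and a file with a trailing tab. Prints its path.
make_demo() {
    demo=$(mktemp -d)
    mkdir "$demo/normal" "$demo/ "
    : > "$demo/notes$tab"
    printf '%s\n' "$demo"
}

# Stand-alone run: build the demo, list the odd entries, clean up.
d=$(make_demo)
find_blank_names "$d"
rm -rf "$d"
```

Run it against `/` as root to list the odd entries there; a non-zero count from `count_blank_names /` is worth an alert on a server that should have no such names.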
 