I received an email from anonymous...
"A worm using a phpbb vulnerability is trying to infect my system coming from IP xx...."
Well, I ran rkhunter and chkrootkit and both came back fine. Are there any others I can run to check for such a worm?
cPanel 9.9.9 R-14
PHP v 188.8.131.52
I believe the worm is running as nobody. I did notice a high load in server status for the nobody user.
User Domain %CPU %MEM Mysql Processes
nobody 95.24 14.34 0.0
Top Process %CPU 96.3 /hsphere/shared/apache/bin/httpd -DSSL
Top Process %CPU 96.2 /hsphere/shared/apache/bin/httpd -DSSL
Top Process %CPU 96.0 /hsphere/shared/apache/bin/httpd -DSSL
Linux server.myserver.com 2.4.21-4.0.1.ELsmp #1 SMP Thu Oct 23 01:27:36 EDT 2003 i686 i686 i386 GNU/Linux
Please give me a hand here.