Strange script in /tmp

[vmicovic]

Hello,

i just notice one script in tmp file "ks-script-NhuzyO" (which is root owner), which content is:

Code:

wget -O /usr/local/sbin/show-tech http://192.168.0.1/applications/show-tech
chmod +x /usr/local/sbin/show-tech

cat /etc/fstab | grep -v tmp > /etc/fstab.new
cat /etc/fstab | egrep -e '^LABEL=/tmp\s+|^tmpfs\s+|^\S+\s+/tmp' | sed 's/defaults/defaults,rw,nosuid,nodev,noexec/' >> /etc/fstab.new
mv /etc/fstab.new /etc/fstab

yum -y update
chkconfig network on
wget -O /etc/firstboot http://192.168.0.1/empty
chmod +x /etc/firstboot

cp /etc/rc.d/rc.local /etc/rc.d/rc.local.back

DEV=`grep -l /sys/class/net/*/address -e 00:22:64:34:75:fb | awk -F '/' '{print $5}'`

cat > /etc/rc.local <<MYFIRSTBOOT
#!/bin/sh
/etc/firstboot
rm /etc/firstboot
wget -O /dev/null -t 10 -T 3 --retry-connrefused http://192.168.0.1/cgi2/done.pl?audit=yes
mv /etc/rc.d/rc.local.back /etc/rc.d/rc.local

cat /etc/sysconfig/network-scripts/tmp.ifcfg-eth0 | sed 's/eth0/$DEV/' > /etc/sysconfig/network-scripts/ifcfg-$DEV
rm /etc/sysconfig/network-scripts/tmp.ifcfg-eth0
cat /etc/sysconfig/network-scripts/tmp.route6-eth0 | sed 's/eth0/$DEV/' > /etc/sysconfig/network-scripts/route6-$DEV
rm /etc/sysconfig/network-scripts/tmp.route6-eth0

reboot

MYFIRSTBOOT

wget -O /etc/sysconfig/network-scripts/tmp.ifcfg-eth0 http://192.168.0.1/ks/00-22-64-34-75-fb-net
wget -O /etc/sysconfig/network-scripts/tmp.route6-eth0 http://192.168.0.1/ks/00-22-64-34-75-fb-route6
wget -O /dev/null -t 10 -T 3 --retry-connrefused http://192.168.0.1/cgi2/done.pl?noPXE=1
%end

And log file of that script (which is also in tmp folder):

Code:

--2012-04-28 01:15:16--  http://192.168.0.1/applications/show-tech
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 85 [text/plain]
Saving to: `/usr/local/sbin/show-tech'

     0K                                                       100% 9.36M=0s

2012-04-28 01:15:16 (9.36 MB/s) - `/usr/local/sbin/show-tech' saved [85/85]

Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirror.sov.uk.goscomb.net
 * extras: mirror.sov.uk.goscomb.net
 * updates: mirror.sov.uk.goscomb.net
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package coreutils.i386 0:5.97-34.el5_8.1 set to be updated
---> Package device-mapper-multipath.i386 0:0.4.7-48.el5_8.1 set to be updated
---> Package freetype.i386 0:2.2.1-31.el5_8.1 set to be updated
---> Package glibc.i686 0:2.5-81.el5_8.2 set to be updated
---> Package glibc-common.i386 0:2.5-81.el5_8.2 set to be updated
---> Package gnutls.i386 0:1.4.1-7.el5_8.2 set to be updated
---> Package kernel.i686 0:2.6.18-308.4.1.el5 set to be installed
---> Package kpartx.i386 0:0.4.7-48.el5_8.1 set to be updated
---> Package libgcrypt.i386 0:1.4.4-5.el5_8.2 set to be updated
---> Package libpng.i386 2:1.2.10-17.el5_8 set to be updated
---> Package libtiff.i386 0:3.8.2-14.el5_8 set to be updated
---> Package libxml2.i386 0:2.6.26-2.1.15.el5_8.2 set to be updated
---> Package nspr.i386 0:4.8.9-1.el5_8 set to be updated
---> Package nss.i386 0:3.13.1-5.el5_8 set to be updated
---> Package openssl.i686 0:0.9.8e-22.el5_8.3 set to be updated
---> Package popt.i386 0:1.10.2.3-28.el5_8 set to be updated
---> Package rpm.i386 0:4.4.2.3-28.el5_8 set to be updated
---> Package rpm-libs.i386 0:4.4.2.3-28.el5_8 set to be updated
---> Package rpm-python.i386 0:4.4.2.3-28.el5_8 set to be updated
---> Package tzdata.i386 0:2012b-3.el5 set to be updated
---> Package wget.i386 0:1.11.4-3.el5_8.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                    Arch    Version                    Repository  Size
================================================================================
Installing:
 kernel                     i686    2.6.18-308.4.1.el5         updates     19 M
Updating:
 coreutils                  i386    5.97-34.el5_8.1            updates    3.6 M
 device-mapper-multipath    i386    0.4.7-48.el5_8.1           updates    2.9 M
 freetype                   i386    2.2.1-31.el5_8.1           updates    312 k
 glibc                      i686    2.5-81.el5_8.2             updates    5.3 M
 glibc-common               i386    2.5-81.el5_8.2             updates     16 M
 gnutls                     i386    1.4.1-7.el5_8.2            updates    351 k
 kpartx                     i386    0.4.7-48.el5_8.1           updates    428 k
 libgcrypt                  i386    1.4.4-5.el5_8.2            updates    251 k
 libpng                     i386    2:1.2.10-17.el5_8          updates    241 k
 libtiff                    i386    3.8.2-14.el5_8             updates    308 k
 libxml2                    i386    2.6.26-2.1.15.el5_8.2      updates    797 k
 nspr                       i386    4.8.9-1.el5_8              updates    121 k
 nss                        i386    3.13.1-5.el5_8             updates    1.1 M
 openssl                    i686    0.9.8e-22.el5_8.3          updates    1.5 M
 popt                       i386    1.10.2.3-28.el5_8          updates     76 k
 rpm                        i386    4.4.2.3-28.el5_8           updates    1.2 M
 rpm-libs                   i386    4.4.2.3-28.el5_8           updates    929 k
 rpm-python                 i386    4.4.2.3-28.el5_8           updates     61 k
 tzdata                     i386    2012b-3.el5                updates    766 k
 wget                       i386    1.11.4-3.el5_8.1           updates    582 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade      20 Package(s)

Total download size: 56 M

etc.

and at the end new date:

Code:

--2012-04-28 01:17:00--  http://192.168.0.1/empty
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10 [text/plain]
Saving to: `/etc/firstboot'

     0K                                                       100% 1.14M=0s

2012-04-28 01:17:00 (1.14 MB/s) - `/etc/firstboot' saved [10/10]

--2012-04-28 01:17:00--  http://192.168.0.1/ks/00-22-64-34-75-fb-net
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 315 [text/plain]
Saving to: `/etc/sysconfig/network-scripts/tmp.ifcfg-eth0'

     0K                                                       100% 35.8M=0s

2012-04-28 01:17:00 (35.8 MB/s) - `/etc/sysconfig/network-scripts/tmp.ifcfg-eth0' saved [315/315]

--2012-04-28 01:17:00--  http://192.168.0.1/ks/00-22-64-34-75-fb-route6
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 105 [text/plain]
Saving to: `/etc/sysconfig/network-scripts/tmp.route6-eth0'

     0K                                                       100% 15.6M=0s

2012-04-28 01:17:00 (15.6 MB/s) - `/etc/sysconfig/network-scripts/tmp.route6-eth0' saved [105/105]

--2012-04-28 01:17:00--  http://192.168.0.1/cgi2/done.pl?noPXE=1
Connecting to 192.168.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: `/dev/null'

     0K                                                         608K=0s

2012-04-28 01:17:01 (608 KB/s) - `/dev/null' saved [4]

/tmp/ks-script-NhuzyO: line 36: fg: no job control

Is this script of WHM or something else?
p.s: i don`t have network 192.168.x.x

Thank you.

[cPanelTristan]

What does /etc/firstboot file show? This isn't a WHM script, but given it's doing things for IPv6 IP addresses, it might have been done by your datacenter, NOC or provider when they setup the machine.

Of note, ks-script typically refers to kickstart script for setting up a machine on first boot.

[vmicovic]

i don`t have firstboot in etc, i have in /etc/syconfig and contain:

RUN_FIRSTBOOT=NO

I will contact DC, thank you for your help.


Br.