  1. #1
    Member
    Join Date
    May 2004
    Posts
    15

    Default thousands of files in tmp

    I find thousands of files in /tmp

    they all begin with the letters cdk

    for example

    it is not even easy for "ls" to display them, nor easy to remove them all at once

    can I know what these files are about?
    and do they introduce any security or performance risk?

  2. #2
    Member
    Join Date
    May 2004
    Posts
    15

    Default

    can anybody help

  3. #3
    Member
    Join Date
    Aug 2003
    Posts
    38

    Default

    you won't hurt anything by removing them. if they are owned by 'nobody' i would definitely remove them. i say kill 'em.

  4. #4
    Member
    Join Date
    May 2004
    Posts
    15

    Default

    thank you for your fast reply jorel

    but I am really concerned: how are they generated, and what application do they relate to

  5. #5
    Member
    Join Date
    Aug 2003
    Posts
    38

    Default

    i've encountered them on my server and when there get to be too many i just remove them. i'm not sure what script creates them but i'm pretty sure they are harmless. you can always try viewing one of them to check for any malicious code. just make sure there isn't anything else suspicious in there.

  6. #6
    Member
    Join Date
    Jun 2004
    Posts
    48

    Default

    Any fix for this?

    I'm having same problem now
    http://www.yawsh.com

  7. #7
    Member
    Join Date
    Jun 2004
    Posts
    48

    Default

    The strange thing is that I deleted them all and noticed that they are created again very fast.

    The second thing is that they are 0-byte files, with nothing in them.
    PHP Code:
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdk76JBx8
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdk8FTD1B
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdkboDfEU
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdkbPKd1T
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdkjLLd0n
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdkkvG4CM
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdkMyLUmd
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdktVXAZT
    Some files are 160 bytes and contain this code:
    PHP Code:
    <?php

    require_once ('mysql.inc.php');
    require_once ('getlang.php');

    session_start();
    $time_start = getmicrotime();
    require_once ('functions.admin.php');

    require_once ('upload.inc.php');
    include_once ('templates/footer.html');

    $time_end = getmicrotime();

    ob_end_flush();
    ?>

    I tried to find some of the code in /home
    PHP Code:
    find . -type f -name '*.*' -exec grep -s 'getmicrotime()' {} \; -print | more
    and I got this result:
    PHP Code:
       $lasttime=getmicrotime()-0.9;
     $currenttime=getmicrotime();
    ./xxxx/public_html/OLD_site/ibr/getroommsgs.php
               $timestm=getmicrotime();        
    ./xxxx/public_html/OLD_site/ibr/band4ever.php
             { $timestm=getmicrotime();        
    ./xxxx/public_html/OLD_site/ibr/sendmsgtoroom.php
    function getmicrotime(){ 
    ./xxxx/public_html/OLD_site/ibr/func.php
               $timestm=getmicrotime();        
    ./xxxx/public_html/OLD_site/ibr/bandtmp.php
          $this->TimeStart = getmicrotime();
          $this->TimeTotal = @round(getmicrotime() - $this->TimeStart,4);
      function getmicrotime()
    ./xxxx/public_html/up/so.php
    if (!function_exists("getmicrotime")) {function getmicrotime() {list($usec, $sec) = explode(" ", microtime()); return ((float)$use
    c + (float)$sec);}}
    define("starttime",getmicrotime());
        $ftpquick_st = getmicrotime();
        $ftpquick_t = round(getmicrotime()-$ftpquick_st,4);
      $searchtime = getmicrotime();
      $searchtime = round(getmicrotime()-$searchtime,4);
        $st = getmicrotime();
        $dt = round(getmicrotime()-$st,4);
    <br><TABLE style="BORDER-COLLAPSE: collapse" height=1 cellSpacing=0 borderColorDark=#666666 cellPadding=0 width="100%" bgColor=#333333 borderColorLight=#c0c0c0 
    border=1><tr><td width="990" height="1" valign="top"><p align="center"><b>--[ c99shell v. <?php echo $shver?> <a href="<?php echo $surl?>act=about"><u><b>po
    wered by</b></u></a> Captain Crunch Security Team | <a href="http://ccteam.ru"><font color="#FF0000">http://ccteam.ru</font></a><font color="#FF0000"></font> | 
    Generation time: <?php echo round(getmicrotime()-starttime,4); ?> ]--</b></p></td></tr></table>
    ./xxxx/public_html/up/dr.php.3gp
    Which is somehow a shell that is uploaded -->> dr.php.3gp


    But till now I did not find any shell uploaded.

    If it is not that important, why is /tmp getting full within 2 days?
    Then MySQL stops working, creating many issues.


    thanks for your reply HelloAdam


    Any other comments on this, guys?
    http://www.yawsh.com

  8. #8
    Member
    Join Date
    Nov 2005
    Posts
    147

    Default

    Hey,

    It's the /tmp folder, what do you expect to be in there? Any program or script that is on your server is going to use that folder.

    You should make sure that your /tmp has noexec on it.

    From,
    Adam
    cPanel Customer since November 2005
    ---
    - 7 Servers running cPanel/WHM

    Tutorials I have made:
    - Transfer accounts from one server to another

  9. #9
    Member
    Join Date
    Jun 2004
    Posts
    48

    Default

    BTW: I wrote my last reply after HelloAdam; how did his reply come after mine???
    http://www.yawsh.com

  10. #10
    Member
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    217

    Default

    Those are session files, looks like someone doing something weird,

    you are searching for the wrong thing above; please search for these files
    • mysql.inc.php
    • getlang.php
    • functions.admin.php
    • upload.inc.php
    • templates/footer.html

    in file name and content using find.

    That should help you find the folder of the script which is responsible for those /tmp files


    hope that helps
    Affordable Linux Server Management Solution
    http://www.linuxnetworkcare.com/services/cpanel.php
    [ Phone: 647-722-5303 MSN : sutha@linuxnetworkcare.com AIM : xerophytev skype:ksutha5]
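
The search suggested in post #10, as an added example that is not part of the thread: it pulls the include names out of the non-empty cdk files instead of copying them by hand, then ranks directories under the web root by how many of those names they contain or reference. The function names `included_names` and `rank_dirs` and the `/tmp` and `/home` layout are assumptions; only single-quoted includes, as shown in post #7, are recognised.

```shell
#!/bin/sh
# Added example, not from the thread. Directories and the cdk prefix are
# passed as arguments; function names are hypothetical.

# Print the distinct file names that the non-empty PREFIX* files in TMPDIR
# pull in with require/include (single-quoted form, as in post #7).
# Names are limited to [A-Za-z0-9_./-] because they are reused in patterns.
included_names() {   # usage: included_names TMPDIR PREFIX
    find "$1" -maxdepth 1 -type f -name "$2*" ! -size 0 -exec cat {} + |
        tr '\n' ' ' |
        grep -oE "(require|include)(_once)? *\( *'[A-Za-z0-9_./-]+'" |
        cut -d"'" -f2 | sort -u
}

# Read names on stdin; for each directory under WEBROOT print how many of
# the names it either contains as a file or references from a .php file.
# Highest count first: that directory most likely holds the script.
rank_dirs() {        # usage: included_names ... | rank_dirs WEBROOT
    while IFS= read -r name; do
        {
            # a file with this (relative) name exists under the directory
            find "$1" -type f -path "*/$name" | sed "s|/$name\$||"
            # a .php file in the directory mentions the name
            find "$1" -type f -name '*.php' -exec grep -lF -- "$name" {} + |
                sed 's|/[^/]*$||'
        } | sort -u
    done | sort | uniq -c | sort -rn
}

# Example run (assumed layout): included_names /tmp cdk | rank_dirs /home
```

A directory that scores on all five names is the one to inspect first; paths containing spaces are not handled by the counting step.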
