apache user submitting file /tmp (exploit)

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
The following should do this:
Code:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
securetmp forces it to be remounted with the nosuid option. This forces a process to run with the same privileges of the user who executes it. It does not keep a user from being able to send mail via a script Tips to Make Your Server More Secure | cPanel & WHM Documentation
 

daemoncesar

Well-Known Member
Aug 28, 2013
72
0
6
cPanel Access Level
Root Administrator
[[email protected] ~]# grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
1
1 /home/artelaje/public_html/site/contato
1 /home/blubiers/public_html
2 /home/chiodini/public_html
3 /home/demasul/public_html
4 /usr/local/cpanel/whostmgr/docroot
5 /root
10 /home/grupostarke/public_html
12 /home/babybear/public_html/wp-admin
16 /home/portecsc/public_html/scripts
25 /home/fortcom/public_html
36 /home/babybear/public_html
142 /
[[email protected] ~]#
 

daemoncesar

Well-Known Member
Aug 28, 2013
72
0
6
cPanel Access Level
Root Administrator
The above command accounts, which may be vulnerable ?

Code:
1 /home/artelaje/public_html/site/contato

1 /home/blubiers/public_html

2 /home/chiodini/public_html

3 /home/demasul/public_html

4 /usr/local/cpanel/whostmgr/docroot

5 /root

10 /home/grupostarke/public_html

12 /home/babybear/public_html/wp-admin

16 /home/portecsc/public_html/scripts

25 /home/fortcom/public_html

36 /home/babybear/public_html

142 /
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
Hello,


I'd have no way to know this, you need to look at the scripts in those directories. If you're not sure how to do this you need to enlist the assistance of a qualified system administrator. If you don't have one you might find one here: System Administration Services.