The following should do this:
securetmp forces it to be remounted with the nosuid option. This forces a process to run with the same privileges of the user who executes it. It does not keep a user from being able to send mail via a script Tips to Make Your Server More Secure | cPanel & WHM Documentation
Code:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n[root@kepler ~]# grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
1
1 /home/artelaje/public_html/site/contato
1 /home/blubiers/public_html
2 /home/chiodini/public_html
3 /home/demasul/public_html
4 /usr/local/cpanel/whostmgr/docroot
5 /root
10 /home/grupostarke/public_html
12 /home/babybear/public_html/wp-admin
16 /home/portecsc/public_html/scripts
25 /home/fortcom/public_html
36 /home/babybear/public_html
142 /
[root@kepler ~]#
1
1 /home/artelaje/public_html/site/contato
1 /home/blubiers/public_html
2 /home/chiodini/public_html
3 /home/demasul/public_html
4 /usr/local/cpanel/whostmgr/docroot
5 /root
10 /home/grupostarke/public_html
12 /home/babybear/public_html/wp-admin
16 /home/portecsc/public_html/scripts
25 /home/fortcom/public_html
36 /home/babybear/public_html
142 /
[root@kepler ~]#
There's nothing stopping you from running
/scripts/securetmp but it will not stop this behavior. None of your users is sending "from" tmp
You need to look for the script in the directory mail is originating from as I suggested earlier.
The above command accounts, which may be vulnerable ?
Code:
1 /home/artelaje/public_html/site/contato
1 /home/blubiers/public_html
2 /home/chiodini/public_html
3 /home/demasul/public_html
4 /usr/local/cpanel/whostmgr/docroot
5 /root
10 /home/grupostarke/public_html
12 /home/babybear/public_html/wp-admin
16 /home/portecsc/public_html/scripts
25 /home/fortcom/public_html
36 /home/babybear/public_html
142 /Hello,
I'd have no way to know this, you need to look at the scripts in those directories. If you're not sure how to do this you need to enlist the assistance of a qualified system administrator. If you don't have one you might find one here: System Administration Services.
I'd have no way to know this, you need to look at the scripts in those directories. If you're not sure how to do this you need to enlist the assistance of a qualified system administrator. If you don't have one you might find one here: System Administration Services.
I already scanned the server.
It has malware in wordpress files.
I just want to know which files are sending to /tmp
It has malware in wordpress files.
I just want to know which files are sending to /tmp
Do you have a problem disabling commands (wget, curl, lynx) and putting permission only for root?
