directory in /tmp disappearing after a while...

carock

Well-Known Member
Sep 25, 2002
St. Charles, MO
I have a weird problem. I can't tell if it's a malicious attacker, or some housekeeping cPanel is doing.

I installed mod_bandwidth, and recently, every couple of days, my /tmp/apachebw directory is being removed from the /tmp directory.

After this happens, if Apache restarts for some reason, it won't come back up because the directory is missing.

This has happened twice in the last four days. I even tried renaming the directory to something non-standard, but it was still deleted. This is what leads me to believe it's malicious as it's the only thing deleted from /tmp.

Aside from creating a cron script to check whether it exists and recreate it, can anyone help me figure out if it's a cPanel process or some jerk?

Thanks,
Chuck
 

viraj

Well-Known Member
Sep 28, 2006
India
Chuck,

Is the /tmp partition secured on your server? If not, then you may be in trouble...as hackers may exploit the /tmp partition & that may cause havoc on your server later. Check the logs that may mention something related to these events...

First get it secured by running this simple cPanel script from SSH as root: '/scripts/securetmp'
-- OR --
By referring to the following URL: http://www.etechsupport.net/forum/showthread.php?t=599

AFAIK : There is no such cron/process to remove any files from the /tmp... err cPanel housekeeping :)
 

sleddog

Active Member
Jun 13, 2004
Labrador, Canada
The tmpwatch program is designed to remove old files from /tmp (and other directories) and is run as a daily system cronjob from /etc/cron.daily/tmpwatch (at least on Redhat/CentOS machines).
 

carock

Well-Known Member
Sep 25, 2002
St. Charles, MO
I do have /tmp secured, and I went ahead and added the directory to the tmpwatch script anyway.

I have another server that doesn't have this problem with same O/S and cPanel/WHM.

As far as security goes, the /tmp directory for mod_bandwidth has to have rwx for user nobody or the module doesn't work.

I have /tmp/apachemod_bw as the directory named in my Apache config, so that directory has 777 perms within /tmp:

drwxrwxrwx 4 nobody nobody 4096 Mar 27 09:33 apachemod_bw/

No matter how secure /tmp is, 777 makes that one directory vulnerable, doesn't it? The module won't work though unless the Apache process can write to those directories.

Chuck
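The recreate-if-missing cron script Chuck mentions in the first post, written here as an added example rather than anything posted in the thread. It assumes the directory named in httpd.conf is /tmp/apachemod_bw and the Apache workers run as nobody; instead of 777 it sets mode 0700 owned by that user, which still gives the Apache process the rwx mod_bandwidth needs while keeping other local users out. The tmpwatch `-x` exclusion in the comment is an alternative if you would rather keep tmpwatch from touching the directory at all.

```shell
#!/bin/sh
# Constructed example: recreate the mod_bandwidth scratch directory if tmpwatch
# (or anything else) removed it, so a later Apache restart does not fail.
# BW_DIR and BW_OWNER are assumptions; match them to your Apache config.

BW_DIR="${BW_DIR:-/tmp/apachemod_bw}"   # directory named in httpd.conf
BW_OWNER="${BW_OWNER:-nobody}"           # user the Apache workers run as

# ensure_bw_dir DIR OWNER
# Creates DIR if it is missing, then forces mode 0700 and (when root) owner
# OWNER. 0700 owned by the Apache user is enough for the module's rwx
# requirement and avoids the world-writable 777 directory. Prints the
# resulting octal mode so the cron log shows what was applied.
ensure_bw_dir() {
    dir="$1"; owner="$2"
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1
        echo "recreated missing $dir" >&2
    fi
    # Tighten from 777 to 700: only the owning user needs access.
    chmod 0700 "$dir" || return 1
    # chown needs root; skip it when run unprivileged (e.g. a dry run).
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$dir" || return 1
    fi
    stat -c '%a' "$dir"
}

# Cron usage (assumed path), e.g. every 10 minutes:
#   */10 * * * * /root/bin/ensure_bw_dir.sh --run
# Alternatively, exclude the directory from the daily cleanup by adding
#   -x /tmp/apachemod_bw
# to the tmpwatch command line in /etc/cron.daily/tmpwatch.
if [ "${1:-}" = "--run" ]; then
    ensure_bw_dir "$BW_DIR" "$BW_OWNER"
fi
```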