directory in /tmp disappearing after a while...

Discussion in 'General Discussion' started by carock, Mar 27, 2007.

  1. carock

    I have a weird problem. I can't tell if it's a malicious attacker, or some housekeeping cPanel is doing.

    I installed mod_bandwidth, and recently, every couple of days, my /tmp/apachebw directory is being removed from the /tmp directory.

    After this happens, if Apache restarts for some reason, it won't come back up because the directory is missing.

    This has happened twice in the last four days. I even tried renaming the directory to something non-standard, but it was still deleted. This is what leads me to believe it's malicious as it's the only thing deleted from /tmp.

    Aside from creating a cron script to check whether it exists and recreate it, can anyone help me figure out if it's a cPanel process or some jerk?

    Thanks,
    Chuck
     
  2. viraj

    Chuck,

    Is the /tmp partition secured on your server? If not, then you may be in trouble...as hackers may exploit the /tmp partition & that may cause havoc on your server later. Check the logs that may mention something related to these events...

    First get it secured by running this simple cPanel script from SSH as root '/scripts/securetmp'
    -- OR --
    By referring to the following URL: http://www.etechsupport.net/forum/showthread.php?t=599

    AFAIK : There is no such cron/process to remove any files from the /tmp... err cPanel housekeeping :)
     
  3. sleddog

    The tmpwatch program is designed to remove old files from /tmp (and other directories) and is run as a daily system cronjob from /etc/cron.daily/tmpwatch (at least on Redhat/CentOS machines).
     
  4. carock

    I do have /tmp secured, and I went ahead and added the directory to the tmpwatch script anyway.

    I have another server that doesn't have this problem with the same O/S and cPanel/WHM.

    As far as security goes, the /tmp directory for mod_bandwidth has to have rwx for user nobody or the module doesn't work.

    I have /tmp/apachemod_bw as the directory named in my Apache config, so that directory is 777 perms within /tmp

    drwxrwxrwx 4 nobody nobody 4096 Mar 27 09:33 apachemod_bw/

    No matter how secure /tmp is, 777 makes that one directory vulnerable, doesn't it? The module won't work though unless the apache process can write to those directories.

    Chuck
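
An added example, not posted by anyone in this thread: a shell version of the cron check mentioned in the first post. It recreates the directory when it is missing, with mode 700 and the Apache user as owner instead of 777, and refuses to touch a symlink or a directory with an unexpected owner. It assumes GNU stat, that Apache runs as nobody as stated above, and that owner-only access is enough for the module; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and repair a service state directory that lives in /tmp.
# Needs GNU stat. Give MODE without a leading zero (700, not 0700).

# check_state_dir DIR OWNER MODE: print one status word; return 0 only for "ok".
check_state_dir() {
    dir=$1 owner=$2 mode=$3
    if [ -L "$dir" ]; then echo symlink; return 1; fi   # never follow a planted link
    if [ ! -e "$dir" ]; then echo missing; return 1; fi
    if [ ! -d "$dir" ]; then echo not-a-directory; return 1; fi
    # %U is the owner name, %a the octal permission bits
    cur_owner=$(stat -c %U "$dir")
    cur_mode=$(stat -c %a "$dir")
    if [ "$cur_owner" != "$owner" ]; then echo "wrong-owner:$cur_owner"; return 1; fi
    if [ "$cur_mode" != "$mode" ]; then echo "wrong-mode:$cur_mode"; return 1; fi
    echo ok
}

# ensure_state_dir DIR OWNER MODE: recreate or tighten; refuse anything unexpected.
ensure_state_dir() {
    dir=$1 owner=$2 mode=$3
    status=$(check_state_dir "$dir" "$owner" "$mode") || true
    case $status in
        ok) return 0 ;;
        missing)
            # mkdir without -p fails if something appears at the path in the meantime
            mkdir -m "$mode" "$dir" || return 1
            [ "$(stat -c %U "$dir")" = "$owner" ] || chown "$owner" "$dir" || return 1
            echo "recreated $dir" >&2      # a cron run mails this, giving a deletion timeline
            ;;
        wrong-mode:*)
            chmod "$mode" "$dir" || return 1 ;;
        *)  # symlink, wrong owner, not a directory: leave it for a human to inspect
            echo "refusing to touch $dir: $status" >&2
            return 1 ;;
    esac
    check_state_dir "$dir" "$owner" "$mode" >/dev/null
}

# Constructed usage, run as root from cron: ensure_state_dir /tmp/apachemod_bw nobody 700
```

The timestamps of the "recreated" messages can be compared with the time the daily tmpwatch cron job runs.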
     