Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

file owned by 'nobody' in my /tmp

Discussion in 'General Discussion' started by Jorel, Sep 26, 2005.

  1. Jorel

    Jorel Well-Known Member

    Joined:
    Aug 15, 2003
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    156
    ./securetmp and such has been run but obviously that doesn't stop everything. i keep seeing this file owned by 'nobdoy' get dumped into my /tmp (it reappears later after its been removed) so I'm guessing it's some sort of Phorum exploit. Here's the file but my question is how do I stop this from happening? I have the addon script manager installed and everything's up-to-date but Phorum isn't an addon script. How can I detect Phorum and delete/upgrade insecure installations?

    Thanks in advance for any help that can be offered.

    tpl-default-index-062c88123537dc87b6fc66e239e62a3e.php

    Code:
    <?php if(!defined("PHORUM")) return; ?>
    <div class="PhorumNavBlock">
    <span class="PhorumNavHeading"><?php echo $PHORUM['DATA']['LANG']['Goto']; ?>:</span>&nbsp;<a class="PhorumNavLink" href="<?php echo $PHORUM['DATA']['URL']['INDEX']; ?>"><?php echo $PHORUM['DATA']['LANG']['ForumList']; ?></a>&bull;<a class="PhorumNavLink" href="<?php echo $PHORUM['DATA']['URL']['SEARCH']; ?>"><?php echo $PHORUM['DATA']['LANG']['Search']; ?></a><?php if(isset($PHORUM['DATA']['LOGGEDIN']) && $PHORUM['DATA']['LOGGEDIN']==true){ ?>&bull;<a class="PhorumNavLink" href="<?php echo $PHORUM['DATA']['URL']['REGISTERPROFILE']; ?>"><?php echo $PHORUM['DATA']['LANG']['MyProfile']; ?></a><?php if(isset($PHORUM['DATA']['ENABLE_PM']) && !empty($PHORUM['DATA']['ENABLE_PM'])){ ?>&bull;<a class="PhorumNavLink" href="<?php echo $PHORUM['DATA']['PRIVATE_MESSAGES']['inbox_url']; ?>"><?php echo $PHORUM['DATA']['LANG']['PrivateMessages']; ?></a><?php } ?>&bull;<a class="PhorumNavLink" href="<?php echo $PHORUM['DATA']['URL']['LOGINOUT']; ?>"><?php echo $PHORUM['DATA']['LANG']['LogOut']; ?></a><?php } ?><?php if(isset($PHORUM['DATA']['LOGGEDIN']) && $PHORUM['DATA']['LOGGEDIN']==false){ ?>&bull;<a class="PhorumNavLink" href="<?php echo $PHORUM['DATA']['URL']['LOGINOUT']; ?>"><?php echo $PHORUM['DATA']['LANG']['LogIn']; ?></a><?php } ?>&bull;<a class="PhorumNavLink" href="allusers.php">All Users</a>
    </div>
    
    <div class="PhorumStdBlockHeader PhorumHeaderText">
    <div class="PhorumColumnFloatLarge"><?php echo $PHORUM['DATA']['LANG']['LastPost']; ?></div>
    <div class="PhorumColumnFloatSmall"><?php echo $PHORUM['DATA']['LANG']['Posts']; ?></div>
    <div class="PhorumColumnFloatSmall"><?php echo $PHORUM['DATA']['LANG']['Threads']; ?></div>
    <div style="margin-right: 425px"><?php echo $PHORUM['DATA']['LANG']['Forums']; ?></div>
    </div>
    <?php
    $rclass="Alt";
    ?>
    <div class="PhorumStdBlock">
    <?php if(isset($PHORUM['DATA']['FORUMS']) && is_array($PHORUM['DATA']['FORUMS'])) foreach($PHORUM['DATA']['FORUMS'] as $PHORUM['TMP']['FORUMS']){ ?>
    <?php
      if($rclass=="Alt")
        $rclass="";
      else
        $rclass="Alt";
    ?>
    <div class="PhorumRowBlock<?php echo $rclass;?>">
    <?php if(isset($PHORUM['TMP']['FORUMS']['folder_flag']) && !empty($PHORUM['TMP']['FORUMS']['folder_flag'])){ ?>
    <div class="PhorumColumnFloatXLarge"><?php echo $PHORUM['DATA']['LANG']['ForumFolder']; ?></div>
    <?php } else { ?>
    <div class="PhorumColumnFloatLarge"><?php echo $PHORUM['TMP']['FORUMS']['last_post']; ?>&nbsp;</div>
    <div class="PhorumColumnFloatSmall"><?php echo $PHORUM['TMP']['FORUMS']['message_count']; ?><?php if(isset($PHORUM['TMP']['FORUMS']['new_messages']) && !empty($PHORUM['TMP']['FORUMS']['new_messages'])){ ?> (<span class="PhorumNewFlag"><?php echo $PHORUM['TMP']['FORUMS']['new_messages']; ?> <?php echo $PHORUM['DATA']['LANG']['newflag']; ?></span>)<?php } ?></div>
    <div class="PhorumColumnFloatSmall"><?php echo $PHORUM['TMP']['FORUMS']['thread_count']; ?><?php if(isset($PHORUM['TMP']['FORUMS']['new_threads']) && !empty($PHORUM['TMP']['FORUMS']['new_threads'])){ ?> (<span class="PhorumNewFlag"><?php echo $PHORUM['TMP']['FORUMS']['new_threads']; ?> <?php echo $PHORUM['DATA']['LANG']['newflag']; ?></span>)<?php } ?></div>
    <?php } ?>
    <div style="margin-right: 425px" class="PhorumLargeFont"><a href="<?php echo $PHORUM['TMP']['FORUMS']['url']; ?>"><?php echo $PHORUM['TMP']['FORUMS']['name']; ?></a></div>
    <div style="margin-right: 425px" class="PhorumFloatingText"><?php echo $PHORUM['TMP']['FORUMS']['description']; ?></div>
    </div>
    <?php } unset($PHORUM['TMP']['FORUMS']); ?>
    </div>
    
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,470
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    You're probably better off asking the developer of the script application if they have a version that does not do that.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Jorel

    Jorel Well-Known Member

    Joined:
    Aug 15, 2003
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    156
    The script drops that in there? I just figured its part of an exploit.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,470
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    Doesn't look like an exploit.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice