The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

file owned by 'nobody' in my /tmp

Discussion in 'General Discussion' started by Jorel, Sep 26, 2005.

  1. Jorel

    Jorel Well-Known Member

    Joined:
    Aug 15, 2003
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    ./securetmp and such has been run but obviously that doesn't stop everything. i keep seeing this file owned by 'nobdoy' get dumped into my /tmp (it reappears later after its been removed) so I'm guessing it's some sort of Phorum exploit. Here's the file but my question is how do I stop this from happening? I have the addon script manager installed and everything's up-to-date but Phorum isn't an addon script. How can I detect Phorum and delete/upgrade insecure installations?

    Thanks in advance for any help that can be offered.

    tpl-default-index-062c88123537dc87b6fc66e239e62a3e.php

    Code:
    <?php if(!defined("PHORUM")) return; ?>
    <div class="PhorumNavBlock">
    <span class="PhorumNavHeading"><?php echo $PHORUM['DATA']['LANG']['Goto']; ?>:</span>&nbsp;<a class="PhorumNavLink" href="<?php echo $PHORUM['DATA']['URL']['INDEX']; ?>"><?php echo $PHORUM['DATA']['LANG']['ForumList']; ?></a>&bull;<a class="PhorumNavLink" href="<?php echo $PHORUM['DATA']['URL']['SEARCH']; ?>"><?php echo $PHORUM['DATA']['LANG']['Search']; ?></a><?php if(isset($PHORUM['DATA']['LOGGEDIN']) && $PHORUM['DATA']['LOGGEDIN']==true){ ?>&bull;<a class="PhorumNavLink" href="<?php echo $PHORUM['DATA']['URL']['REGISTERPROFILE']; ?>"><?php echo $PHORUM['DATA']['LANG']['MyProfile']; ?></a><?php if(isset($PHORUM['DATA']['ENABLE_PM']) && !empty($PHORUM['DATA']['ENABLE_PM'])){ ?>&bull;<a class="PhorumNavLink" href="<?php echo $PHORUM['DATA']['PRIVATE_MESSAGES']['inbox_url']; ?>"><?php echo $PHORUM['DATA']['LANG']['PrivateMessages']; ?></a><?php } ?>&bull;<a class="PhorumNavLink" href="<?php echo $PHORUM['DATA']['URL']['LOGINOUT']; ?>"><?php echo $PHORUM['DATA']['LANG']['LogOut']; ?></a><?php } ?><?php if(isset($PHORUM['DATA']['LOGGEDIN']) && $PHORUM['DATA']['LOGGEDIN']==false){ ?>&bull;<a class="PhorumNavLink" href="<?php echo $PHORUM['DATA']['URL']['LOGINOUT']; ?>"><?php echo $PHORUM['DATA']['LANG']['LogIn']; ?></a><?php } ?>&bull;<a class="PhorumNavLink" href="allusers.php">All Users</a>
    </div>
    
    <div class="PhorumStdBlockHeader PhorumHeaderText">
    <div class="PhorumColumnFloatLarge"><?php echo $PHORUM['DATA']['LANG']['LastPost']; ?></div>
    <div class="PhorumColumnFloatSmall"><?php echo $PHORUM['DATA']['LANG']['Posts']; ?></div>
    <div class="PhorumColumnFloatSmall"><?php echo $PHORUM['DATA']['LANG']['Threads']; ?></div>
    <div style="margin-right: 425px"><?php echo $PHORUM['DATA']['LANG']['Forums']; ?></div>
    </div>
    <?php
    $rclass="Alt";
    ?>
    <div class="PhorumStdBlock">
    <?php if(isset($PHORUM['DATA']['FORUMS']) && is_array($PHORUM['DATA']['FORUMS'])) foreach($PHORUM['DATA']['FORUMS'] as $PHORUM['TMP']['FORUMS']){ ?>
    <?php
      if($rclass=="Alt")
        $rclass="";
      else
        $rclass="Alt";
    ?>
    <div class="PhorumRowBlock<?php echo $rclass;?>">
    <?php if(isset($PHORUM['TMP']['FORUMS']['folder_flag']) && !empty($PHORUM['TMP']['FORUMS']['folder_flag'])){ ?>
    <div class="PhorumColumnFloatXLarge"><?php echo $PHORUM['DATA']['LANG']['ForumFolder']; ?></div>
    <?php } else { ?>
    <div class="PhorumColumnFloatLarge"><?php echo $PHORUM['TMP']['FORUMS']['last_post']; ?>&nbsp;</div>
    <div class="PhorumColumnFloatSmall"><?php echo $PHORUM['TMP']['FORUMS']['message_count']; ?><?php if(isset($PHORUM['TMP']['FORUMS']['new_messages']) && !empty($PHORUM['TMP']['FORUMS']['new_messages'])){ ?> (<span class="PhorumNewFlag"><?php echo $PHORUM['TMP']['FORUMS']['new_messages']; ?> <?php echo $PHORUM['DATA']['LANG']['newflag']; ?></span>)<?php } ?></div>
    <div class="PhorumColumnFloatSmall"><?php echo $PHORUM['TMP']['FORUMS']['thread_count']; ?><?php if(isset($PHORUM['TMP']['FORUMS']['new_threads']) && !empty($PHORUM['TMP']['FORUMS']['new_threads'])){ ?> (<span class="PhorumNewFlag"><?php echo $PHORUM['TMP']['FORUMS']['new_threads']; ?> <?php echo $PHORUM['DATA']['LANG']['newflag']; ?></span>)<?php } ?></div>
    <?php } ?>
    <div style="margin-right: 425px" class="PhorumLargeFont"><a href="<?php echo $PHORUM['TMP']['FORUMS']['url']; ?>"><?php echo $PHORUM['TMP']['FORUMS']['name']; ?></a></div>
    <div style="margin-right: 425px" class="PhorumFloatingText"><?php echo $PHORUM['TMP']['FORUMS']['description']; ?></div>
    </div>
    <?php } unset($PHORUM['TMP']['FORUMS']); ?>
    </div>
    
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You're probably better off asking the developer of the script application if they have a version that does not do that.
     
  3. Jorel

    Jorel Well-Known Member

    Joined:
    Aug 15, 2003
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    The script drops that in there? I just figured its part of an exploit.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Doesn't look like an exploit.
     
Loading...

Share This Page