
Files In /tmp with names like undo.#prelink#.1i4VZ5

Discussion in 'Security' started by celiac101, Dec 30, 2014.

  1. celiac101

    celiac101 Active Member

    cPanel Access Level:
    Website Owner
    Recently I noticed some strange files appearing and disappearing in /tmp. They typically look like this:
    user user 467K Nov 18 01:26 undo.#prelink#.1iytZ5
    and are owned by the main user of the sites I run on the server.

    After much searching and reading, this thread seems to sum it up best, but offers no final conclusion:
    Strange /tmp/undo.#prelink#.XXXXXXXX files in /tmp - Hosting Security and Technology - Web Hosting Talk

    It appears they are associated with: "dovecot is doing a prelink command on cPanel machines". I do use Dovecot and cPanel, so perhaps these are nothing to worry about; however, last night my server crashed for the first time in years, and in /tmp there were dozens of these types of files, which I deleted. They do come back after deletion, and have different names.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you review /var/log/messages and /var/log/dmesg and see if there is any particular output just before your server rebooted?

    Thank you.
     
  3. celiac101

    Sorry it took so long... For the first one, /var/log/messages, I see this type of output:

    Code:
    Jan  4 03:28:31 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=52 TOS=0x08 PREC=0x40 TTL=112 ID=9486 DF PROTO=TCP SPT=50064 DPT=80 WINDOW=8192 RES=0$
    Jan  4 03:28:31 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=52 TOS=0x08 PREC=0x40 TTL=112 ID=9487 DF PROTO=TCP SPT=50065 DPT=80 WINDOW=8192 RES=0$
    Jan  4 03:28:31 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=52 TOS=0x08 PREC=0x40 TTL=112 ID=9491 DF PROTO=TCP SPT=50068 DPT=80 WINDOW=8192 RES=0$
    Jan  4 03:28:31 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=52 TOS=0x08 PREC=0x40 TTL=112 ID=9483 DF PROTO=TCP SPT=50061 DPT=80 WINDOW=8192 RES=0$
    Jan  4 03:28:31 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=52 TOS=0x08 PREC=0x40 TTL=112 ID=9485 DF PROTO=TCP SPT=50063 DPT=80 WINDOW=8192 RES=0$
    Jan  4 03:28:34 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=52 TOS=0x08 PREC=0x40 TTL=112 ID=9691 DF PROTO=TCP SPT=50065 DPT=80 WINDOW=8192 RES=0$
    Jan  4 03:28:36 scott kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=93.174.93.210 DST=209.188.8.93 LEN=118 TOS=0x00 PREC=0x00 TTL=247 ID=54321 PROTO=UDP SPT=56047 DPT=1900 LEN=98
    Jan  4 03:28:42 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=48 TOS=0x08 PREC=0x40 TTL=112 ID=9812 DF PROTO=TCP SPT=50082 DPT=80 WINDOW=8192 RES=0$
    Jan  4 03:28:42 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=48 TOS=0x08 PREC=0x40 TTL=112 ID=9813 DF PROTO=TCP SPT=50083 DPT=80 WINDOW=8192 RES=0$
    Jan  4 03:28:42 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=48 TOS=0x08 PREC=0x40 TTL=112 ID=9814 DF PROTO=TCP SPT=50084 DPT=80 WINDOW=8192 RES=0$
    Jan  4 03:28:42 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=48 TOS=0x08 PREC=0x40 TTL=112 ID=9815 DF PROTO=TCP SPT=50085 DPT=80 WINDOW=8192 RES=0$
    Jan  4 03:28:43 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=48 TOS=0x08 PREC=0x40 TTL=112 ID=9860 DF PROTO=TCP SPT=50097 DPT=80 WINDOW=8192 RES=0$
    Jan  4 03:28:45 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=48 TOS=0x08 PREC=0x40 TTL=112 ID=9928 DF PROTO=TCP SPT=50082 DPT=80 WINDOW=8192 RES=0$
    Jan  4 03:29:07 scott kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=93.174.93.218 DST=209.188.8.94 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=49702 DPT=8080 WINDOW=65535 R$
    Jan  4 03:30:08 scott lfd[31149]: SYSLOG check [a2ZWR7H1G2CQcRO]
    Jan  4 03:30:26 scott pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jan  4 03:30:26 scott pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jan  4 03:31:17 scott kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=93.174.93.51 DST=198.24.145.124 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=54321 PROTO=TCP SPT=33258 DPT=2009 WINDOW=65535 $
    Jan  4 03:33:07 scott kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=23.95.12.34 DST=198.24.145.126 LEN=40 TOS=0x08 PREC=0x20 TTL=237 ID=58901 PROTO=TCP SPT=43102 DPT=23 WINDOW=1024 RES=$
    Jan  4 03:34:25 scott kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=198.245.66.219 DST=198.24.145.122 LEN=432 TOS=0x08 PREC=0x20 TTL=46 ID=0 DF PROTO=UDP SPT=5325 DPT=5060 LEN=412
    Jan  4 03:34:25 scott kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=198.245.66.219 DST=198.24.145.123 LEN=431 TOS=0x08 PREC=0x20 TTL=46 ID=0 DF PROTO=UDP SPT=5325 DPT=5060 LEN=411
    Jan  4 03:34:25 scott kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=198.245.66.219 DST=198.24.145.124 LEN=431 TOS=0x08 PREC=0x20 TTL=46 ID=0 DF PROTO=UDP SPT=5325 DPT=5060 LEN=411
    Jan  4 03:34:25 scott kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=198.245.66.219 DST=198.24.145.125 LEN=431 TOS=0x08 PREC=0x20 TTL=46 ID=0 DF PROTO=UDP SPT=5325 DPT=5060 LEN=411
    Jan  4 03:34:25 scott kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=198.245.66.219 DST=198.24.145.126 LEN=425 TOS=0x08 PREC=0x20 TTL=46 ID=0 DF PROTO=UDP SPT=5325 DPT=5060 LEN=405
    Jan  4 03:34:29 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=213.205.253.93 DST=198.24.145.124 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=37314 DF PROTO=TCP SPT=58997 DPT=80 WINDOW=14600 RE$
    Jan  4 03:34:29 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=213.205.253.93 DST=198.24.145.124 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=55711 DF PROTO=TCP SPT=63129 DPT=80 WINDOW=14600 RE$
    Jan  4 03:34:30 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=213.205.253.93 DST=198.24.145.124 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=5093 DF PROTO=TCP SPT=55118 DPT=80 WINDOW=14600 RES$
    Jan  4 03:34:30 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=213.205.253.93 DST=198.24.145.124 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=37315 DF PROTO=TCP SPT=58997 DPT=80 WINDOW=14600 RE$
    Jan  4 03:34:30 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=213.205.253.93 DST=198.24.145.124 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=55712 DF PROTO=TCP SPT=63129 DPT=80 WINDOW=14600 RE$
    Jan  4 03:34:32 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=213.205.253.93 DST=198.24.145.124 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=37316 DF PROTO=TCP SPT=58997 DPT=80 WINDOW=14600 RE$
    Jan  4 03:35:08 scott lfd[31149]: SYSLOG check [mYfSJfyQzMWZCk6gc0O7fnIgpa]
    Jan  4 03:35:09 scott kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=58.83.146.252 DST=209.188.8.92 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=39433 PROTO=TCP SPT=30468 DPT=22 WINDOW=65535 RES$
    Jan  4 03:35:13 scott kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=23.95.12.34 DST=198.24.145.124 LEN=40 TOS=0x08 PREC=0x20 TTL=238 ID=55404 PROTO=TCP SPT=43102 DPT=23 WINDOW=1024 RES=$
    Jan  4 03:35:28 scott pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jan  4 03:35:28 scott pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    Jan  4 03:36:22 scott named[31231]: client 207.219.56.130#59839: view external: query (cache) '171.3.10.10.in-addr.arpa/PTR/IN' denied
    
    and for /var/log/dmesg I see:

    Code:
    Initializing cgroup subsys cpuset
    Initializing cgroup subsys cpu
    Linux version 2.6.32-504.3.3.el6.x86_64 (mockbuild@cdb8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) ) #1 SMP Wed Dec 17 01:55:02 UTC 2014
    Command line: ro root=UUID=4d2fbd0b-1216-42cd-b015fgd977d3434 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
    KERNEL supported cpus:
      Intel GenuineIntel
      AMD AuthenticAMD
      Centaur CentaurHauls
    BIOS-provided physical RAM map:
     BIOS-e820: 0000000000000000 - 000000000009b400 (usable)
     BIOS-e820: 000000000009b400 - 00000000000a0000 (reserved)
     BIOS-e820: 00000000000e0000 - 0000000000100000 (reserved)
     BIOS-e820: 0000000000100000 - 000000007e413000 (usable)
     BIOS-e820: 000000007e413000 - 000000007e532000 (ACPI NVS)
     BIOS-e820: 000000007e532000 - 000000007f1cb000 (reserved)
     BIOS-e820: 000000007f1cb000 - 000000007f245000 (ACPI data)
     BIOS-e820: 000000007f245000 - 000000007f334000 (reserved)
     BIOS-e820: 000000007f334000 - 000000007f335000 (ACPI NVS)
     BIOS-e820: 000000007f335000 - 000000007f33a000 (reserved)
     BIOS-e820: 000000007f33a000 - 000000007f342000 (ACPI NVS)
     BIOS-e820: 000000007f342000 - 000000007f36b000 (reserved)
     BIOS-e820: 000000007f36b000 - 000000007f800000 (ACPI NVS)
     BIOS-e820: 0000000080000000 - 0000000090000000 (reserved)
     BIOS-e820: 00000000fed1c000 - 00000000fed40000 (reserved)
     BIOS-e820: 00000000ff000000 - 0000000100000000 (reserved)
     BIOS-e820: 0000000100000000 - 0000001080000000 (usable)
    DMI 2.7 present.
    SMBIOS version 2.7 @ 0xF04C0
    DMI: Supermicro X9DRW/X9DRW, BIOS 1.0a 04/26/2012
    AMI BIOS detected: BIOS may corrupt low RAM, working around it.
    e820 update range: 0000000000000000 - 0000000000010000 (usable) ==> (reserved)
    e820 update range: 0000000000000000 - 0000000000001000 (usable) ==> (reserved)
    e820 remove range: 00000000000a0000 - 0000000000100000 (usable)
    last_pfn = 0x1080000 max_arch_pfn = 0x400000000
    MTRR default type: uncachable
    MTRR fixed ranges enabled:
      00000-9FFFF write-back
      A0000-BFFFF uncachable
      C0000-FFFFF write-protect
    MTRR variable ranges enabled:
      0 base 000000000000 mask 3FF000000000 write-back
      1 base 001000000000 mask 3FFF80000000 write-back
      2 base 000080000000 mask 3FFF80000000 uncachable
      3 disabled
      4 disabled
      5 disabled
      6 disabled
      7 disabled
      8 disabled
      9 disabled
    x86 PAT enabled: cpu 0, old 0x7040600070406, new 0x7010600070106
    original variable MTRRs
    reg 0, base: 0GB, range: 64GB, type WB
    reg 1, base: 64GB, range: 2GB, type WB
    reg 2, base: 2GB, range: 2GB, type UC
    total RAM covered: 65536M
    Found optimal setting for mtrr clean up
     
    #3 celiac101, Jan 6, 2015
    Last edited: Jan 6, 2015
  4. cPanelMichael

    Was that the most recent output, or the output just before your server rebooted? Has it happened anymore since this time? You may want to consult with your data center if it continues to be an issue, as I don't see anything cPanel-related causing a reboot.

    Thank you.
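
One way to check what the firewall logged in the minutes before a reboot, as asked above, is to tally the kernel "Firewall:" lines from /var/log/messages by rule, source and destination port. This is an added example, not code from the thread or from cPanel; the sample lines are constructed in the same layout as the posted log (documentation-range addresses), and the reboot time, the year and the function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the same syslog/iptables layout as the lines posted
# above; addresses come from documentation ranges, not from the thread.
SAMPLE = """\
Jan  4 03:28:31 host kernel: Firewall: *Port Flood* IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=50064 DPT=80
Jan  4 03:28:31 host kernel: Firewall: *Port Flood* IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=50065 DPT=80
Jan  4 03:28:36 host kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= SRC=198.51.100.9 DST=192.0.2.11 LEN=118 PROTO=UDP SPT=56047 DPT=1900 LEN=98
Jan  4 03:30:08 host lfd[31149]: SYSLOG check [constructed]
Jan  4 03:34:29 host kernel: Firewall: *Port Flood* IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=58997 DPT=80 WINDOW=14600 RE$
Jan  4 03:50:00 host kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=43102 DPT=23
"""

# Timestamp, host, then the rule name between asterisks, then KEY=VALUE pairs.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Firewall: "
    r"\*(?P<rule>[^*]+)\* (?P<kv>.*)$"
)

def parse(line, year):
    """Return (timestamp, rule, SRC, DPT) for a firewall line, else None."""
    m = LINE.match(line)
    if not m:
        return None  # lfd, pure-ftpd, named and other non-firewall lines
    # Truncated tails such as "RE$" carry no "=" and are skipped.
    fields = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
    # Syslog timestamps carry no year, so the caller supplies it (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["rule"], fields.get("SRC"), fields.get("DPT")

def summarize(text, reboot, minutes, year=2015):
    """Count firewall hits per (rule, SRC, DPT) in the window before `reboot`."""
    start = reboot - timedelta(minutes=minutes)
    hits = Counter()
    for line in text.splitlines():
        rec = parse(line, year)
        if rec and start <= rec[0] < reboot:
            hits[rec[1:]] += 1
    return hits.most_common()

if __name__ == "__main__":
    # Hypothetical reboot time; on a real host take it from `last -x reboot`.
    for key, count in summarize(SAMPLE, datetime(2015, 1, 4, 3, 40), 15):
        print(count, *key)
```

Entries that are already being dropped by the firewall show up here as counts per source, which makes it easier to tell routine blocked traffic apart from anything unusual in the window before the reboot.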
     