The Community Forums


[hackcheck] Possible root compromise detected

Discussion in 'Security' started by alekid, Jul 24, 2011.

  1. alekid

    alekid Registered

    Joined:
    Jun 18, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    I am getting the following mail:


    Attempts to create new directories or files whose filenames begin with numbers have failed.
    This is indicative of a root compromise of the server.

    The exact error encountered was:

    Failed to create directory /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb: File exists

    What can I do about it?
     
  2. whwrobert

    whwrobert Active Member

    Joined:
    Aug 21, 2009
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    Check if /tmp is in read-only mode; if it is, it will not create files there, and your MySQL may also go down.
     
  3. gvard

    gvard Well-Known Member
    PartnerNOC

    Joined:
    Dec 22, 2003
    Messages:
    195
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Athens/GREECE
    cPanel Access Level:
    DataCenter Provider
    Hello,

    Try typing
    Code:
    mkdir /tmp/1
    
    and let us know the results. If you cannot create this directory (and of course it doesn't exist already), then there might be a 'SucKIT' rootkit situation.
     
  4. alekid

    alekid Registered

    Joined:
    Jun 18, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    I can write. The folder was created successfully.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,453
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    I'm curious about that file; it doesn't seem normal to me and has a funny smell [;)]. Can you delete it?
     
  6. whwrobert

    whwrobert Active Member

    Joined:
    Aug 21, 2009
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    When are you getting this mail? Is it cPanel sending this mail?
     
  7. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Delete it? If it were me I'd look at the contents first. That could very well give an indication whether or not it is malicious.
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    I also wouldn't suggest deleting it, check permissions and cat the file:

    Code:
    ls -lah /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
    lsattr /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
    cat /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
     
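The numbered-directory probe from post 3 and the look-before-you-delete checks from post 8, put together as a small triage script. This is an added example, not code from the thread or from cPanel: the script name, the `1.hackcheck-probe` directory name and the 512-byte peek are this example's own choices, and nothing in it deletes anything.

```shell
#!/bin/sh
# Added example, not from the thread: triage a path that hackcheck's tmp-dir
# creation tripped over ("File exists"), and repeat the numbered-name mkdir
# probe. The path is an argument; nothing here deletes anything.

# Classify what is sitting on the name. Output: missing | directory | file |
# file-immutable | symlink -> <target>. A regular file or a symlink squatting
# on a name cPanel expected to create as a directory is what to inspect.
classify_tmp_path() {
    p="$1"
    if [ ! -e "$p" ] && [ ! -L "$p" ]; then
        echo "missing"
        return 0
    fi
    if [ -L "$p" ]; then
        # A planted symlink on a predictable /tmp name is the classic
        # /tmp race trick; show where it points rather than following it.
        echo "symlink -> $(readlink "$p")"
        return 0
    fi
    if [ -d "$p" ]; then
        echo "directory"
        return 0
    fi
    # Something other than a directory occupies the name. The immutable bit
    # (lsattr 'i') is what stops root from removing it and is itself a
    # rootkit tell; lsattr fails on some filesystems, so treat failure as "no bit".
    attrs=$(lsattr -d "$p" 2>/dev/null | awk '{print $1}')
    case "$attrs" in
        *i*) echo "file-immutable" ;;
        *)   echo "file" ;;
    esac
}

# gvard's test from post 3, made repeatable: can we create a directory whose
# name begins with a digit? SucKIT-style rootkits hide such names, which is
# why hackcheck probes with them. Output: ok | fail.
probe_numeric_mkdir() {
    base="${1:-/tmp}"
    probe="$base/1.hackcheck-probe.$$"   # name is this example's own choice
    if mkdir "$probe" 2>/dev/null; then
        rmdir "$probe"
        echo "ok"
    else
        echo "fail"
    fi
}

# The checklist from post 8 (ls -lah, lsattr, cat), plus file type and a
# bounded peek so a binary payload does not land on the terminal raw.
report_tmp_path() {
    p="$1"
    echo "== verdict: $(classify_tmp_path "$p")"
    ls -lah "$p" 2>&1
    lsattr -d "$p" 2>&1
    file "$p" 2>&1
    if [ -f "$p" ]; then
        echo "== first 512 bytes (non-printable escaped):"
        head -c 512 "$p" | cat -v
        echo
    fi
}

# Usage: sh tmp-triage.sh /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
if [ -n "${1:-}" ]; then
    report_tmp_path "$1"
    echo "== numbered mkdir probe in $(dirname "$1"): $(probe_numeric_mkdir "$(dirname "$1")")"
fi
```

Run it as root with the path from the hackcheck mail. A verdict of `file` or `symlink` on a name cPanel meant to create as a directory, or a `fail` from the mkdir probe, is the finding; `file-immutable` means `chattr -i` is needed before anything can be removed, and is itself worth explaining before you clean up.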
  9. ultimatehosting

    Joined:
    Jul 30, 2011
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Looks like your /usr/tmpDSK is corrupted. You should stop all processes that have files open on /tmp, such as MySQL and other applications, which you can find using:

    Code:
    /usr/sbin/lsof /tmp
    
    Run the following commands (in that order):

    Code:
    /bin/umount -l /tmp
    /bin/umount -l /var/tmp
    /bin/rm -fv /usr/tmpDSK

    /scripts/securetmp
    
    This should create a new /tmp partition for you; restart Apache and MySQL and you won't face the same issue again.
     
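The read-only check from post 2 and the tmpDSK rebuild from post 9 share a prerequisite: know what /tmp is mounted from, whether it has gone read-only, and who still holds it open before you lazily unmount it. This added script (not from the thread or from cPanel) reads the mount table, reports that, and wraps post 9's commands behind a holder check and an explicit `--force`. The `status`/`rebuild` arguments and the sample mount table in the usage below are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: inspect a cPanel-style
# /tmp before touching it. Reads the mount table (default /proc/mounts; a
# second argument lets you point the functions at a saved copy) and reports
# whether the mountpoint is mounted, read-only, and what holds it open.

# Output: not-mounted | readonly | rw. "readonly" is the situation in post 2:
# an ext3 tmpDSK that hit errors and got remounted ro (errors=remount-ro)
# cannot create files, and hackcheck then fires.
tmp_mount_status() {
    mp="$1"
    table="${2:-/proc/mounts}"
    [ -r "$table" ] || { echo "not-mounted"; return 0; }
    # Last matching line wins: a later mount over the same point shadows earlier ones.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
    [ -n "$opts" ] || { echo "not-mounted"; return 0; }
    case ",$opts," in
        *,ro,*) echo "readonly" ;;
        *)      echo "rw" ;;
    esac
}

# Device backing a mountpoint (empty if not mounted). For a securetmp /tmp
# this is a loop device, not /usr/tmpDSK itself.
tmp_mount_device() {
    mp="$1"
    table="${2:-/proc/mounts}"
    [ -r "$table" ] || return 0
    awk -v mp="$mp" '$2 == mp { d = $1 } END { print d }' "$table"
}

# Processes with files open under the mountpoint. These must be stopped
# before the lazy umount in post 9, or the old /tmp lives on invisibly
# under them and MySQL's socket goes with it.
tmp_holders() {
    mp="$1"
    if command -v lsof >/dev/null 2>&1; then
        lsof "$mp" 2>/dev/null | awk 'NR > 1 { print $1, $2 }' | sort -u
    else
        fuser -vm "$mp" 2>&1
    fi
}

# Post 9's rebuild with the guard it relies on you to do by hand: refuse
# while anything still holds /tmp open, and require --force to do anything.
rebuild_tmpdsk() {
    if [ "${1:-}" != "--force" ]; then
        echo "dry run; re-run with --force to execute" >&2
        return 1
    fi
    if [ -n "$(tmp_holders /tmp)" ]; then
        echo "refusing: processes still hold /tmp open:" >&2
        tmp_holders /tmp >&2
        return 1
    fi
    /bin/umount -l /tmp
    /bin/umount -l /var/tmp
    /bin/rm -fv /usr/tmpDSK
    /scripts/securetmp
}

# Usage: sh tmpdsk-check.sh status
#        sh tmpdsk-check.sh rebuild --force
case "${1:-}" in
    status)
        echo "/tmp: $(tmp_mount_status /tmp) on $(tmp_mount_device /tmp)"
        echo "/var/tmp: $(tmp_mount_status /var/tmp) on $(tmp_mount_device /var/tmp)"
        echo "holders of /tmp:"
        tmp_holders /tmp
        ;;
    rebuild)
        rebuild_tmpdsk "${2:-}"
        ;;
esac
```

`status` is safe to run at any time and is the first thing to look at when hackcheck complains about /tmp: a `readonly` verdict points at the tmpDSK, not at a rootkit. `rebuild` only proceeds once `tmp_holders` is empty, which is the "stop MySQL and anything else using /tmp" step of post 9 made non-optional.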
  10. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    938
    Likes Received:
    0
    Trophy Points:
    16