[hackcheck] Possible root compromise detected

alekid

I am getting the following mail:


Attempts to create new directories or files whose filenames begin with numbers have failed.
This is indicative of a root compromise of the server.

The exact error encountered was:

Failed to create directory /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb: File exists

What can I do about it?
 

whwrobert

When are you getting this mail? Is it cPanel sending this mail?
 

mtindor

Delete it? If it were me I'd look at the contents first. That could very well give an indication whether or not it is malicious.
 

cPanelTristan

Quality Assurance Analyst
Staff member
I also wouldn't suggest deleting it. Check permissions and cat the file:

Code:
ls -lah /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
lsattr /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
cat /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
 
Jul 30, 2011
11
0
51
India
cPanel Access Level
Root Administrator
Looks like your /usr/tmpDSK is corrupted. You should stop all processes that have files open on /tmp such as MySQL and other applications using:

/usr/sbin/lsof /tmp

Run the following commands (in that order):

/bin/umount -l /tmp
/bin/umount -l /var/tmp
/bin/rm -fv /usr/tmpDSK

/scripts/securetmp

This should create a new /tmp partition for you. Restart Apache and MySQL and you won't face the same issue again.
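
The "look before deleting" advice in this thread, gathered into one read-only triage script. This is an added example, not code from any poster or from cPanel; the function names `classify_path` and `triage_path` are hypothetical. It goes slightly beyond the commands above by also handling a dangling symlink, which makes directory creation fail with "File exists" too.

```shell
#!/usr/bin/env bash
# Read-only triage of a path reported as "File exists". Nothing is modified or deleted.

# classify_path PATH -> prints one of: symlink | missing | directory | file | other
classify_path() {
    local p=$1
    # Test -L first: a dangling symlink fails -e, yet mkdir on it still returns EEXIST.
    if [ -L "$p" ]; then echo symlink
    elif [ ! -e "$p" ]; then echo missing
    elif [ -d "$p" ]; then echo directory
    elif [ -f "$p" ]; then echo file
    else echo other
    fi
}

# triage_path PATH -> prints a key=value report; returns 1 if the path is gone
triage_path() {
    local p=$1 kind
    kind=$(classify_path "$p")
    echo "path=$p"
    echo "kind=$kind"
    if [ "$kind" = missing ]; then return 1; fi
    # Numeric owner/group (-n) so an unknown UID is visible as a number
    echo "listing=$(ls -ldn -- "$p")"
    # lsattr is not supported on every filesystem; an empty value means "not available"
    if command -v lsattr >/dev/null 2>&1; then
        echo "attrs=$(lsattr -d -- "$p" 2>/dev/null | awk '{print $1}')"
    fi
    case $kind in
        symlink)   echo "target=$(readlink -- "$p")" ;;
        directory) echo "entries=$(ls -A -- "$p" | wc -l | tr -d ' ')" ;;
        file)
            echo "size=$(wc -c < "$p" | tr -d ' ')"
            if command -v sha256sum >/dev/null 2>&1; then
                echo "sha256=$(sha256sum < "$p" | awk '{print $1}')"
            fi
            ;;
    esac
    return 0
}

# Usage: ./triage.sh /tmp/<path from the hackcheck mail>
if [ $# -gt 0 ]; then triage_path "$1"; fi
```

Saving the report somewhere outside /tmp keeps a record of the owner, attributes and hash if /tmp is later rebuilt.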