[hackcheck] Possible root compromise detected

alekid

Registered
Jun 18, 2011
I am getting the following mail:


Attempts to create new directories or files whose filenames begin with numbers have failed.
This is indicative of a root compromise of the server.

The exact error encountered was:

Failed to create directory /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb: File exists

What can I do about it?
 

whwrobert

Active Member
Aug 21, 2009
USA
When are you getting this mail? Is it cPanel sending this mail?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
I also wouldn't suggest deleting it; check permissions and cat the file:

Code:
ls -lah /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
lsattr /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
cat /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
 
Jul 30, 2011
India
cPanel Access Level
Root Administrator
Looks like your /usr/tmpDSK is corrupted. You should stop all processes that have files open on /tmp, such as MySQL and other applications, using:

/usr/sbin/lsof /tmp

Run the following commands (in that order):

/bin/umount -l /tmp
/bin/umount -l /var/tmp
/bin/rm -fv /usr/tmpDSK

/scripts/securetmp

This should create a new /tmp partition for you. Restart Apache and MySQL and you won't face the same issue again.
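
Deleting /usr/tmpDSK and rebuilding /tmp also discards whatever triggered the alert. The shell functions below are an added example, not part of any post in this thread or of cPanel's own scripts, for recording the state of the flagged path and of the /tmp mount before anything is unmounted or removed. The function names are hypothetical, and treating noexec and nosuid as the options to look for on /tmp is an assumption.

```shell
#!/bin/sh
# Added example: record the state of the path named in the hackcheck mail
# and of the /tmp mount before anything is unmounted or deleted.

# Print "device fstype options" for a mount point, read from a mounts table
# in /proc/mounts format (the last matching line wins, as with stacked mounts).
mount_info() {
    # $1 = mount point, $2 = mounts table (default /proc/mounts)
    awk -v mp="$1" '$2 == mp { hit = $1 " " $3 " " $4 } END { if (hit) print hit }' \
        "${2:-/proc/mounts}"
}

# Succeed only if the mount point carries the given option (e.g. noexec).
has_mount_opt() {
    # $1 = mount point, $2 = option, $3 = mounts table (optional)
    opts=$(mount_info "$1" "$3" | awk '{ print $3 }')
    case ",$opts," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Classify a path without following symlinks.
path_kind() {
    if   [ -L "$1" ]; then echo symlink
    elif [ -d "$1" ]; then echo directory
    elif [ -f "$1" ]; then echo file
    elif [ -e "$1" ]; then echo other
    else echo missing
    fi
}

# Write a short triage report for the path from the alert.
triage() {
    # $1 = path from the mail, $2 = mounts table (optional)
    echo "path:  $1"
    echo "kind:  $(path_kind "$1")"
    [ "$(path_kind "$1")" != missing ] && ls -ld "$1"
    echo "mount: $(mount_info /tmp "$2")"
    for o in noexec nosuid; do   # assumed options of interest on /tmp
        has_mount_opt /tmp "$o" "$2" && echo "  $o: set" || echo "  $o: NOT set"
    done
    return 0
}

# Usage (path copied from the mail quoted in the thread):
# triage /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb > /root/hackcheck-triage.txt
```

Save the report outside /tmp so it survives the rebuild.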