[hackcheck] Possible root compromise detected

alekid

Registered

Jul 24, 2011

#1

I am getting the following mail:

Attempts to create new directories or files whose filenames begin with numbers have failed.
This is indicative of a root compromise of the server.

The exact error encountered was:

Failed to create directory /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb: File exists

that can ahcer about it?

whwrobert

Active Member

Jul 25, 2011

#2

Check if /tmp is in readonly mode, if it is is in readonly mode it will not create files there also your mysql may also go down.

G

gvard

Well-Known Member

PartnerNOC

Jul 26, 2011

#3

Hello,

Try typing

Code:

mkdir /tmp/1

and let us know of the results. If you cannot create this directory (and of course it doesn't exist already), then there might be a 'suckit' rootkit situation.

A

alekid

Registered

Jul 26, 2011

#4

I can write. the folder was created successfully

I

Infopro

Well-Known Member

Jul 26, 2011

#5

Failed to create directory /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb: File exists

I'm curious about that file, doesn't seem normal to me and has a funny smell [

], can you delete it?

whwrobert

Active Member

Jul 26, 2011

#6

alekid said:
I am getting the following mail:

Attempts to create new directories or files whose filenames begin with numbers have failed.
This is indicative of a root compromise of the server.

The exact error encountered was:

Failed to create directory /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb: File exists

that can ahcer about it?

When are you getting this mail, is it cpanel sending this mail ?

M

mtindor

Well-Known Member

Jul 26, 2011

#7

Delete it? If it were me I'd look at the contents first. That could very well give an indication whether or not it is malicious.

cPanelTristan

Quality Assurance Analyst

Staff member

Jul 26, 2011

#8

I also wouldn't suggest deleting it, check permissions and cat the file:

Code:

ls -lah /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
lsattr /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
cat /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb

U

ultimatehosting

Member

Jul 30, 2011

#9

Looks like your /usr/tmpDSK is corrupted. You should stop all processes that have files open on /tmp such as MySQL and other applications using:

/usr/sbin/lsof /tmp

Run the following commands (in that order):

/bin/umount -l /tmp
/bin/umount -l /var/tmp
/bin/rm -fv /usr/tmpDSK

/scripts/securetmp

This should create a new /tmp partition for you, restart apache and mysql and you won't face the same issue again.

C

crazyaboutlinux

Well-Known Member

Jul 9, 2012

#10

Thank you All

Thread starter	Similar threads	Forum	Replies	Date
B	[cPanel hackcheck] has a uid 0 account	Security	12	Jun 17, 2015
R	Two hackcheck notice email	Security	14	Apr 18, 2012
L	Hackcheck	Security	4	Feb 7, 2012
E	[hackcheck] http has a uid 0 account	Security	9	Aug 3, 2011
B	[hackcheck] dbmysql has a uid 0 account‏	Security	3	May 24, 2011

Search

Search

[hackcheck] Possible root compromise detected

alekid

Registered

whwrobert

Active Member

gvard

Well-Known Member

alekid

Registered

Infopro

Well-Known Member

whwrobert

Active Member

mtindor

Well-Known Member

cPanelTristan

Quality Assurance Analyst

ultimatehosting

Member

crazyaboutlinux

Well-Known Member