The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

[hackcheck] Possible root compromise detected

Discussion in 'Security' started by alekid, Jul 24, 2011.

  1. alekid

    alekid Registered

    Joined:
    Jun 18, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    51
    I am getting the following mail:


    Attempts to create new directories or files whose filenames begin with numbers have failed.
    This is indicative of a root compromise of the server.

    The exact error encountered was:

    Failed to create directory /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb: File exists

    that can ahcer about it?
     
    #1 alekid, Jul 24, 2011
  2. whwrobert

    whwrobert Active Member

    Joined:
    Aug 21, 2009
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    USA
    Check if /tmp is in readonly mode, if it is is in readonly mode it will not create files there also your mysql may also go down.
     
    #2 whwrobert, Jul 25, 2011
  3. gvard

    gvard Well-Known Member
    PartnerNOC

    Joined:
    Dec 22, 2003
    Messages:
    195
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    Athens/GREECE
    cPanel Access Level:
    DataCenter Provider
    Hello,

    Try typing
    Code:
    mkdir /tmp/1
    and let us know of the results. If you cannot create this directory (and of course it doesn't exist already), then there might be a 'suckit' rootkit situation.
     
    #3 gvard, Jul 26, 2011
  4. alekid

    alekid Registered

    Joined:
    Jun 18, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    51
    I can write. the folder was created successfully
     
    #4 alekid, Jul 26, 2011
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,546
    Likes Received:
    291
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    I'm curious about that file, doesn't seem normal to me and has a funny smell [;)], can you delete it?
     
    #5 Infopro, Jul 26, 2011
  6. whwrobert

    whwrobert Active Member

    Joined:
    Aug 21, 2009
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    USA
    When are you getting this mail, is it cpanel sending this mail ?
     
    #6 whwrobert, Jul 26, 2011
  7. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,300
    Likes Received:
    42
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Delete it? If it were me I'd look at the contents first. That could very well give an indication whether or not it is malicious.
     
    #7 mtindor, Jul 26, 2011
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,622
    Likes Received:
    24
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    I also wouldn't suggest deleting it, check permissions and cat the file:

    Code:
    ls -lah /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
lsattr /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
cat /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
     
    #8 cPanelTristan, Jul 26, 2011
  9. ultimatehosting

    ultimatehosting Member

    Joined:
    Jul 30, 2011
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Looks like your /usr/tmpDSK is corrupted. You should stop all processes that have files open on /tmp such as MySQL and other applications using:

    /usr/sbin/lsof /tmp

    Run the following commands (in that order):

    /bin/umount -l /tmp
    /bin/umount -l /var/tmp
    /bin/rm -fv /usr/tmpDSK

    /scripts/securetmp

    This should create a new /tmp partition for you, restart apache and mysql and you won't face the same issue again.
     
    #9 ultimatehosting, Jul 30, 2011
  10. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    942
    Likes Received:
    0
    Trophy Points:
    66
    Thank you All
     
    #10 crazyaboutlinux, Jul 9, 2012
(You must log in or sign up to post here.)
Loading...
Similar Threads - [hackcheck] Possible root
  1. VMunich

    Is it possible to whitelist command/programs to be used by shell_exec?

    VMunich, Jul 3, 2017, in forum: Security
    Replies:
    4
    Views:
    78
    quizknows
    Jul 4, 2017
  2. Dave__W

    Global Wildcard Email Filter Possible?

    Dave__W, Jun 29, 2017, in forum: E-mail Discussions
    Replies:
    4
    Views:
    87
    Dave__W
    Jun 29, 2017
  3. Killy123

    Is it possible to add redirect to domain with cPanel API?

    Killy123, Jun 15, 2017, in forum: cPanel Developers
    Replies:
    4
    Views:
    122
    cPanelMichael
    Jul 20, 2017 at 10:21 AM
  4. Luca Sartori

    Use WHM as nameserver, risk and possible issue

    Luca Sartori, May 31, 2017, in forum: Bind / DNS / Nameserver Issues
    Replies:
    5
    Views:
    163
    cPanelMichael
    Jun 5, 2017
  5. Soeren E

    Possible to disable the mails boxtrapper sends?

    Soeren E, May 29, 2017, in forum: E-mail Discussions
    Replies:
    2
    Views:
    110
    cPanelMichael
    May 30, 2017

Share This Page