Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

[hackcheck] Possible root compromise detected

Discussion in 'Security' started by alekid, Jul 24, 2011.

  1. alekid

    alekid Registered

    Joined:
    Jun 18, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    51
    I am getting the following mail:


    Attempts to create new directories or files whose filenames begin with numbers have failed.
    This is indicative of a root compromise of the server.

    The exact error encountered was:

    Failed to create directory /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb: File exists

    that can ahcer about it?
     
    #1 alekid, Jul 24, 2011
  2. whwrobert

    whwrobert Active Member

    Joined:
    Aug 21, 2009
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    USA
    Check if /tmp is in readonly mode, if it is is in readonly mode it will not create files there also your mysql may also go down.
     
    #2 whwrobert, Jul 25, 2011
  3. gvard

    gvard Well-Known Member
    PartnerNOC

    Joined:
    Dec 22, 2003
    Messages:
    196
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    Athens/GREECE
    cPanel Access Level:
    DataCenter Provider
    Hello,

    Try typing
    Code:
    mkdir /tmp/1
    and let us know of the results. If you cannot create this directory (and of course it doesn't exist already), then there might be a 'suckit' rootkit situation.
     
    #3 gvard, Jul 26, 2011
  4. alekid

    alekid Registered

    Joined:
    Jun 18, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    51
    I can write. the folder was created successfully
     
    #4 alekid, Jul 26, 2011
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,076
    Likes Received:
    350
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    I'm curious about that file, doesn't seem normal to me and has a funny smell [;)], can you delete it?
     
    #5 Infopro, Jul 26, 2011
  6. whwrobert

    whwrobert Active Member

    Joined:
    Aug 21, 2009
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    USA
    When are you getting this mail, is it cpanel sending this mail ?
     
    #6 whwrobert, Jul 26, 2011
  7. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,326
    Likes Received:
    50
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Delete it? If it were me I'd look at the contents first. That could very well give an indication whether or not it is malicious.
     
    #7 mtindor, Jul 26, 2011
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,609
    Likes Received:
    31
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    I also wouldn't suggest deleting it, check permissions and cat the file:

    Code:
    ls -lah /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
lsattr /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
cat /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
     
    #8 cPanelTristan, Jul 26, 2011
  9. ultimatehosting

    ultimatehosting Member

    Joined:
    Jul 30, 2011
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Looks like your /usr/tmpDSK is corrupted. You should stop all processes that have files open on /tmp such as MySQL and other applications using:

    /usr/sbin/lsof /tmp

    Run the following commands (in that order):

    /bin/umount -l /tmp
    /bin/umount -l /var/tmp
    /bin/rm -fv /usr/tmpDSK

    /scripts/securetmp

    This should create a new /tmp partition for you, restart apache and mysql and you won't face the same issue again.
     
    #9 ultimatehosting, Jul 30, 2011
  10. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    941
    Likes Received:
    0
    Trophy Points:
    66
    Thank you All
     
    #10 crazyaboutlinux, Jul 9, 2012
(You must log in or sign up to post here.)
Loading...
Similar Threads - [hackcheck] Possible root
  1. sushlik

    Wildcard SSL via AutoSSL possible?

    sushlik, Feb 10, 2018, in forum: Security
    Replies:
    1
    Views:
    420
    cPanelMichael
    Feb 14, 2018
  2. Trane Francks

    WHM 56.0.52 to 68.0.28 - EA3 to EA4 directly possible

    Trane Francks, Feb 3, 2018, in forum: EasyApache
    Replies:
    2
    Views:
    168
    cPanelMichael
    Feb 13, 2018
  3. electric

    Possible to disable AutoSSL notifications to account owner?

    electric, Jan 11, 2018, in forum: Security
    Replies:
    1
    Views:
    328
    Infopro
    Jan 11, 2018
  4. Mohamed Hamza

    Is it possible to run make apache listen on loopback 127.0.0.1?

    Mohamed Hamza, Nov 25, 2017, in forum: Workarounds and Optimization
    Replies:
    3
    Views:
    290
    cPanelMichael
    Nov 28, 2017
  5. Sametto Chan

    Possible cPanel self eats CPU to RAM?

    Sametto Chan, Nov 18, 2017, in forum: General Discussion
    Replies:
    4
    Views:
    195
    Sametto Chan
    Nov 20, 2017

Share This Page