
[hackcheck] Possible root compromise detected

Discussion in 'Security' started by alekid, Jul 24, 2011.

  1. alekid

    alekid Registered

    Joined:
    Jun 18, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    51
    I am getting the following mail:


    Attempts to create new directories or files whose filenames begin with numbers have failed.
    This is indicative of a root compromise of the server.

    The exact error encountered was:

    Failed to create directory /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb: File exists

    What can I do about it?
     
  2. whwrobert

    whwrobert Active Member

    Joined:
    Aug 21, 2009
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    USA
    Check if /tmp is in read-only mode. If it is, it will not be able to create files there, and your MySQL may also go down.
     
  3. gvard

    gvard Well-Known Member
    PartnerNOC

    Joined:
    Dec 22, 2003
    Messages:
    196
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Athens/GREECE
    cPanel Access Level:
    DataCenter Provider
    Hello,

    Try typing
    Code:
    mkdir /tmp/1
    
    and let us know of the results. If you cannot create this directory (and of course it doesn't exist already), then there might be a 'suckit' rootkit situation.
     
  4. alekid

    alekid Registered

    Joined:
    Jun 18, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    51
    I can write. The folder was created successfully.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,260
    Likes Received:
    390
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    I'm curious about that file, doesn't seem normal to me and has a funny smell ;) can you delete it?
     
  6. whwrobert

    whwrobert Active Member

    Joined:
    Aug 21, 2009
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    USA
    When are you getting this mail? Is it cPanel sending this mail?
     
  7. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,342
    Likes Received:
    57
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Delete it? If it were me I'd look at the contents first. That could very well give an indication whether or not it is malicious.
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    I also wouldn't suggest deleting it, check permissions and cat the file:

    Code:
    ls -lah /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
    lsattr /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
    cat /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
     
  9. ultimatehosting

    Joined:
    Jul 30, 2011
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Looks like your /usr/tmpDSK is corrupted. You should stop all processes that have files open on /tmp such as MySQL and other applications using:

    /usr/sbin/lsof /tmp

    Run the following commands (in that order):

    /bin/umount -l /tmp
    /bin/umount -l /var/tmp
    /bin/rm -fv /usr/tmpDSK

    /scripts/securetmp

    This should create a new /tmp partition for you. Restart Apache and MySQL and you won't face the same issue again.
     
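Added example, not posted by any participant in this thread and not cPanel's own hackcheck or securetmp code: a POSIX sh script that packages the three checks the replies above describe into functions. It repeats gvard's "mkdir /tmp/1" test and classifies the outcome (created, exists and visible, exists but hidden from stat, read-only filesystem), answers whwrobert's read-only question from a /proc/mounts-style table, and reduces the "lsof /tmp" step in ultimatehosting's procedure to the list of processes that must be stopped before the unmount. It assumes mkdir reports errors in the C locale and that lsof uses its default column layout; the mount table and lsof output used for the stand-alone run are constructed samples, not output from the poster's server.

```shell
#!/bin/sh
# Added example (not cPanel's hackcheck or securetmp code). Three checks
# matching the advice in this thread:
#   numeric_create_check  - gvard's "mkdir /tmp/1" test, with the result
#                           classified instead of just pass/fail
#   mount_is_readonly     - whwrobert's read-only /tmp question, answered
#                           from a mounts table such as /proc/mounts
#   open_file_holders     - the "lsof /tmp" step before "umount -l /tmp",
#                           reduced to unique "COMMAND PID" pairs
# SAMPLE_MOUNTS and SAMPLE_LSOF below are constructed for the demo.

# Try to create a directory whose name begins with a digit, which is what
# the hackcheck alert says failed. Prints one word and returns 0 only when
# the directory could be created (and is removed again).
numeric_create_check() {
    base="$1"
    target="$base/1.numeric-check.$$"
    if err=$(LC_ALL=C mkdir "$target" 2>&1); then
        rmdir "$target"
        echo ok
        return 0
    fi
    case "$err" in
        *"File exists"*)
            # mkdir says the entry exists. If stat cannot see it either,
            # something is hiding it from userland, the pattern a file-hiding
            # rootkit produces; if it is visible, inspect it the way
            # cPanelTristan suggests (ls -lah, lsattr, cat) before deleting.
            if [ -e "$target" ]; then echo exists-visible; else echo exists-hidden; fi ;;
        *"Read-only file system"*)
            echo readonly ;;
        *)
            echo other ;;
    esac
    return 1
}

# Return 0 if MOUNTPOINT ($2) appears in MOUNTS_FILE ($1) with the "ro"
# option, e.g.: mount_is_readonly /proc/mounts /tmp
mount_is_readonly() {
    awk -v mp="$2" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Read lsof output on stdin and print unique "COMMAND PID" pairs, i.e. the
# processes that still hold files open under /tmp and must be stopped first.
# e.g.: /usr/sbin/lsof /tmp | open_file_holders
open_file_holders() {
    awk 'NR > 1 && NF >= 2 { print $1, $2 }' | sort -u
}

# Constructed sample data standing in for /proc/mounts and lsof output.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/usr/tmpDSK /tmp ext3 ro,noexec,nosuid,loop 0 0
/dev/sda1 /var/tmp ext3 rw,noexec,nosuid,bind 0 0'

SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 1234 mysql 5u REG 7,0 0 12 /tmp/ibXYZ (deleted)
mysqld 1234 mysql 6u REG 7,0 0 13 /tmp/ibABC (deleted)
httpd 2222 nobody 3u REG 7,0 0 14 /tmp/sess_abc'

# Stand-alone run: a scratch directory instead of /tmp, and the samples
# instead of the live mount table and lsof.
scratch=$(mktemp -d)
echo "numeric create in $scratch: $(numeric_create_check "$scratch")"
mounts=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$mounts"
if mount_is_readonly "$mounts" /tmp; then echo "/tmp: read-only"; else echo "/tmp: writable"; fi
echo "processes holding /tmp open:"
printf '%s\n' "$SAMPLE_LSOF" | open_file_holders
rm -rf "$scratch" "$mounts"
```

On a live server you would call `numeric_create_check /tmp`, `mount_is_readonly /proc/mounts /tmp` and `/usr/sbin/lsof /tmp | open_file_holders` in that order; an `exists-hidden` result is the case worth treating as a possible compromise rather than a broken tmpDSK, and a non-empty holder list means the unmount in the procedure above is not yet safe.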
  10. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    941
    Likes Received:
    0
    Trophy Points:
    66