[hackcheck] Possible root compromise detected

[alekid]

I am getting the following mail:


Attempts to create new directories or files whose filenames begin with numbers have failed.
This is indicative of a root compromise of the server.

The exact error encountered was:

Failed to create directory /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb: File exists

that can ahcer about it?

 

[whwrobert]

Check if /tmp is in readonly mode, if it is is in readonly mode it will not create files there also your mysql may also go down.

 

[gvard]

Hello,

Try typing

mkdir /tmp/1

and let us know of the results. If you cannot create this directory (and of course it doesn't exist already), then there might be a 'suckit' rootkit situation.

 

[alekid]

I can write. the folder was created successfully

 

[Infopro]

Failed to create directory /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb: File exists

I'm curious about that file, doesn't seem normal to me and has a funny smell [], can you delete it?

 

[whwrobert]

I am getting the following mail:


Attempts to create new directories or files whose filenames begin with numbers have failed.
This is indicative of a root compromise of the server.

The exact error encountered was:

Failed to create directory /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb: File exists

that can ahcer about it?

When are you getting this mail, is it cpanel sending this mail ?

 

[mtindor]

Delete it? If it were me I'd look at the contents first. That could very well give an indication whether or not it is malicious.

 

[cPanelTristan]

I also wouldn't suggest deleting it, check permissions and cat the file:

ls -lah /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
lsattr /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
cat /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb

 

[ultimatehosting]

Looks like your /usr/tmpDSK is corrupted. You should stop all processes that have files open on /tmp such as MySQL and other applications using:

/usr/sbin/lsof /tmp

Run the following commands (in that order):

/bin/umount -l /tmp
/bin/umount -l /var/tmp
/bin/rm -fv /usr/tmpDSK

/scripts/securetmp

This should create a new /tmp partition for you, restart apache and mysql and you won't face the same issue again.

 

[crazyaboutlinux]

Thank you All