Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

[hackcheck] Possible root compromise detected

Discussion in 'Security' started by alekid, Jul 24, 2011.

  1. alekid

    alekid Registered

    Joined:
    Jun 18, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    51
    I am getting the following mail:


    Attempts to create new directories or files whose filenames begin with numbers have failed.
    This is indicative of a root compromise of the server.

    The exact error encountered was:

    Failed to create directory /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb: File exists

    that can ahcer about it?
     
    #1 alekid, Jul 24, 2011
  2. whwrobert

    whwrobert Active Member

    Joined:
    Aug 21, 2009
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    USA
    Check if /tmp is in readonly mode, if it is is in readonly mode it will not create files there also your mysql may also go down.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 whwrobert, Jul 25, 2011
  3. gvard

    gvard Well-Known Member
    PartnerNOC

    Joined:
    Dec 22, 2003
    Messages:
    197
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    Athens/GREECE
    cPanel Access Level:
    DataCenter Provider
    Hello,

    Try typing
    Code:
    mkdir /tmp/1
    and let us know of the results. If you cannot create this directory (and of course it doesn't exist already), then there might be a 'suckit' rootkit situation.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 gvard, Jul 26, 2011
  4. alekid

    alekid Registered

    Joined:
    Jun 18, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    51
    I can write. the folder was created successfully
     
    #4 alekid, Jul 26, 2011
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,352
    Likes Received:
    402
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    I'm curious about that file, doesn't seem normal to me and has a funny smell [;)], can you delete it?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 Infopro, Jul 26, 2011
  6. whwrobert

    whwrobert Active Member

    Joined:
    Aug 21, 2009
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    USA
    When are you getting this mail, is it cpanel sending this mail ?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 whwrobert, Jul 26, 2011
  7. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,344
    Likes Received:
    58
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Delete it? If it were me I'd look at the contents first. That could very well give an indication whether or not it is malicious.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #7 mtindor, Jul 26, 2011
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    I also wouldn't suggest deleting it, check permissions and cat the file:

    Code:
    ls -lah /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
lsattr /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
cat /tmp/cpanel.TMP.work.UMbHdPgEhOq7vppb
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #8 cPanelTristan, Jul 26, 2011
  9. ultimatehosting

    ultimatehosting Member

    Joined:
    Jul 30, 2011
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Looks like your /usr/tmpDSK is corrupted. You should stop all processes that have files open on /tmp such as MySQL and other applications using:

    /usr/sbin/lsof /tmp

    Run the following commands (in that order):

    /bin/umount -l /tmp
    /bin/umount -l /var/tmp
    /bin/rm -fv /usr/tmpDSK

    /scripts/securetmp

    This should create a new /tmp partition for you, restart apache and mysql and you won't face the same issue again.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #9 ultimatehosting, Jul 30, 2011
  10. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    941
    Likes Received:
    0
    Trophy Points:
    66
    Thank you All
     
    #10 crazyaboutlinux, Jul 9, 2012
(You must log in or sign up to post here.)
Loading...
Similar Threads - [hackcheck] Possible root
  1. albatroz

    Is it possible for a rogue code to insert a cron job?

    albatroz, Aug 28, 2018, in forum: Security
    Replies:
    2
    Views:
    95
    cPanelLauren
    Aug 29, 2018
  2. Kent Brockman

    How can I rename package names in the safest possible way?

    Kent Brockman, Jul 24, 2018, in forum: General Discussion
    Replies:
    1
    Views:
    96
    cPanelLauren
    Jul 25, 2018
  3. sebosiris

    SOLVED PHP FPM - impossible to validate new configuration

    sebosiris, Jun 5, 2018, in forum: EasyApache
    Replies:
    6
    Views:
    211
    cPanelMichael
    Jun 8, 2018
  4. David_spm

    Possible to install CSF via WHM GUI?

    David_spm, May 29, 2018, in forum: Security
    Replies:
    2
    Views:
    166
    David_spm
    May 30, 2018
  5. Rogeriogr1

    Is it possible to install cPanel 68?

    Rogeriogr1, May 16, 2018, in forum: General Discussion
    Replies:
    3
    Views:
    121
    cPanelLauren
    May 17, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice