The Community Forums

Interact with an entire community of cPanel & WHM users!

How to find what site is vulnerable

Discussion in 'Security' started by yamaharr1, Jun 29, 2010.

  1. yamaharr1

    yamaharr1 Well-Known Member

    I have some exploit scripts that keep getting into tmp. The most likely reason is an insecure website on the server, and I would like to know if there is a way to find out which one.

    cPanel 11.25.0-C46156 - WHM 11.25.0 - X 3.9
    CENTOS 5.5 i686

    I am not running suPHP but will be converting over very soon.

    I have tried grep, but it hasn't returned anything:

    grep -i scan.txt /usr/local/apache/domlogs/*

    Some of the files I am finding are:

    scan.txt
    -O

    Thank you for any help anyone can offer.
     
  2. yamaharr1

    yamaharr1 Well-Known Member

    Did I post this in the wrong section?
     
  3. ggooden

    ggooden Member

    Did you ever get an answer? I've been seeing the same thing and having the same problem. :)
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Securing tmp and moving over to SuPHP is one sure-fire way to find out what's going on, quick. Your logs will help a great deal then, I would think.

    You might like to see this link if you haven't by now:
    http://www.configserver.com/cp/cxs.html
     
    #4 Infopro, Jul 2, 2010
    Last edited: Jul 2, 2010
  5. WiredTree Joe

    WiredTree Joe Well-Known Member
    PartnerNOC

    What is the owner/group on the files found in /tmp? If it is 'nobody', then switching to SuPHP (if the file is in fact being uploaded via PHP) will most likely help track that down to what user is putting that file in /tmp, as Infopro already stated. If it has the ownership of a cPanel user, and you are running PHP via DSO and not SuPHP, that most likely means it got there through some other method.
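
The owner check described in the last post, plus a time-based match against the domlogs for cases where grepping for the file name returns nothing, as an added example that is not part of the thread. It assumes GNU stat and date and Apache combined-format logs; the function names and hint strings are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat/date and Apache
# combined-format logs such as those under /usr/local/apache/domlogs/.

# Hint for the next step, following the owner reasoning in the last post.
classify_owner() {
  case "$1" in
    nobody) echo "webserver-user: written through Apache (PHP as DSO); correlate with domlogs" ;;
    root)   echo "root: review system-level activity" ;;
    *)      echo "account-user: written as that account, likely outside DSO PHP" ;;
  esac
}

# Print "owner<TAB>mtime-epoch<TAB>path<TAB>hint" for each regular file in DIR.
# Paths keep the directory prefix so names like "-O" are not read as options.
triage_dir() {
  for f in "$1"/* "$1"/.[!.]*; do
    [ -f "$f" ] || continue
    owner=$(stat -c '%U' -- "$f")
    printf '%s\t%s\t%s\t%s\n' "$owner" "$(stat -c '%Y' -- "$f")" "$f" "$(classify_owner "$owner")"
  done
  return 0
}

# Print log lines whose timestamp is within WINDOW seconds of EPOCH.
# Usage: requests_near EPOCH WINDOW LOGFILE...
requests_near() {
  target=$1; window=$2; shift 2
  for log in "$@"; do
    while IFS= read -r line; do
      ts=${line#*\[}; ts=${ts%%\]*}                    # 29/Jun/2010:10:15:32 -0500
      ts=$(printf '%s' "$ts" | sed 's#/# #g; s#:# #')  # 29 Jun 2010 10:15:32 -0500
      epoch=$(date -d "$ts" +%s 2>/dev/null) || continue
      delta=$(( epoch - target ))
      if [ "$delta" -lt 0 ]; then delta=$(( 0 - delta )); fi
      if [ "$delta" -le "$window" ]; then printf '%s: %s\n' "$log" "$line"; fi
    done < "$log"
  done
  return 0
}

# Example run (paths from the thread):
#   triage_dir /tmp
#   requests_near "$(stat -c %Y /tmp/scan.txt)" 120 /usr/local/apache/domlogs/*
```

Each domlog is named after the site it serves, so the log name printed in front of a matching line identifies the site that was handling requests when the file appeared.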
     