Is my Server Compromised? - Bash Script loaded through PHP in TMP

crspyjohn

Registered
Apr 5, 2006
I thought I secured TMP when I set up the server, but I guess I forgot. Last night I received a notice from LFD about a suspicious file.

lfd[949]: *Suspicious File* /tmp/php5aIKvW [auser1:auser1 (507:508)] - Script, starts with #!

The site is running Glype Proxy, with suphp. When I checked the TMP folder the file was gone (I assumed it was auto-cleared, and the notice was 2-3 days ago). I deleted the entire tmp folder contents, deleted the site and reuploaded all the files, ran chkrootkit + rkhunter, and everything appears alright.

What else should I do to check if my server has been compromised?

Veeble-Adam

Active Member
May 7, 2013
cPanel Access Level
Root Administrator
You may do the following:

1. Use a scanner and make sure no malicious files are present.
2. Check the /etc/passwd file and confirm that there are no suspicious users - many scripts do this.
3. Change the root password and reboot the server.

This should help.

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
It's more than likely just the one user with an issue; they likely have an insecure PHP script. /tmp is world-writable (and should be), so it's unlikely your server is rooted if that's the only bad file you found. As recommended, use maldet (Linux Malware Detect) to scan that user's public_html content.

Also, if you're on CentOS 6, disable compiler access in WHM until a new kernel comes out.
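An added example (not from any poster in this thread) that turns two of the checks above into a script: the first function reproduces the kind of detection LFD reported, looking in a temp directory for PHP upload temporaries (PHP names them `php` plus six random characters) that begin with a `#!` interpreter line; the second implements step 2 of Veeble-Adam's reply by listing accounts in a passwd file that carry UID 0 but are not `root`. Directory and file paths are parameters, so it can be run against a copy rather than the live system.

```sh
#!/bin/sh
# Added example: replicate LFD's "Script, starts with #!" check over a temp
# directory, and audit a passwd file for extra UID 0 accounts.
# Usage: find_suspicious_tmp_scripts /tmp ; find_extra_root_accounts /etc/passwd

# Print every file in $1 (default /tmp) named like a PHP upload temporary
# (php + six characters) whose first two bytes are "#!", i.e. a script that
# was uploaded through PHP rather than an ordinary upload. Output mirrors the
# LFD notice format: path [owner:group (uid:gid)] - Script, starts with #!
find_suspicious_tmp_scripts() {
    dir="${1:-/tmp}"
    for f in "$dir"/php??????; do
        # With no matches the glob stays literal; skip anything not a regular file.
        [ -f "$f" ] || continue
        # Only the first two bytes are needed to spot an interpreter line.
        magic=$(head -c 2 "$f" 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            # GNU stat first, BSD stat as fallback, for the owner details.
            owner=$(stat -c '%U:%G (%u:%g)' "$f" 2>/dev/null \
                || stat -f '%Su:%Sg (%u:%g)' "$f")
            printf '%s [%s] - Script, starts with #!\n' "$f" "$owner"
        fi
    done
}

# Print account names from the passwd file $1 (default /etc/passwd) whose
# UID is 0 but whose name is not root: a planted root-equivalent account is
# one of the things a compromise script commonly leaves behind.
find_extra_root_accounts() {
    passwd="${1:-/etc/passwd}"
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$passwd"
}
```

Both functions print only findings, so empty output means nothing matched the check; a hit from the first function should be followed by a malware scan of that user's public_html, as quizknows suggests.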