The Community Forums


Is my Server Compromised? - Bash Script loaded through PHP in TMP

Discussion in 'Security' started by crspyjohn, May 14, 2013.

  1. crspyjohn

    crspyjohn Registered

    Joined:
    Apr 5, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    I thought I secured TMP when I set up the server but I guess I forgot. Last night I received a notice from LFD about a suspicious file.

    lfd[949]: *Suspicious File* /tmp/php5aIKvW [auser1:auser1 (507:508)] - Script, starts with #!

    The site is running Glype Proxy, with suphp. When I checked the TMP folder the file was gone (assumed it was auto-cleared and the notice was 2-3 days ago). I deleted the entire tmp folder contents, deleted the site and reuploaded all the files, ran chkrootkit + rkhunter and everything appears alright.

    What else should I do to check if my server has been compromised?
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
  3. Veeble-Adam

    Veeble-Adam Active Member

    Joined:
    May 7, 2013
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    You may do the following:

    1. Use a scanner and make sure no malicious files are present.
    2. Check the /etc/passwd file and confirm that there are no suspicious users - many scripts do this.
    3. Change the root password and reboot the server.

    This should help.
     
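The two checks discussed above (the LFD "starts with #!" signal from the first post and the "look for suspicious users in /etc/passwd" step from the reply) in a form you can run against copies of the files, as an added example that is not code from any post in this thread or from cPanel/LFD. It assumes a POSIX sh with awk, find and head -c, and that system accounts have UIDs below 500 (the CentOS 6 default; the threshold is a parameter).

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel/LFD. It reproduces two
# of the checks discussed in the thread so they can be run against copies of
# the files: the LFD "starts with #!" test from the first post and the
# "look for suspicious users in /etc/passwd" step from the reply.
# Assumption: system accounts have UIDs below 500 (CentOS 6 default); pass a
# second argument to suspicious_passwd_entries to change that threshold.

# List accounts in a passwd-format file that deserve a second look:
#  - any UID 0 account that is not root (a classic backdoor account)
#  - any system account (UID below the threshold) that has a login shell
#    instead of nologin/false
suspicious_passwd_entries() {
    awk -F: -v sysmax="${2:-500}" '
        $3 == 0 && $1 != "root" { print $1 ": extra UID 0 account" }
        $3 != 0 && $3 < sysmax && $7 !~ /(nologin|false)$/ {
            print $1 ": system UID " $3 " with login shell " $7
        }
    ' "$1"
}

# List regular files under a directory whose first two bytes are "#!", the
# same signal that triggered the "Suspicious File ... starts with #!" alert.
# The if keeps the loop status at 0 when the last file does not match.
scripts_in_dir() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Run both checks when invoked with two arguments, e.g.
#   sh check_tmp_and_passwd.sh /etc/passwd /tmp
if [ "$#" -ge 2 ]; then
    echo "== accounts worth a look in $1"
    suspicious_passwd_entries "$1"
    echo "== files under $2 that start with #!"
    scripts_in_dir "$2"
fi
```

A file flagged by the second check is not proof of compromise on its own (legitimate installers drop scripts in /tmp too); it is the same trigger LFD used, so you can see what it would have fired on.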
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    It's more than likely just the one user with an issue; they likely have an insecure PHP script. /tmp is world writable (and should be), so it's unlikely your server is rooted if that's the only bad file you found. As recommended, use maldet (Linux Malware Detect) to scan that user's public_html content.

    Also, if you're on CentOS 6, disable compiler access in WHM until a new kernel comes out.
     