Is my Server Compromised? - Bash Script loaded through PHP in TMP

Discussion in 'Security' started by crspyjohn, May 14, 2013.

  1. crspyjohn

    crspyjohn Registered

    Joined:
    Apr 5, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    151
    I thought I secured TMP when I set up the server, but I guess I forgot. Last night I received a notice from LFD about a suspicious file.

    lfd[949]: *Suspicious File* /tmp/php5aIKvW [auser1:auser1 (507:508)] - Script, starts with #!

    The site is running Glype Proxy, with suphp. When I checked the TMP folder the file was gone (assumed it was auto-cleared and the notice was 2-3 days ago). I deleted the entire tmp folder contents, deleted the site and reuploaded all the files, ran chkrootkit + rkhunter and everything appears alright.

    What else should I do to check if my server has been compromised?
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,789
    Likes Received:
    83
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
  3. Veeble-Adam

    Veeble-Adam Active Member

    Joined:
    May 7, 2013
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    You may do the following:

    1. Use a scanner and make sure no malicious files are present.
    2. Check the /etc/passwd file and confirm that there are no suspicious users - many scripts do this.
    3. Change the root password and reboot the server.

    This should help.
     
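An added example, not part of the thread or of cPanel's own tooling, that turns step 2 of the reply above (review /etc/passwd for suspicious accounts) into something you can run. The passwd lines embedded in it are constructed for an offline run; the three rules it applies (a second UID 0 account, an interactive login shell on a non-root account, a home directory under /tmp) are the editor's choices, not anything the post spells out.

```shell
#!/bin/sh
# Added example, not from the thread: the "/etc/passwd" check from the
# reply above, made concrete. Reports accounts that deserve a second look:
#   UID0    - a UID 0 account other than root
#   SHELL   - a non-root account whose login shell is not a no-login shell
#   TMPHOME - an account whose home directory lives under /tmp
# Run it as: audit_passwd /etc/passwd

# Constructed passwd content so the script can be tried offline. The
# auser1 line mirrors the uid:gid quoted in the lfd alert; toor and
# sysadm are planted to show what a hit looks like.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
auser1:x:507:508::/home/auser1:/usr/local/cpanel/bin/noshell
toor:x:0:0::/root:/bin/bash
sysadm:x:1002:1002::/tmp/.sysadm:/bin/sh'

audit_passwd() {
    # $1: passwd-format file. Prints one "TAG user" line per finding; a
    # user can match more than one rule.
    awk -F: '
        /^#/ || NF < 7 { next }
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        $6 ~ /^\/tmp(\/|$)/ { print "TMPHOME " $1 }
        $1 != "root" && $7 !~ /(nologin|noshell|false|sync|halt|shutdown)$/ { print "SHELL " $1 }
    ' "$1"
}

# Demonstration against the constructed sample; swap in /etc/passwd on a
# real host.
sample=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$sample"
audit_passwd "$sample"
rm -f "$sample"
```

On the sample this prints UID0 and SHELL for toor and TMPHOME and SHELL for sysadm, and nothing for the real cPanel account auser1 because its shell is cPanel's noshell. The SHELL rule is noisy on a box with legitimate SSH users, so read it as "accounts to account for" rather than "accounts to delete"; the UID0 rule is the one that should never fire.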
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    It's more than likely just the one user with an issue; they likely have an insecure PHP script. /tmp is world writable (and should be), so it's unlikely your server is rooted if that's the only bad file you found. As recommended, use maldet (Linux Malware Detect) to scan that user's public_html content.

    Also, if you're on CentOS 6, disable compiler access in WHM until a new kernel comes out.
     
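An added example, not from the thread: the two checks the posts point at, reproduced in plain POSIX shell. The first lists files under a directory whose first two bytes are "#!", which is the condition the lfd alert in the opening post reports ("Script, starts with #!"), together with their owner, so you can tell which account dropped them. The second reads a /proc/mounts-style file and reports whether /tmp is a separate mount carrying noexec and nosuid, which is what "securing /tmp" on a server like this normally means. The sandbox files and mount lines are constructed; the device name /usr/tmpDSK is an assumption used only to make the sample look realistic.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks that follow from the
# posts above: (1) find_shebang_scripts reproduces the "Script, starts
# with #!" condition in the lfd alert, listing owner:group and path for
# every regular file under a directory whose first two bytes are "#!";
# (2) check_tmp_mount reads a /proc/mounts-style file and reports whether
# /tmp is a separate mount carrying noexec and nosuid. Uses only POSIX
# sh, find, dd, ls and awk.

find_shebang_scripts() {
    # $1: directory to scan (e.g. /tmp). Output: "owner:group path".
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        # dd reads exactly the first two bytes without loading the file.
        if [ "$(dd if="$f" bs=2 count=1 2>/dev/null)" = '#!' ]; then
            printf '%s %s\n' "$(ls -ld "$f" | awk '{ print $3 ":" $4 }')" "$f"
        fi
    done
}

check_tmp_mount() {
    # $1: file in /proc/mounts format (device mountpoint fstype options ...).
    # Prints one of:
    #   none - /tmp is not its own mount (it inherits / and is executable)
    #   weak - /tmp is a mount but lacks noexec and/or nosuid
    #   ok   - /tmp is mounted with both noexec and nosuid
    awk '
        $2 == "/tmp" {
            found = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) opt[o[i]] = 1
        }
        END {
            if (!found)                                        print "none"
            else if (("noexec" in opt) && ("nosuid" in opt))   print "ok"
            else                                               print "weak"
        }' "$1"
}

# Constructed sandbox standing in for /tmp: one shell script named like a
# PHP upload temp file, one PHP source file, one plain session file. Only
# the first should be reported.
make_sample_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho placeholder\n' > "$d/php5aIKvW"
    printf '<?php echo "x";\n' > "$d/phpXYZ123"
    printf 'a|s:1:"b";\n' > "$d/sess_0123456789"
    printf '%s\n' "$d"
}

# Constructed /proc/mounts lines: a /tmp loop mount without hardening
# options, and the same mount with them (device name is an assumption).
SAMPLE_MOUNTS_WEAK='/dev/sda1 / ext4 rw,relatime,data=ordered 0 0
/usr/tmpDSK /tmp ext3 rw,relatime 0 0'
SAMPLE_MOUNTS_OK='/dev/sda1 / ext4 rw,relatime,data=ordered 0 0
/usr/tmpDSK /tmp ext3 rw,nosuid,noexec,relatime 0 0'

# Demonstration run. On a real host use: find_shebang_scripts /tmp
# and check_tmp_mount /proc/mounts.
d=$(make_sample_dir)
find_shebang_scripts "$d"
rm -rf "$d"
m=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS_WEAK" > "$m"; printf 'weak sample: %s\n' "$(check_tmp_mount "$m")"
printf '%s\n' "$SAMPLE_MOUNTS_OK" > "$m";   printf 'ok sample:   %s\n' "$(check_tmp_mount "$m")"
rm -f "$m"
```

Two caveats worth keeping in mind when reading the results. A file named like php5aIKvW is what PHP's upload handling creates for every multipart upload, so the name alone is not the signal; the shebang content and the fact that it is still there after the request finished are. And noexec on /tmp only stops the file from being executed directly: `sh /tmp/php5aIKvW` still runs it, so the mount option raises the bar for drive-by droppers but does not replace fixing the script that wrote the file.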