One of my users on a dedicated server (WHM/cPanel) looks like it has been compromised.
There is always a strange file in /tmp (it is a PHP shell) and I cannot find how the attacker uploads these files.
I got a report log from maldet.
How can I find out where this file was uploaded from?
Code:
malware detect scan report for elite.myserver.com:
SCAN ID: 051115-0408.2127
TIME: May 11 04:08:05 -0500
PATH: /var/www/html
RANGE: 2 days
TOTAL FILES: 145
TOTAL HITS: 1
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}php.cmdshell.unclassed.357 : /tmp/php3Wgm29 => /usr/local/maldetect/quarantine/php3Wgm29.17334
malware detect scan report for elite.myserver.com:
SCAN ID: 051115-0408.2188
TIME: May 11 04:08:05 -0500
PATH: /usr/local/apache/htdocs
RANGE: 2 days
TOTAL FILES: 145
TOTAL HITS: 1
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}php.cmdshell.unclassed.357 : /tmp/php3Wgm29 => /usr/local/maldetect/quarantine/php3Wgm29.9558
Regards.