Lot of phpshell files at /tmp folder

Discussion in 'General Discussion' started by bsasninja, Aug 21, 2006.

  1. bsasninja

    bsasninja Well-Known Member

    Every day I find a lot of phpshell files in the /tmp folder; all of these files are 0 bytes.
    And they look like this:

    phpshellxjduw
    phpshellciaui
    phpshelleipzf

    etc. I did a grep "phpshell" in the domlogs directory but I didn't find anything there. Does anyone else have this issue?

    Thank you
     
  2. websupport

    websupport Well-Known Member

    Need to secure /tmp

    Hello,

    PhpShell tries to give you a shell wrapped in a PHP script. It's a tool you
    can use to execute commands on your remote webserver, even if you
    don't have normal telnet or SSH access.

    So delete the phpshell files from the /tmp folder and secure your /tmp folder.

    Add the following to your php.ini file:
    disable_functions = system, exec, shell_exec, passthru

    Warning: This may break other scripts on your server, but it greatly increases the security on your server.

    :)
     
  3. bsasninja

    bsasninja Well-Known Member

    yes

    I already have the /tmp folder secured and a lot of disabled functions in php.ini. Anyway, these files appear in the /tmp folder; they are not executable, all have chmod 0644, and they seem to be truncated because they are 0 bytes.

    Thanks
     
  4. carluk

    carluk Well-Known Member

    Does the following bring up anything?

    Code:
    grep phpshell /etc/httpd/logs/access_log
    
     
  5. jay1228

    jay1228 Member

    Thank you for the tip, looks like this is working. I just added the line all the way at the end of the php.ini file; that should do it, correct?
     
  6. mctDarren

    mctDarren Well-Known Member

    You should check /var/tmp and /dev/shm also if you ever see shell files in /tmp...
     
  7. tweakservers

    tweakservers Well-Known Member

    Also check whether there's any suspicious process running in the background, since the files were uploaded a few days back.
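
The checks suggested in this thread (phpshell* files in /tmp, /var/tmp and /dev/shm, plus processes running out of those directories), combined into one triage script. This is an added example, not code posted by any participant; it assumes GNU find and a Linux /proc, and the function names are illustrative.

```shell
#!/bin/sh
# Added triage example (not from the thread). Assumes GNU find and Linux /proc.
# PATTERN is taken from the file names quoted in the first post.
PATTERN='phpshell*'

# list_suspect_files DIR...
# Prints owner<TAB>size<TAB>mtime<TAB>path for every matching regular file.
# The owner column shows which account's PHP process created the file.
list_suspect_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name "$PATTERN" \
            -printf '%u\t%s\t%TY-%Tm-%Td %TH:%TM\t%p\n' 2>/dev/null
    done
}

# count_by_owner DIR...
# Prints "count owner" per file owner, largest count first.
count_by_owner() {
    list_suspect_files "$@" | cut -f1 | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# under PATH DIR: true when PATH is DIR or lies below it (DIR without trailing /).
under() { case "$1/" in "$2"/*) return 0 ;; esac; return 1; }

# procs_in_dirs DIR...
# Prints pid<TAB>cwd<TAB>exe for processes whose working directory or binary is
# under one of the directories. Run as root to see other users' processes.
procs_in_dirs() {
    for p in /proc/[0-9]*; do
        cwd=$(readlink "$p/cwd" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || exe='?'
        for dir in "$@"; do
            if under "$cwd" "$dir" || under "$exe" "$dir"; then
                printf '%s\t%s\t%s\n' "${p#/proc/}" "$cwd" "$exe"
                break
            fi
        done
    done
}

# Usage: sh triage.sh /tmp /var/tmp /dev/shm
if [ "$#" -gt 0 ]; then
    list_suspect_files "$@"
    count_by_owner "$@"
    procs_in_dirs "$@"
fi
```

The timestamps from the first function give the time window to search for in the per-domain access logs, which is more reliable than grepping those logs for the file name itself.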
     