
Lot of phpshell files at /tmp folder

Discussion in 'General Discussion' started by bsasninja, Aug 21, 2006.

  1. bsasninja

    bsasninja Well-Known Member

    I find a lot of phpshell files in the /tmp folder every day, and all of these files are 0 bytes.
    They look like this:

    phpshellxjduw
    phpshellciaui
    phpshelleipzf

    etc. I did a grep "phpshell" in the domlogs directory but I didn't find anything there. Does anyone else have this issue?

    Thank you
     
  2. websupport

    websupport Well-Known Member

    Need to secure /tmp

    Hello,

    PhpShell tries to give you a shell wrapped in a PHP script. It's a tool you
    can use to execute commands on your remote webserver, even if you
    don't have normal telnet or SSH access.

    So delete the phpshell files from the /tmp folder and secure your /tmp folder.

    Add the following to your php.ini file:
    disable_functions = system, exec, shell_exec, passthru

    Warning: This may break other scripts on your server, but it greatly increases the security on your server.

    :)
     
  3. bsasninja

    bsasninja Well-Known Member

    yes

    I already have the /tmp folder secured and a lot of disabled functions in php.ini. Anyway, these files appear in the tmp folder; they are not executable, all have chmod 0644, and they seem to be truncated because they are 0 bytes.

    Thanks
     
  4. carluk

    carluk Well-Known Member

    Does the following bring up anything?

    Code:
    grep phpshell /etc/httpd/logs/access_log
    
     
  5. jay1228

    jay1228 Member

    Thank you for the tip; it looks like this is working. I just added the line all the way at the end of the php.ini file. That should do it, correct?
     
  6. mctDarren

    mctDarren Well-Known Member

    You should check /var/tmp and /dev/shm also if you ever see shell files in /tmp...
     
  7. tweakservers

    tweakservers Well-Known Member

    Also check whether there's any suspicious process running in the background, since the files were uploaded a few days back.
     
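A triage sketch for the checks suggested in this thread, added here as an example (not posted by any participant and not cPanel code): it lists phpshell* files in /tmp, /var/tmp and /dev/shm with size, mode and owner, and reports which of the four functions from the suggested disable_functions line are not disabled in a given php.ini. The function names, the PHP_INI variable and the last-line-wins handling of a repeated directive are assumptions; it needs GNU find.

```shell
#!/bin/sh
# Added example: triage for the zero-byte phpshell* files discussed in the thread.

# List phpshell* files in the given directories as tab-separated fields:
# size, mode, owner, mtime, path. The owner shows which account created the file.
scan_phpshell() {
    local dir
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 2 -xdev -type f -name 'phpshell*' \
            -printf '%s\t%m\t%u\t%TY-%Tm-%Td %TH:%TM\t%p\n' 2>/dev/null || true
    done
}

# Print each function from the thread's suggested list that is NOT in the
# active disable_functions line of the given php.ini.
missing_disabled() {
    local ini line fn
    ini=$1
    # Commented-out (;) lines are skipped. Assumption: if the directive is
    # repeated, the last uncommented line is the one in effect.
    line=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" | tail -n 1)
    line=${line#*=}      # keep the value only
    line=${line%%;*}     # drop a trailing ; comment
    line=$(printf '%s' "$line" | tr -d ' \t"')
    for fn in system exec shell_exec passthru; do
        # Match whole names only: "shell_exec" must not count as "exec".
        case ",$line," in
            *",$fn,"*) ;;
            *) echo "$fn" ;;
        esac
    done
}

# Directories named in the thread. PHP_INI is a caller-supplied path (assumption).
scan_phpshell /tmp /var/tmp /dev/shm
if [ -n "${PHP_INI:-}" ]; then
    missing_disabled "$PHP_INI" | sed 's/^/not disabled: /'
fi
```

Run it with `PHP_INI` set to the php.ini the web server actually loads; a file owned by the web server user rather than a site account points at a script run through Apache.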