
malicious files in /tmp

Discussion in 'General Discussion' started by thekonqueror, Jun 19, 2006.

  1. thekonqueror

    I often see files in /tmp with name similar to:

    20060609-100932-82.107.0.12-request_body-vnF0dR
    20060610-053635-81.200.20.51-request_body-TKCst1
    20060611-192526-200.204.117.234-request_body-dT3rfC
    20060612-130912-64.179.175.210-request_body-BU13ey
    20060613-103307-152.163.101.12-request_body-ybI60S
    20060616-060720-202.56.207.98-request_body-DpBFtG
    20060619-202527-202.67.113.212-request_body-54RVAM
    20060619-203406-200.4.169.6-request_body-6qA7sC

    Sometimes, these files are uploaded more than once a day in /tmp. I'm sure these files are used for spamming, but couldn't find who uploads these files. xferlog doesn't give any clues.

    /tmp is secured as per eth0.us. Any way to track users who upload these files?
     
    #1 thekonqueror, Jun 19, 2006
    Last edited: Jun 19, 2006
  2. bhd

    If you have Suexec installed, you will be able to see which user and group owns the files by doing a ls -alh
     
  3. WebScHoLaR

    You can check /var/log/messages for ftp logs and also cPanel logs at /usr/local/cpanel/logs/access_log
     
  4. XPerties

    I wanted to say this is not true above written by bhd. I have had this issue for weeks on many servers, all of which run Suexec. I have a brand new server which I just transferred clients over to and I see these files already in the tmp/ dir. This tells me it's an account that has been infected.
     
  5. jsnape

    I believe that is comment spam. I found out by running all POST calls through a virus checker using mod_security and it always linked up with one of the WordPress-like comment forms.
     
  6. jack01

    Update...

    I believe these files are generated by the file manager in cPanel.

    Can anyone from cPanel confirm this?
     
  7. ramprage

    I believe these are due to mod_evasive being installed.
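
Added example, not part of any post in this thread: a shell helper that combines the ownership check suggested above with the timestamp and client IP embedded in file names shaped like the ones in the first post, so each file can be matched against the web server access log. The function names `list_request_bodies` and `count_by_ip` are hypothetical, and the name layout (date, time, IPv4 address, `request_body`, suffix) is assumed from the names listed in the first post.

```shell
#!/bin/sh
# Added example; not code from the thread.
# Assumed name layout: YYYYMMDD-HHMMSS-<IPv4>-request_body-<suffix>

# Print one tab-separated line per matching file:
#   owner:group  size-in-bytes  timestamp  client-ip  file-name
list_request_bodies() {
    dir=${1:-/tmp}
    for f in "$dir"/*-request_body-*; do
        [ -f "$f" ] || continue              # glob matched nothing, or not a regular file
        name=${f##*/}
        # Split the leading fields on '-': date, time, client IP
        d=${name%%-*};  rest=${name#*-}
        t=${rest%%-*};  rest=${rest#*-}
        ip=${rest%%-*}
        # Skip names that only look similar (non-numeric or wrong-length fields)
        case $d in *[!0-9]*|'') continue;; esac
        case $t in *[!0-9]*|'') continue;; esac
        [ ${#d} -eq 8 ] && [ ${#t} -eq 6 ] || continue
        case $ip in *[!0-9.]*|'') continue;; esac
        # Owner, group and size as reported by ls (columns 3, 4 and 5)
        meta=$(ls -ld -- "$f" | awk '{printf "%s:%s\t%s", $3, $4, $5}')
        # 20060609 100932 -> 2006-06-09 10:09:32, easier to compare with access logs
        ts=$(printf '%s' "$d$t" |
             sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)$/\1-\2-\3 \4:\5:\6/')
        printf '%s\t%s\t%s\t%s\n' "$meta" "$ts" "$ip" "$name"
    done
}

# Count files per client IP, most frequent first ("<count> <ip>").
count_by_ip() {
    list_request_bodies "${1:-/tmp}" |
        awk -F'\t' '{ n[$4]++ } END { for (i in n) print n[i], i }' |
        sort -rn
}
```

Run `list_request_bodies /tmp` as root so every file's owner is visible; the timestamp and IP columns give the values to search for in the domain's access log.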
     