malicious files in /tmp

Discussion in 'General Discussion' started by thekonqueror, Jun 19, 2006.

  1. thekonqueror

    I often see files in /tmp with names similar to:

    20060609-100932-82.107.0.12-request_body-vnF0dR
    20060610-053635-81.200.20.51-request_body-TKCst1
    20060611-192526-200.204.117.234-request_body-dT3rfC
    20060612-130912-64.179.175.210-request_body-BU13ey
    20060613-103307-152.163.101.12-request_body-ybI60S
    20060616-060720-202.56.207.98-request_body-DpBFtG
    20060619-202527-202.67.113.212-request_body-54RVAM
    20060619-203406-200.4.169.6-request_body-6qA7sC

    Sometimes, these files are uploaded more than once a day in /tmp. I'm sure these files are used for spamming, but couldn't find who uploads these files. xferlog doesn't give any clues.

    /tmp is secured as per eth0.us. Any way to track the user who uploads these files?
     
    #1 thekonqueror, Jun 19, 2006
    Last edited: Jun 19, 2006
  2. bhd

    If you have Suexec installed, you will be able to see which user and group own the files by doing an ls -alh.
     
  3. WebScHoLaR

    You can check /var/log/messages for ftp logs and also cPanel logs at /usr/local/cpanel/logs/access_log
     
  4. XPerties

    I wanted to say that what bhd wrote above is not true. I have had this issue for weeks on many servers, all of which run Suexec. I have a brand new server which I just transferred clients over to and I see these files already in the tmp/ dir. This tells me it's an account that has been infected.
     
  5. jsnape

    I believe that is comment spam. I found out by running all POST calls through a virus checker using mod_security and it always linked up with one of the WordPress-like comment forms.
     
  6. jack01

    Update...

    I believe these files are generated by the file manager in cPanel.

    Can anyone from cPanel confirm this?
     
  7. ramprage

    I believe these are due to mod_evasive being installed.
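
Added example, not part of any post above: the names in the first post look like date, time, client IPv4 address and a random suffix (an inference from the listing, not a documented format), so one way to trace them is to match each name against POST requests from the same IP in an Apache access log. The log lines and request paths below are constructed, and the log is assumed to use the same time zone as the file names.

```python
import re
from datetime import datetime, timedelta

# Format inferred from the names in the first post (an assumption):
# YYYYMMDD-HHMMSS-<client IPv4>-request_body-<random suffix>
NAME_RE = re.compile(
    r"^(\d{8})-(\d{6})-(\d{1,3}(?:\.\d{1,3}){3})-request_body-(\w+)$")
# Start of an Apache common/combined log line: ip - - [time zone] "METHOD path
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+)[^\]]*\] "(\S+) (\S+)')

def parse_name(name):
    """Return (timestamp, client_ip) for a matching file name, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S"), m.group(3)

def parse_log_line(line):
    """Return (timestamp, client_ip, method, path), else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")  # zone offset ignored
    return ts, m.group(1), m.group(3), m.group(4)

def correlate(names, log_lines, window=timedelta(seconds=5)):
    """Map each temp-file name to POST paths from the same IP within `window`."""
    posts = {}
    for rec in filter(None, map(parse_log_line, log_lines)):
        if rec[2] == "POST":
            posts.setdefault(rec[1], []).append((rec[0], rec[3]))
    hits = {}
    for name in names:
        parsed = parse_name(name)
        if parsed:
            ts, ip = parsed
            hits[name] = [p for t, p in posts.get(ip, []) if abs(t - ts) <= window]
    return hits

# File names taken from the first post; log lines are constructed sample data.
NAMES = ["20060609-100932-82.107.0.12-request_body-vnF0dR",
         "20060610-053635-81.200.20.51-request_body-TKCst1"]
LOG = ['82.107.0.12 - - [09/Jun/2006:10:09:31 +0000] "POST /blog/comment.php HTTP/1.1" 200 512',
       '82.107.0.12 - - [09/Jun/2006:10:02:00 +0000] "GET /blog/ HTTP/1.1" 200 9000',
       '81.200.20.51 - - [10/Jun/2006:09:00:00 +0000] "POST /contact.php HTTP/1.0" 200 120']

if __name__ == "__main__":
    for name, paths in correlate(NAMES, LOG).items():
        print(name, "->", paths or "no matching POST in log")
```

A name that matches no request means either the log searched belongs to a different virtual host or the clocks differ by more than the window.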
     