The Community Forums

Malware tmp folder

Discussion in 'Security' started by DjordjeB, Dec 21, 2017.

  1. DjordjeB

    DjordjeB Well-Known Member

    Joined:
    Nov 24, 2014
    Messages:
    58
    Likes Received:
    6
    Trophy Points:
    8
    Location:
    Macedonia
    cPanel Access Level:
    Root Administrator
    I get this from maldet once a month. Anyone know what this is? If it is dangerous, how do I prevent it?
    I have the latest cPanel (no 3rd-party software) and the latest kernel, so the system is updated.

    FILE HIT LIST:
    {HEX}php.malware.fopo.538 : /tmp/systemd-private-11cbc4cb89194d10b68f70c00007011e-ea-php56-php-fpm.service-St7D8B/tmp/phpYRhpBm => /usr/local/maldetect/quarantine/phpYRhpBm.706132374
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,675
    Likes Received:
    73
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    Check which user has uploaded this file. The user's data may be infected, causing this to occur.

    # ls -l /tmp/systemd-private-11cbc4cb89194d10b68f70c00007011e-ea-php56-php-fpm.service-St7D8B/tmp/phpYRhpBm
    OR
    check the maldet session logs to see when it was quarantined and what process recalled it.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    41,516
    Likes Received:
    1,616
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Let us know if the previous post helps. Note that Maldet is a third-party application, so you may want to reach out to a system administrator for additional assistance if you don't receive additional user feedback on this thread:

    System Administration Services | cPanel Forums

    Thank you.
     
  4. DjordjeB

    DjordjeB Well-Known Member

    Joined:
    Nov 24, 2014
    Messages:
    58
    Likes Received:
    6
    Trophy Points:
    8
    Location:
    Macedonia
    cPanel Access Level:
    Root Administrator
    Hello, thank you for the answer. The session log shows only what is in the report; I checked it with "maldet -l".
    That folder doesn't exist because I have quarantine enabled, so the message is: No such file or directory.
    Any other suggestions?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    41,516
    Likes Received:
    1,616
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Does the file exist in the /usr/local/maldetect/quarantine directory? If so, you could view the file to verify its contents to see if it's legitimate. Note, if it's detecting "/usr/lib/systemd/system/ea-php56-php-fpm.service", here's how the contents of that file should look:

    Code:
    # cat /usr/lib/systemd/system/ea-php56-php-fpm.service
    [Unit]
    Description=The PHP FastCGI Process Manager
    After=syslog.target network.target network-online.target
    
    [Service]
    Type=notify
    PIDFile=/opt/cpanel/ea-php56/root/usr/var/run/php-fpm/php-fpm.pid
    EnvironmentFile=/opt/cpanel/ea-php56/root/etc/sysconfig/php-fpm
    ExecStart=/opt/cpanel/ea-php56/root/usr/sbin/php-fpm --nodaemonize
    ExecReload=/bin/kill -USR2 $MAINPID
    PrivateTmp=true
    
    [Install]
    WantedBy=multi-user.target
    Thank you.
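The triage suggested in post 2 (find which user wrote the file) and the reason the path looks the way it does in post 5 (the unit file sets PrivateTmp=true, so the service's /tmp is really /tmp/systemd-private-<boot id>-<unit name>-<random>/tmp on the host), as one added example that is not from this thread, from maldet or from cPanel. It is a POSIX shell script that takes the FILE HIT LIST line from the first post, splits it into signature, original path and quarantine path, decodes the PrivateTmp directory back to the unit name and the path the service itself saw, notes that a basename of "php" plus six random characters is the name PHP gives a temporary upload file, and reports owner and mtime from whichever copy still exists. The hit line is the one posted above; the function names and the GNU `stat -c` format are my assumptions.

```shell
#!/bin/sh
# Added example, not from this thread, maldet or cPanel: triage a maldet
# FILE HIT LIST line whose path lies under a systemd PrivateTmp directory.
# Constructed input: the hit line from the first post of this thread.
HIT='{HEX}php.malware.fopo.538 : /tmp/systemd-private-11cbc4cb89194d10b68f70c00007011e-ea-php56-php-fpm.service-St7D8B/tmp/phpYRhpBm => /usr/local/maldetect/quarantine/phpYRhpBm.706132374'

# A hit line is "<signature> : <path>", followed by " => <quarantine path>"
# when quarantine is enabled.
hit_signature()  { printf '%s\n' "$1" | sed 's/ : .*//'; }
hit_path()       { printf '%s\n' "$1" | sed 's/^[^ ]* : //; s/ => .*//'; }
hit_quarantine() { case "$1" in *' => '*) printf '%s\n' "${1##* => }";; *) echo;; esac; }

# PrivateTmp=true gives a unit its own /tmp, backed on the host by
# /tmp/systemd-private-<32 hex boot id>-<unit name>-<6 random chars>/tmp.
# Return the unit name, or nothing if the path is not such a directory.
private_tmp_unit() {
  printf '%s\n' "$1" |
    sed -n 's#^/tmp/systemd-private-[0-9a-f]\{32\}-\(.*\)-[A-Za-z0-9]\{6\}/.*#\1#p'
}
# The same file as the service itself sees it (what PHP actually wrote).
private_tmp_inner() { printf '%s\n' "$1" | sed -n 's#^/tmp/systemd-private-[^/]*##p'; }

# PHP names temporary upload files "php" plus six random characters.
is_php_upload_tmp() { case "${1##*/}" in php??????) return 0;; *) return 1;; esac; }

# Owner and mtime answer "which user uploaded this?". With quarantine on the
# original is already gone, so fall back to the copy maldet moved.
# Assumes GNU stat (Linux); the format string is my choice.
hit_owner() {
  hp=$(hit_path "$1"); hq=$(hit_quarantine "$1")
  if [ -e "$hp" ]; then stat -c '%U:%G %y' "$hp"
  elif [ -n "$hq" ] && [ -e "$hq" ]; then stat -c '%U:%G %y (quarantined copy)' "$hq"
  else echo gone; fi
}

# Live check: PHP temp files currently sitting in any private /tmp on the host,
# with owner, so the next hit can be attributed before maldet moves it.
list_private_tmp_uploads() { ls -l /tmp/systemd-private-*/tmp/php?????? 2>/dev/null || true; }

triage_hit() {
  hp=$(hit_path "$1")
  printf 'signature      : %s\n' "$(hit_signature "$1")"
  printf 'host path      : %s\n' "$hp"
  printf 'quarantined as : %s\n' "$(hit_quarantine "$1")"
  printf 'service unit   : %s\n' "$(private_tmp_unit "$hp")"
  printf 'path in service: %s\n' "$(private_tmp_inner "$hp")"
  if is_php_upload_tmp "$hp"; then echo 'name pattern   : PHP temporary upload file'; fi
  printf 'owner          : %s\n' "$(hit_owner "$1")"
}

triage_hit "$HIT"
```

Run it as root on the server with the hit line from the maldet report as HIT. The owner line is only informative while the original or the quarantined copy still exists, which is why `list_private_tmp_uploads` is there: running it when the next hit lands (or from cron between maldet scans) shows the pool user that wrote each php?????? file before it is moved.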
     
  6. DjordjeB

    DjordjeB Well-Known Member

    Joined:
    Nov 24, 2014
    Messages:
    58
    Likes Received:
    6
    Trophy Points:
    8
    Location:
    Macedonia
    cPanel Access Level:
    Root Administrator
    Actually no, in quarantine there are no files/folders like that. I will check next time (because it happens a couple of times a month) directly in quarantine and update this thread.
     