The Community Forums

Interact with an entire community of cPanel & WHM users!

Possible root compromise detected, failed to create /dev/null:

Discussion in 'Security' started by digitalmahdi, Nov 29, 2012.

  1. digitalmahdi

    digitalmahdi Member

    Joined:
    Jan 31, 2009
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello There
    I just received an email from my cPanel that said:

    Attempts to create new directories or files whose filenames begin with numbers have failed.
    This is indicative of a root compromise of the server.

    The exact error encountered was:

    Failed to create directory /dev/null: No such file or directory


    How can I track it?
    tQ
     
  2. Aldweb

    Aldweb Well-Known Member

    Joined:
    Feb 18, 2004
    Messages:
    66
    Likes Received:
    0
    Trophy Points:
    6
    Re: [hackcheck] Possible root compromise detected, failed to create /dev/nu

    I received this email also
     
  3. JeffP.

    JeffP. Well-Known Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    10
    Trophy Points:
    18
    Re: [hackcheck] Possible root compromise detected, failed to create /dev/nu

    Hi,

    Does /dev/null exist on your server, and are you able to create files or directories that begin with a number?

    There was a rootkit from a few years ago that could be easily found, as it had the effect of not allowing files and directories that started with a number to be created. It sounds like the issue with your servers is more likely that there is an issue with /dev/null.
     
  4. clinch

    clinch Member

    Joined:
    Mar 4, 2005
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Re: [hackcheck] Possible root compromise detected, failed to create /dev/nu

    I just received this exact error as well. /dev/null exists.

    # ls -l /dev/null
    crw-rw-rw- 1 root root 1, 3 Aug 28 2012 /dev/null


    And I'm able to create directories that begin with numbers (and contain only numbers as well).

    Any more suggestions as to what would be causing this?
     
  5. rajinnasik

    rajinnasik Member

    Joined:
    Nov 14, 2007
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    I am having the same issue. Please advise.
     
  6. Aldweb

    Aldweb Well-Known Member

    Joined:
    Feb 18, 2004
    Messages:
    66
    Likes Received:
    0
    Trophy Points:
    6
    I am having the same issue.

    Attempts to create new directories or files whose filenames begin with numbers have failed.
    This is indicative of a root compromise of the server.

    The exact error encountered was:

    Failed to create directory /dev/null: No such file or directory

    But directory /dev/null exists.

    Please advise.

    Thanks
     
  7. cheapweb

    cheapweb Member

    Joined:
    Apr 24, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Montreal
    Try checking if your /tmp isn't full, not with df, but with touch /tmp/xxx.tmp

    In some cases, you may have 2GB left, but still can't create a file. It happens when you have Nginx Admin - cPanel nginx automated installer Plugin installed.

    In that case, do the quick and dirty fix:

    #- Delete some files from
    tmpwatch -c 48 /tmp/nginx_client

    #- Create your new destination
    mkdir /var/nginx_client
    chown nobody /var/nginx_client
    chmod 700 /var/nginx_client

    #- Move nginx_client
    mv /tmp/nginx_client /tmp/nginx_client-not
    ln -s /var/nginx_client /tmp/nginx_client
    service nginx restart

    #- Try accessing one of your sites

    #- You should see stuff in there now
    ls -al /var/nginx_client/

    #- Now, you can delete the rest of the file
    rm -rf /tmp/nginx_client-not

    Hope this helps.
     
  8. syndicated

    syndicated Member

    Joined:
    Jun 1, 2010
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Thanks, is this the latest fix, as it just happened to me today and this seems to fix it?
     
  9. es2alna

    es2alna Well-Known Member

    Joined:
    Mar 30, 2014
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    cheapweb's fix can be done today, as nginx_client fills up /tmp; you can add this cron to empty it:
    Code:
    0 */1 * * * /usr/sbin/tmpwatch -am 1 /tmp/nginx_client
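
Added example, not part of any post above and not cPanel's hackcheck code: a shell sketch that runs the checks raised in this thread (JeffP.'s two questions about /dev/null and digit-leading names, and cheapweb's create-a-file probe on /tmp). The function names are hypothetical and the device check assumes GNU stat.

```shell
#!/bin/sh
# Triage sketch for the hackcheck alert discussed in this thread.
# Function names are hypothetical; this is not cPanel's own code.

# Return 0 if $1 is a character device with major 1, minor 3,
# matching the "crw-rw-rw- ... 1, 3" listing posted in the thread.
is_null_device() {
    [ -c "$1" ] || return 1
    # GNU stat: %t and %T print the device major and minor in hex.
    [ "$(stat -c '%t:%T' "$1")" = "1:3" ]
}

# Return 0 if a file and a directory whose names begin with a digit
# can both be created under directory $1. Errors from touch/mkdir are
# left on stderr so the real reason (e.g. no space) is visible.
can_create_numeric() {
    probe_file="$1/1hc_probe_$$"
    probe_dir="$1/2hc_probe_$$"
    rc=0
    touch "$probe_file" || rc=1
    mkdir "$probe_dir" || rc=1
    rm -f "$probe_file"
    rmdir "$probe_dir" 2>/dev/null
    return "$rc"
}

# Run both checks and return the number of failed checks.
triage() {
    tmpdir=${1:-/tmp}
    fails=0
    if is_null_device /dev/null; then
        echo "ok   /dev/null is character device 1,3"
    else
        echo "FAIL /dev/null is missing or not the expected device"
        fails=$((fails + 1))
    fi
    if can_create_numeric "$tmpdir"; then
        echo "ok   digit-leading file and directory created in $tmpdir"
    else
        echo "FAIL cannot create digit-leading names in $tmpdir; check whether it is full"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Only runs when invoked as: sh script.sh --run [dir]
if [ "${1:-}" = "--run" ]; then triage "${2:-/tmp}"; fi
```

If /dev/null passes but the create probe fails only in /tmp, that matches the full-/tmp case cheapweb describes rather than a damaged /dev/null.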
     