The Community Forums

Interact with an entire community of cPanel & WHM users!

Question about a file in /tmp

Discussion in 'General Discussion' started by FourMat, Nov 27, 2007.

  1. FourMat

    Hi Guys,

    I've been monitoring the contents of the /tmp directory for any signs of illicit activity and I've noticed that there is a file that's always there called ips1.txt.

    -rw-r--r-- 1 nobody nobody 198 Nov 24 15:32 ips1.txt

    It contains the ip addresses registered to the server. I was wondering if someone might be able to tell me if this is a cPanel function that puts it there or if it is something I need to be worried about.

    Thanks.
     
  2. Amit Deshmukh

    Hi

    Try Changing :-

    #!/usr/bin/perl
    # CGI script: append the visitor's IP address to ips1.txt

    print "content-type:text/html\n\n";

    open(OUTF,">>/home/username/public_html/ips1.txt") or die("Couldn't open http://kb2.net/ips.txt for writing: $!");
    print OUTF "$ENV{'REMOTE_ADDR'}";
    close(OUTF);

    ============================

    #!/usr/bin/perl
    # CGI script: print the contents of ips1.txt

    print "content-type:text/html\n\n";

    open(INF,"/home/username/public_html/ips1.txt") or die("Couldn't open ips1.txt for reading: $!");
    while(<INF>) {
        print;
    }
    close(INF);

    ===============================

    This should work.....
    Regards,
    Amit
     
  3. technix

    Hello Amit,

    Can you please be more descriptive about this script?

    Thank you.
     
  4. FourMat

    I appreciate the response, but I'm not sure I understand what that script is supposed to do, what filename it is or where to find it. Or what the ips1.txt file is supposed to be or do.
     
  5. ttremain


    Why should they want to do this, if the file shouldn't even be in /tmp in the first place?
     
  6. FourMat

    I guess that is what I am trying to determine: should it be in /tmp at all? Is this a file used by cPanel, or some other standard program? Has anyone else seen it there, or is it a file from an unidentified rogue script?

    Is there any way to back trace to see what created the file?
     
    #6 FourMat, Dec 3, 2007
    Last edited: Dec 3, 2007
  7. ttremain

    It should not be there.
     
  8. FourMat

    You're right. I did a

    chmod 0 ips.txt

    then watched what happened in the folder for a few days. A file called prende.txt showed up today with a bunch of scripting that pointed back to a quake game server. It contained the code to create the ips.txt file. I quickly chmod 0 prende.txt and did a netstat and an lsof for the httpd processes that were taking all of the resources and had been active for the longest time.

    Then through a search for other information on this forum I ran across the mod_security configuration file provided by HostMerit and implemented that after:

    kill-9 perl; kill-9 httpd

    Then restarted Apache. I'm now waiting to see if the mod_security rules implemented here will prevent the exploits.
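
Added example (not part of any post in this thread, and not cPanel tooling): a small shell triage for the situation described above, listing files one account has dropped in a temp directory, which other dropped files mention them by name (as prende.txt did for the IP list), and which processes hold them open. The function names and the TRIAGE_DIR / WEB_USER variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: triage files dropped in a temp directory by one account.
# Assumptions: directory and owner are passed in; the thread's values would be
# /tmp and nobody. Paths containing newlines are not handled.

# Regular files directly under DIR ($1) owned by USER ($2, name or numeric uid).
owned_files() {
    find "$1" -maxdepth 1 -type f -user "$2" 2>/dev/null | sort
}

# Other files under DIR ($1) whose contents mention NAME ($2), e.g. a dropped
# script that writes the file you first noticed.
find_references() {
    find "$1" -maxdepth 1 -type f ! -name "$2" \
        -exec grep -lF -- "$2" {} + 2>/dev/null | sort
}

# Processes that currently hold FILE ($1) open, if lsof is installed.
open_by() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not installed" >&2; return 2; }
    lsof -- "$1" 2>/dev/null
}

# Report for every file owned by USER ($2) in DIR ($1); needs root to read
# files that belong to other accounts or have mode 0.
triage() {
    owned_files "$1" "$2" | while IFS= read -r f; do
        echo "== $f"
        ls -l -- "$f"
        echo "-- referenced by:"
        find_references "$1" "$(basename -- "$f")"
        echo "-- open by:"
        open_by "$f" || echo "(none reported)"
    done
}

# Runs only when a directory is given, e.g.:
#   TRIAGE_DIR=/tmp WEB_USER=nobody sh triage.sh
if [ -n "${TRIAGE_DIR:-}" ]; then
    triage "$TRIAGE_DIR" "${WEB_USER:-nobody}"
fi
```

The owner only identifies the account that wrote the file; each file's timestamp from `ls -l` gives the time window to search in the web server's access log for the request that created it.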
     