Random file on server

Discussion in 'Security' started by czerdrill, Dec 5, 2011.

  1. czerdrill

    czerdrill Well-Known Member

    Joined:
    Feb 18, 2011
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    Saw a random file on the server with a bunch of numbers as its extension, and the contents of the file seem to be some sort of log created by a script.

    Contains things like restart_syscall etc. Is this just an autogen file?
     
  2. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    Which is the name of the file?
     
  3. czerdrill

    It's called whyo.12528502571
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    What are some of the actual contents of the file? That is definitely not a normally named file.
     
  5. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    And where is (was) it located on the server?
     
  6. czerdrill

    Code:
    restart_syscall(<... resuming interrupted call ...>) = 0
    fcntl64(3, F_SETFL, O_RDWR)             = 0
    gettimeofday({1322086021, 860448}, NULL) = 0
    close(3)                                = 0
    open("error_log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 3
    time(NULL)                              = 1322086021
    time(NULL)                              = 1322086021
    write(3, "[23-Nov-2011 16:07:01] PHP Warni"..., 280) = 280
    close(3)                                = 0
    write(1, "<br />\n<b>Warning</b>:  include("..., 287) = 287

    It was located in the public_html folder. Nothing seems strange on the site itself, and the file was created a few weeks ago, but I just noticed it today.
     
  7. cPanelTristan

    It appears to be an strace of something. Here's an example of an strace file on my system:

    Code:
    14139 socket(PF_FILE, SOCK_STREAM, 0)   = 5
    14139 fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0
    14139 connect(5, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1 ENOENT (No such file or directory)
    14139 close(5)                          = 0
    14139 socket(PF_FILE, SOCK_STREAM, 0)   = 5
    14139 fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0
    14139 connect(5, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1 ENOENT (No such file or directory)

    These strace files can be called anything, but it would be weird if a user without root or SSH access of some sort was able to create an strace on their account. Was that account being investigated for some issue recently, or does the user have SSH access?
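
As an added example (not part of the thread and not cPanel code), a short Python triage helper that checks whether a file found in a web root is strace output, handling both line formats posted above (with and without the PID prefix), and lists the paths and errno values it records. The function name `triage`, the 0.8 threshold and the control log line are assumptions made for illustration.

```python
import re
from collections import Counter

# One strace record: optional PID prefix (as in the second sample), syscall
# name, argument list, " = <return>", optional errno name and explanation.
STRACE_LINE = re.compile(
    r"^\s*(?:(?P<pid>\d+)\s+)?(?P<call>[a-z_][a-z0-9_]*)\((?P<args>.*)\)"
    r"\s+=\s+(?P<ret>0x[0-9a-f]+|-?\d+|\?)(?:\s+(?P<err>E[A-Z]+)\b.*)?$"
)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
PATH_CALLS = {"open", "openat", "connect", "execve", "stat", "access"}

# Lines quoted from the two posts above.
THREAD_SAMPLE = r'''
restart_syscall(<... resuming interrupted call ...>) = 0
fcntl64(3, F_SETFL, O_RDWR)             = 0
open("error_log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 3
write(3, "[23-Nov-2011 16:07:01] PHP Warni"..., 280) = 280
close(3)                                = 0
14139 socket(PF_FILE, SOCK_STREAM, 0)   = 5
14139 connect(5, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1 ENOENT (No such file or directory)
'''

# Constructed control input: an ordinary web log line, not strace output.
NOT_STRACE = '203.0.113.7 - - [23/Nov/2011:16:07:01 +0000] "GET / HTTP/1.1" 200 512\n'

def triage(text, threshold=0.8):
    """Decide whether text is strace output and summarise what was traced."""
    lines = [l for l in text.splitlines() if l.strip()]
    calls, errors, paths, pids, hits = Counter(), Counter(), [], set(), 0
    for line in lines:
        m = STRACE_LINE.match(line)
        if not m:
            continue
        hits += 1
        calls[m["call"]] += 1
        if m["pid"]:
            pids.add(int(m["pid"]))
        if m["err"]:
            errors[m["err"]] += 1
        q = QUOTED.search(m["args"]) if m["call"] in PATH_CALLS else None
        if q:
            paths.append(q.group(1))
    ratio = hits / len(lines) if lines else 0.0
    return {"is_strace": ratio >= threshold, "ratio": ratio, "pids": pids,
            "syscalls": calls, "errors": errors, "paths": paths}

if __name__ == "__main__":
    print(triage(THREAD_SAMPLE))
    print(triage(NOT_STRACE))
```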
     
  8. czerdrill

    Yes, the user has SSH access. When I examined the file, that's why I thought it was just some autogen or system generated file, as it didn't look malicious and looked more like a log or something. They run different scripts on their server, so I assumed it was some output from an interrupted script or something. Am I right in that assumption? It's a big file, but most of it looks like that and nothing appears bizarre in the contents; I just noticed it because it appeared there randomly.
     
  9. cPanelTristan

    An strace file is used to trace the system calls to understand why a script or command is failing to work. It's a developer's tool and would not be used maliciously in any way. We have a presentation on using strace from our cPanel conference approximately 2 years ago if you'd like to learn more about strace:

    Advanced cPanel Troubleshooting with Strace | cPanel Video Site
     
  10. czerdrill

    Great, thanks!
     