The Community Forums


shtool in /tmp Normal??

Discussion in 'General Discussion' started by GrAfiX, Jul 20, 2005.

  1. GrAfiX

    GrAfiX Member

    Joined:
    Oct 20, 2002
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    0
    I did a search for shtool here and found not one thing.

    My server was compromised with some kiddie scripts a few weeks ago, so I've locked down the server and am monitoring everything very closely. However, I just noticed a ton of .shtool files in my /tmp directory. As far as I can tell the tool is used by cPanel, but I haven't been in WHM in quite some time.

    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23149
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23175
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23201
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23227
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23253
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23279
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23305
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23331
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23357
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23383
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23409
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23435
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23461
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23487
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23513
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23539
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23565
    -rw------- 1 root root 0 Jul 12 14:14 .shtool.23591
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4322
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4348
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4374
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4400
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4426
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4452
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4478
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4504
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4530
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4556
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4582
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4608
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4634
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4660
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4686
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4712
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4738
    -rw------- 1 root root 0 Jul 12 14:17 .shtool.4764

    Should I be worried? Or maybe this is cPanel doing stuff???
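A quick triage of a listing like the one above, as an added example (not from this thread or from cPanel). GNU shtool names its scratch files `.shtool.<pid>` under `$TMPDIR`, which matches the suffixes here; the script reads `ls -l` output and flags any `.shtool.*` entry that departs from the profile the post shows (zero bytes, owned by root, mode 0600). LISTING is constructed from the post plus one made-up odd entry for contrast; on a live box pipe `ls -la /tmp` in instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage .shtool.<pid> leftovers
# in an `ls -l` listing of /tmp. LISTING is constructed sample data: the
# first three lines mirror the post, .shtool.9999 is a made-up odd entry.
LISTING='-rw------- 1 root root 0 Jul 12 14:14 .shtool.23149
-rw------- 1 root root 0 Jul 12 14:14 .shtool.23175
-rw------- 1 root root 0 Jul 12 14:17 .shtool.4322
-rwxr-xr-x 1 nobody nobody 1432 Jul 12 14:17 .shtool.9999
-rw-r--r-- 1 root root 24 Jul 12 14:17 sess_abcdef'

# triage_shtool "<ls -l text>"
# Prints "SUSPECT <name> size=... owner=... mode=..." for every .shtool.*
# entry that is not zero bytes, root-owned and mode -rw-------, then a
# final "TOTAL <n> BENIGN <m>" summary line. Other files are ignored.
triage_shtool() {
    printf '%s\n' "$1" | awk '
        # ls -l fields: 1=mode 3=owner 5=size 9=name
        $9 ~ /^\.shtool\.[0-9]+$/ {
            total++
            if ($5 != 0 || $3 != "root" || $1 != "-rw-------")
                printf "SUSPECT %s size=%s owner=%s mode=%s\n", $9, $5, $3, $1
            else
                benign++
        }
        END { printf "TOTAL %d BENIGN %d\n", total, benign }'
}

# Stand-alone run on the constructed listing; on a real host use:
#   triage_shtool "$(ls -la /tmp)"
triage_shtool "$LISTING"
```

Anything reported as SUSPECT deserves `file` and `stat` rather than an editor: a non-empty or non-root `.shtool.*` is not what a build tool leaves behind, while a long run of empty root-owned ones with climbing PIDs is the boring case.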
     
  2. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    I had a punk-ass kid squirt a folder in tmp called / and it fooled my butt for a few minutes also. Saw the same thing... but I'm 70% sure those are cPanel stuff 'cause I see it in a couple boxes now.
     
  3. RavenSoul_

    RavenSoul_ Well-Known Member

    Joined:
    Nov 2, 2004
    Messages:
    95
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Belgium
    Hmm, strange that they are owned by root. You were compromised, you said?

    Try nanoing the file and see what the output gives.

    Code:
    nano .shtool.4764
     
  4. GrAfiX

    GrAfiX Member

    Joined:
    Oct 20, 2002
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    0
    They are all 0 bytes so contain nothing.

    Well, just some spammer scripts were in a ... directory. I've run 3 different rootkits and they all come up clean. They used an exploit in vBulletin to get it there in the first place, and the logs came up with no known worms or anything like that. I've been monitoring the server with detailed LogWatch and there have been no logins, period, except mine in the past week or two.
     
  5. GrAfiX

    GrAfiX Member

    Joined:
    Oct 20, 2002
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    0
    A search for the tool seems to come up in all the right places... not in any obscure directories or anything.

    /home/cpapachebuild/buildapache/php-5.0.4/build/shtool
    /usr/local/cpanel/src/3rdparty/gpl/rrdtool-1.0.48/contrib/php4/build/shtool
    /usr/local/cpanel/base/horde/kronolith/po/shtool
    /usr/local/cpanel/base/horde/turba/po/shtool
    /usr/local/cpanel/base/horde/imp/po/shtool
    /usr/local/cpanel/base/horde/po/shtool
    /usr/local/cpanel/base/horde/mnemo/po/shtool
    /usr/local/cpanel/base/horde/nag/po/shtool
    /usr/local/cpanel/3rdparty/lib/php/build/shtool
    /usr/local/cpanel/3rdparty/lib/php/php/build/shtool
    /usr/local/lib/php/build/shtool
    /usr/lib/php/build/shtool

    We do have one user that sends tons of mail through Horde and uses nothing else for mail. Maybe this is it.
     
  6. RavenSoul_

    RavenSoul_ Well-Known Member

    Joined:
    Nov 2, 2004
    Messages:
    95
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Belgium
  7. GrAfiX

    GrAfiX Member

    Joined:
    Oct 20, 2002
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    0
    Yeah, /tmp, /var/tmp and /dev/shm are all noexec, and there were no other .pl, .php, or .txt files in there, just PHP sessions, MySQL and a couple other normal files.
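A check for the mount hardening this reply relies on, as an added example (not from this thread or from cPanel): it reads `/proc/mounts`-style lines and reports whether each of `/tmp`, `/var/tmp` and `/dev/shm` carries `noexec`. MOUNTS is constructed sample data with one directory deliberately left without the option; on a live box read `/proc/mounts` instead. A directory that is not its own mount point inherits the options of the filesystem it sits on, so a "not-a-mountpoint" result still needs a look at the parent.

```shell
#!/bin/sh
# Added example, not code from the thread. Report noexec status for the
# temp directories named in the post. MOUNTS is constructed sample
# /proc/mounts content (fields: device mountpoint fstype options dump pass).
MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs rw,nosuid 0 0'

# check_noexec "<mounts text>" DIR...
# For each DIR prints one of:
#   "DIR noexec"            mounted with the noexec option
#   "DIR EXEC"              mounted, but executables are allowed
#   "DIR not-a-mountpoint"  no mount entry; inherits the parent fs options
check_noexec() {
    mounts=$1
    shift
    for dir in "$@"; do
        # Take the options of the last matching entry (later mounts shadow earlier ones).
        opts=$(printf '%s\n' "$mounts" | awk -v d="$dir" '$2 == d { o = $4 } END { print o }')
        if [ -z "$opts" ]; then
            echo "$dir not-a-mountpoint"
        else
            # Wrap in commas so "noexec" matches only as a whole option.
            case ",$opts," in
                *,noexec,*) echo "$dir noexec" ;;
                *)          echo "$dir EXEC" ;;
            esac
        fi
    done
}

# Stand-alone run on the constructed data; on a real host use:
#   check_noexec "$(cat /proc/mounts)" /tmp /var/tmp /dev/shm
check_noexec "$MOUNTS" /tmp /var/tmp /dev/shm
```

noexec blocks direct execution of binaries dropped into these directories but not a script handed to an interpreter that lives elsewhere, so treat the check as confirming one layer, not as proof that nothing in /tmp can run.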
     
  8. quadrahost

    quadrahost Active Member

    Joined:
    Jul 17, 2003
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    I just picked up a new cPanel box from EV1 and the same files were in tmp. I removed them and all seems fine.
     