The Community Forums


Suspicious directory

Discussion in 'General Discussion' started by chad101, Apr 21, 2007.

  1. chad101

    chad101 Active Member

    Joined:
    Jun 17, 2006
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    ConfigServer sent me a notice about a suspicious directory, below is the email notice

    Time: Fri Apr 20 14:34:13 2007
    File: /tmp/...
    Reason: Suspicious directory
    Owner: nobody:nobody
    Action: No action taken

    After reviewing the /temp directory I found hundreds of “dos-###.###.###.###” files.
    dos-12.144.227.180
    dos-122.168.72.110
    dos-128.194.21.188
    dos-64.193.216.68

    Is my server compromised with some kind of botnet?
     
  2. big_bull

    big_bull Well-Known Member

    Joined:
    Nov 19, 2006
    Messages:
    150
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    hey

    is it /tmp or /temp
     
  3. chad101

    chad101 Active Member

    Joined:
    Jun 17, 2006
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Sorry, typo; it is /tmp.
     
  4. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Sure looks to me like a compromise, someone's using your box to ddos others. You need to get it cleaned up. :(

    Might want to start grepping your logs and see if you can find where, how and when they got in... GL
     
  5. pross

    pross Well-Known Member

    Joined:
    Mar 14, 2005
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    those files are used by mod_dosevasive
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,476
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Yep. And can be searched for on these forums. There's also some threads about securing your tmp.
     
  7. chad101

    chad101 Active Member

    Joined:
    Jun 17, 2006
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Thank you, I did some searches before posting (never tried the “dos-+tmp” search string, sorry).

    Thank you for the help :)
     
  8. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Don't think so, as the only thing dos evasive should have in tmp is the lockfile I believe. And as Chirpy points out - not when they're in "..." - that's something someone is trying to hide from you through relative obscurity.
     
    #8 mctDarren, Apr 24, 2007
    Last edited: Apr 24, 2007
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If those files are within /tmp/.../ then they're not for mod_evasive (only if they're in the top level of /tmp would they most likely be for mod_evasive). Since /tmp/.../ has likely been generated by an exploit uploaded onto the server, as serversphere has said, it's going to be a PHP web script that has been compromised. You need to investigate both the contents of that directory and how it was created.
     
    #9 chirpy, Apr 24, 2007
    Last edited: Apr 24, 2007
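The distinction the thread draws (pross: dos-<ip> files are mod_evasive lock files; chirpy and mctDarren: only when they sit at the top level of /tmp, not inside a dots-only directory such as /tmp/...) can be checked with a small script. The one below is an added example, not code from the thread or from cPanel or mod_evasive; it takes the directory to inspect as a parameter and includes a constructed sample tree so it can be tried without touching a live /tmp. Function names and the sample IP addresses are the author's own.

```shell
#!/bin/sh
# Added example, not code from the thread: classify "dos-<ip>" files under a
# temp directory. mod_evasive writes its per-client lock files at the top level
# of its log directory (commonly /tmp); the same file names inside a directory
# such as /tmp/... are what the thread treats as a sign of compromise.
# The directory to inspect is a parameter so the functions can run on the
# constructed sample tree from build_sample_tree instead of the live /tmp.

# Print top-level dos-* files: these are what mod_evasive would create itself.
list_expected_lockfiles() {
    find "$1" -maxdepth 1 -type f -name 'dos-*' | sort
}

# Print immediate subdirectories whose name is made only of dots ("...", "....").
# find never returns "." or ".." here because of -mindepth 1.
list_dot_only_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*' | grep -E '/\.+$' | sort
}

# Count dos-* files that live inside a dot-only directory (at any depth).
count_hidden_dos_files() {
    n=0
    for d in $(list_dot_only_dirs "$1"); do
        c=$(find "$d" -type f -name 'dos-*' | wc -l | tr -d ' ')
        n=$((n + c))
    done
    echo "$n"
}

# Human-readable report: owner and mtime of each dot-only directory and of the
# dos-* files inside it, which is the starting point for working out what
# process created them and when.
report_hidden_dos_files() {
    for d in $(list_dot_only_dirs "$1"); do
        echo "suspicious directory: $d"
        ls -ld "$d"
        find "$d" -type f -name 'dos-*' -exec ls -l {} \;
    done
}

# Build a constructed sample tree mirroring the thread: one expected lock file
# at the top level and a few inside a "..." directory. Prints the tree's path.
build_sample_tree() {
    t=$(mktemp -d)
    : > "$t/dos-203.0.113.5"
    mkdir "$t/..."
    for ip in 203.0.113.10 203.0.113.11 198.51.100.7; do
        : > "$t/.../dos-$ip"
    done
    echo "$t"
}

# Usage on a live system (run as root, read-only):
#   report_hidden_dos_files /tmp
```

On a clean server `count_hidden_dos_files /tmp` prints 0 and `list_expected_lockfiles /tmp` shows only files owned by the web server user; anything reported by `report_hidden_dos_files` deserves the investigation chirpy describes, starting with the directory's mtime and the web server access logs around that time.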