The Community Forums


Suspicious File Alert: Tracking where the file has come from

Discussion in 'Security' started by Legin76, Jul 22, 2013.

  1. Legin76

    Legin76 Well-Known Member

    Joined:
    Dec 11, 2007
    Messages:
    151
    Likes Received:
    1
    Trophy Points:
    18
    Hi

    I've been getting a few Suspicious File Alert alerts lately from lfd. There have been two files involved: bing.php a couple of times and config.php once. I'm pretty sure a site on my server has been compromised but don't know how to track down where it has come from.

    The details are below. I have deleted the file, but next time how do I find the user it came from and which site has been hacked?

    Time: Mon Jul 22 07:36:15 2013 +0100
    File: /tmp/config.php
    Reason: Script, file extension
    Owner: nobody:nobody (99:99)
    Action: No action taken

    This server has DSO and suEXEC turned on but does not have Ruid2 turned on.
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    As the files have nobody ownership, it is hard to investigate who uploaded this file. But for security I would suggest you keep your tmp secured with noexec,nosuid; also please check if there are phpshell scripts present on your server which can upload such files.

    Further, I would suggest you use mod_security on your server instead of ruid2.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Have you considered using suPHP as your PHP handler instead of DSO? You can find more information on suPHP and some of the considerations when using it at:

    cPanel - PHP Request Handling

    Thank you.
     
  4. Legin76

    Legin76 Well-Known Member

    Joined:
    Dec 11, 2007
    Messages:
    151
    Likes Received:
    1
    Trophy Points:
    18
    Thanks guys.

    We do have mod_security with ConfigServer ModSecurity Control set up. I'm sure there were a couple of sites with whitelists on a few rules as it was being a bit aggressive, but there doesn't appear to be a way for me to list sites with reduced restrictions or that have it turned off.

    The tmp directory is set as follows: /dev/sda6 on /tmp type ext3 (rw,noexec,nosuid)

    I've avoided suPHP as I gather that it's quite a bit slower and to be honest the server is already near capacity.

    Is there a way in DSO without ruid2 or suPHP that I can force user IDs on the file uploads? I've got ruid2 on our newest server but that's only got a couple of sites on it so far.

    I've gone through all the sites that I think are most at risk and done a virus scan on them (Joomla or WordPress etc.) but can see nothing that so far appears to be an issue.
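
    24x7server's advice above is to keep /tmp mounted with noexec and nosuid, and the mount line quoted in this post shows how to read that off the system. The Python snippet below is an added example, not code from the thread or from cPanel/CSF: it parses /proc/mounts-format lines and reports which of the hardening options (noexec, nosuid, plus nodev, which is normally set alongside them) are missing for a given mount point. The sample mount table is constructed, modelled on the line quoted above.

```python
import pathlib

# Options a hardened /tmp mount is expected to carry. noexec and nosuid are the
# ones recommended in the thread; nodev is the usual third member of the set.
REQUIRED = ("noexec", "nosuid", "nodev")


def mount_options(mounts_text, mountpoint="/tmp"):
    """Return the option set for `mountpoint` from /proc/mounts-style text,
    or None when the path is not a mount point of its own (so it inherits
    whatever the parent filesystem allows).

    /proc/mounts lines look like:
    <device> <mountpoint> <fstype> <opt1,opt2,...> <dump> <pass>
    """
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return set(fields[3].split(","))
    return None


def missing_hardening(mounts_text, mountpoint="/tmp", required=REQUIRED):
    """Return the set of required options that are not present on the mount."""
    opts = mount_options(mounts_text, mountpoint)
    if opts is None:
        # Not a separate filesystem: none of the restrictions apply, so all are missing.
        return set(required)
    return {opt for opt in required if opt not in opts}


# Constructed sample, modelled on the "/dev/sda6 on /tmp type ext3 (rw,noexec,nosuid)"
# line quoted in the thread. Real data comes from /proc/mounts.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda6 /tmp ext3 rw,noexec,nosuid 0 0
"""


if __name__ == "__main__":
    mounts = pathlib.Path("/proc/mounts")
    text = mounts.read_text() if mounts.exists() else SAMPLE_MOUNTS
    for mp in ("/tmp", "/var/tmp", "/dev/shm"):
        gap = missing_hardening(text, mp)
        print(f"{mp}: {'ok' if not gap else 'missing ' + ','.join(sorted(gap))}")
```

    On the sample table the check reports /tmp as missing only nodev. Note what noexec does and does not buy you: it stops a dropped Linux binary from being executed directly from /tmp, but it does nothing to prevent a web script from writing files there, which is why lfd keeps finding PHP files in a /tmp that is already noexec,nosuid.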
     
  5. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    It might be worth using the file's created time to check against the domlogs for suspicious requests? Depending on how often lfd is set to scan tmp/generate alerts (I think the default is 300 seconds) the alert may not be bang on for the timestamp you need to be looking for.

    While it's a bit impractical for every plugin / component it might at least be worth scanning through for outdated wordpress / joomla etc installs and suspending any that are out of date.
     
  6. ShmellyCat

    ShmellyCat Registered

    Joined:
    Jan 15, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    I'm kind of a newbie at this, and don't yet understand dso and suEXEC and ruid2.

    I have also received a suspicious file alert from a file in the temp folder.

    Time: Fri Jan 17 03:06:16 2014 -0500
    File: /tmp/zvOmDhmG
    Reason: Linux Binary
    Owner: bestweit:bestweit (744:743)
    Action: No action taken

    I was hoping I could delete the suspicious file. The thing is, I don't even see it. If I go into cPanel > File Manager and access the .tmp folder, there is nothing there but the folders for awstats, etc. Nothing that remotely starts with "zvOmDhmG". I've selected 'show hidden files' but I still didn't find it.

    Any idea how I could locate this file?
     
  7. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    It's very likely it was uploaded, tried, and then deleted again to prevent any sort of after-the-fact forensics being done on the file. I'd take a look at the web log for the bestweit account at around this time and see what scripts were being accessed.

    EDIT: Ah, bear in mind that you won't be able to see this file within the account's cPanel File Manager in any case; the report is referencing the server's /tmp/ folder, which you'd need to access via SSH on a root shell or via WHM with an appropriate file management plugin if you have one installed.
     
    #7 ThinIce, Jan 17, 2014
    Last edited: Jan 17, 2014
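
    ThinIce's suggestion in post 5 (check the domlogs around the file's creation time, allowing for the lfd scan interval) and in post 7 (look at the bestweit account's web log around the alert time) come down to the same check. The Python script below is an added example, not code from the thread or from cPanel/CSF: it parses Apache combined-format lines, which is the format cPanel writes to its per-domain logs, and lists the requests that fall in a window before the alert timestamp, ranking POSTs to PHP scripts first because that is how an uploaded file most often gets written. The log lines and IP addresses are constructed samples; the 300-second look-back matches the default lfd scan interval mentioned in post 5.

```python
import re
import sys
from datetime import datetime, timedelta

# Apache "combined" log line (cPanel domlogs use this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_alert_time(text):
    """Parse the Time: line of an lfd alert, e.g. 'Fri Jan 17 03:06:16 2014 -0500'."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y %z")


def parse_log_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def requests_near(lines, alert_time, before=300, after=60):
    """Return parsed requests with timestamps in [alert_time - before, alert_time + after].

    `before` defaults to 300 s because lfd only scans /tmp periodically, so the
    upload may predate the alert by up to one scan interval. Results are ordered
    most suspicious first: POST to a .php path, then any .php request, then the rest.
    """
    lo = alert_time - timedelta(seconds=before)
    hi = alert_time + timedelta(seconds=after)
    hits = [r for r in (parse_log_line(l) for l in lines) if r and lo <= r["when"] <= hi]

    def rank(r):
        score = 0
        if r["method"] == "POST":
            score += 2
        if r["path"].split("?", 1)[0].endswith(".php"):
            score += 1
        return (-score, r["when"])

    return sorted(hits, key=rank)


# Constructed sample domlog (the IPs are documentation ranges, not real clients).
SAMPLE_DOMLOG = """\
203.0.113.7 - - [17/Jan/2014:02:50:01 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2014:03:04:58 -0500] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jan/2014:03:05:10 -0500] "GET /images/logo.png HTTP/1.1" 200 8842 "http://example.invalid/" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2014:03:05:12 -0500] "GET /wp-content/uploads/cache.php?a=1 HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jan/2014:03:20:00 -0500] "GET /about/ HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""


if __name__ == "__main__":
    # Usage: python3 domlog_window.py "<lfd Time line>" [/usr/local/apache/domlogs/<domain>]
    alert = parse_alert_time(sys.argv[1] if len(sys.argv) > 1 else "Fri Jan 17 03:06:16 2014 -0500")
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_DOMLOG.splitlines()
    for r in requests_near(lines, alert):
        print(f"{r['when'].isoformat()} {r['ip']:15} {r['method']:4} {r['status']} {r['path']}")
```

    Run against the sample with the alert time from post 6, the POST to cache.php under an uploads directory comes out on top, followed by the GET of the same script a few seconds later; a PHP file sitting under a directory that should only hold static uploads is the thing to go and inspect. On a real server the domlog for each of the account's domains would be passed in turn, and the Owner line of the alert tells you which account's domlogs to start with.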