
Suspicious File Alert: Tracking where the file has come from

Discussion in 'Security' started by Legin76, Jul 22, 2013.

  1. Legin76

    Legin76 Well-Known Member

    Joined:
    Dec 11, 2007
    Messages:
    172
    Likes Received:
    2
    Trophy Points:
    68
    Hi

    I've been getting a few Suspicious File Alert alerts lately from lfd. There have been two files involved: bing.php a couple of times and config.php once. I'm pretty sure a site on my server has been compromised but don't know how to track down where it has come from.

    The details are below. I have deleted the file, but next time how do I find the user it came from and which site has been hacked?

    Time: Mon Jul 22 07:36:15 2013 +0100
    File: /tmp/config.php
    Reason: Script, file extension
    Owner: nobody:nobody (99:99)
    Action: No action taken

    This server has DSO and suEXEC turned on but does not have Ruid2 turned on.
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,834
    Likes Received:
    85
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    As the files have nobody ownership, it is hard to investigate who has uploaded this file. But for security I would suggest you keep your tmp secured with noexec, nosuid; also please check if there are phpshell scripts present on your server which can upload such files.

    Further, I would suggest you use mod_security on your server instead of ruid2.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,344
    Likes Received:
    1,854
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    Have you considered using suPHP as your PHP handler instead of DSO? You can find more information on suPHP and some of the considerations when using it at:

    cPanel - PHP Request Handling

    Thank you.
     
  4. Legin76

    Legin76 Well-Known Member

    Joined:
    Dec 11, 2007
    Messages:
    172
    Likes Received:
    2
    Trophy Points:
    68
    Thanks guys.

    We do have mod_security with ConfigServer ModSecurity Control set up. I'm sure there were a couple of sites with whitelists on a few rules as it was being a bit aggressive, but there doesn't appear to be a way for me to list sites with reduced restrictions or that have it turned off.

    The tmp directory is set as follows: /dev/sda6 on /tmp type ext3 (rw,noexec,nosuid)

    I've avoided suPHP as I gather that it's quite a bit slower and to be honest the server is already near capacity.

    Is there a way in DSO without ruid2 or suPHP that I can force user IDs on the file uploads? I've got ruid2 on our newest server but that's only got a couple of sites on it so far.

    I've gone through all the sites that I think are most at risk and done a virus scan on them (Joomla or WordPress etc.) but can see nothing that so far appears to be an issue.
     
  5. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    352
    Likes Received:
    7
    Trophy Points:
    168
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    It might be worth using the file's created time to check against the domlogs for suspicious requests? Depending on how often lfd is set to scan tmp/generate alerts (I think the default is 300 seconds) the alert may not be bang on for the timestamp you need to be looking for.

    While it's a bit impractical for every plugin / component, it might at least be worth scanning through for outdated WordPress / Joomla etc. installs and suspending any that are out of date.
     
  6. ShmellyCat

    ShmellyCat Registered

    Joined:
    Jan 15, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    I'm kind of a newbie at this, and don't yet understand dso and suEXEC and ruid2.

    I have also received a suspicious file alert from a file in the temp folder.

    Time: Fri Jan 17 03:06:16 2014 -0500
    File: /tmp/zvOmDhmG
    Reason: Linux Binary
    Owner: bestweit:bestweit (744:743)
    Action: No action taken

    I was hoping I could delete the suspicious file. The thing is, I don't even see it. If I go into cPanel > File Manager and access the .tmp folder, there is nothing there but the folders for awstats, etc. Nothing that remotely starts with "zvOmDhmG". I've selected 'show hidden files' but I still didn't find it.

    Any idea how I could locate this file?
     
  7. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    352
    Likes Received:
    7
    Trophy Points:
    168
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    It's very likely it was uploaded, tried, and then deleted again to prevent any sort of after the fact forensics being done on the file. I'd take a look at the web log for the bestweit account at around this time and see what scripts were being accessed.

    EDIT: Ah - bear in mind that you won't be able to see this file within the account's cPanel File Manager in any case. The report is referencing the server's /tmp/ folder, which you'd need to access via SSH on a root shell or via WHM with an appropriate file management plugin, if you have one installed.
     
    #7 ThinIce, Jan 17, 2014
    Last edited: Jan 17, 2014
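    The approach suggested in posts #5 and #7 (line the alert time up against the domlogs and look at what was being requested) as an added example; this is not code from the thread, cPanel or CSF. It assumes Apache combined-format domlogs, the alert "Time:" format shown in the thread, and the 300 s lfd scan interval quoted in post #5; the sample log lines and domain names are constructed.

```python
import re
from datetime import datetime, timedelta

# Apache combined log: host ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_alert_time(text):
    """Parse the 'Time:' value of an lfd alert, e.g. 'Mon Jul 22 07:36:15 2013 +0100'."""
    return datetime.strptime(text.strip(), "%a %b %d %H:%M:%S %Y %z")

def parse_log_line(line):
    """Parse one combined-format domlog line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e

def requests_near(lines, alert_time, window=300):
    """Entries inside the alert window, oldest first. lfd scans /tmp periodically
    (the thread cites a 300 s default), so the file may have been written any time
    in the preceding interval: look back a full window, plus a minute of slack after."""
    lo, hi = alert_time - timedelta(seconds=window), alert_time + timedelta(seconds=60)
    hits = []
    for line in lines:
        e = parse_log_line(line)
        if e and lo <= e["time"] <= hi:
            # A POST to a PHP script is the usual way a dropper gets to write /tmp.
            e["suspicious"] = e["method"] == "POST" and ".php" in e["path"]
            hits.append(e)
    return sorted(hits, key=lambda e: e["time"])

def rank_accounts(logs_by_domain, alert_time, window=300):
    """Suspicious in-window hits per domlog, most first: the lead when files are owned by nobody."""
    counts = {d: sum(e["suspicious"] for e in requests_near(ls, alert_time, window))
              for d, ls in logs_by_domain.items()}
    return sorted(counts.items(), key=lambda kv: -kv[1])

SAMPLE_LOGS = {  # constructed sample domlogs around the thread's first alert, not real traffic
    "shop.example.com": [
        '203.0.113.7 - - [22/Jul/2013:07:20:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [22/Jul/2013:07:33:40 +0100] "POST /wp-content/plugins/old-plugin/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [22/Jul/2013:07:35:58 +0100] "GET /images/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    ],
    "blog.example.net": [
        '192.0.2.44 - - [22/Jul/2013:07:34:12 +0100] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    ],
}
```

    On a live server you would read each file under /usr/local/apache/domlogs into the dictionary and, if the dropped file still exists, use its ctime from `stat` rather than the alert time, since the alert can lag the write by a full scan interval.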