
Suspicious files in /var/tmp

Discussion in 'Security' started by mwabini, May 17, 2019.

  1. mwabini (Registered; cPanel Access Level: Root Administrator)
    Hello,

    I have noticed time and again that somehow a file, or several files, exist in the /var/tmp folder owned by normal cPanel users without any escalated privileges. The files are then run from a cron job in the user's account. See attachment.

    The result is:
    1. High CPU and RAM usage for the user, or a high number of processes.
    2. The user running several processes of sendmail and postfix. This is normally visible via the top command in the terminal.
    3. The user's tasks run for a very long time and have to be killed from WHM.

    All the users ever found run WordPress installations in their cPanel accounts, and the WordPress installations are always compromised.

    On each cPanel server, I run /scripts/securetmp during setup. I also disable some PHP functions, e.g. exec(). But these scripts are run using Perl, anyway.

    I know this indicates a compromise of the account, but am puzzled about the following issues:
    1. How is the user able to create or upload a file in /var/tmp which is owned by root? How can I prevent this from happening?
    2. Are there Perl functions that are harmful and need to be disabled as well, just as we do for PHP?
    3. Is there a way to restrict or disable sending mail via Perl scripts and sendmail()? Is it advisable to disable these?
     

    Attached Files:

  2. GOT (Get Proactive! PartnerNOC; cPanel Access Level: DataCenter Provider)
    /var/tmp is owned by root, but it is chmod 777 which gives all users full access, as it needs to be.

    You cannot disable these Perl functions in any useful way, and yes, it would break many other things; much of cPanel is written in Perl.

    You can stop regular users from directly sending mail, which is what most of these types of malware do: they bypass Exim and connect out directly to the destinations. If you have CSF installed, the option is SMTP_BLOCK, and further refinements are in the subsequent settings. If you do not have CSF installed, cPanel has its own method of doing it, which is in Tweak Settings and called "Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)".
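The helpers below are an added example written for this thread; they are not code from the thread, from cPanel or from CSF. They tie together the three points in the reply above: /var/tmp is world-writable (on a normal install it is mode 1777, i.e. 777 plus the sticky bit, so users can create files there but only delete their own), the dropped files are started from the account's crontab, and the control that actually stops the spam is gating outbound port 25 by socket owner. The function names, the sample crontab and the sample `iptables -S OUTPUT` listing are constructed for the example; GNU `stat` and `find` are assumed, as on a CentOS cPanel server.

```shell
#!/bin/sh
# Added triage helpers for the situation in this thread (example code, not cPanel's,
# CSF's or the poster's): user-owned droppers in a world-writable /var/tmp that are
# started from the account's crontab and then spam directly on port 25.
# Assumes GNU coreutils/findutils (stat -c, find) as found on a CentOS cPanel box.

# check_sticky_tmp DIR
# Succeeds when DIR is mode 1777: world-writable (every user may create files, which is
# why user-owned files in /var/tmp are expected) plus the sticky bit, so users can only
# delete or rename their own files there.
check_sticky_tmp() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "1777" ]
}

# list_user_droppers DIR [SKIP_OWNER]
# Prints "owner<TAB>mtime<TAB>path" for regular files under DIR that are executable or
# begin with a "#!" shebang (perl droppers are often not even +x; cron runs them via the
# interpreter). Files owned by SKIP_OWNER (default root) are ignored; pass "" to report
# everything.
list_user_droppers() {
    dir="$1"
    skip_owner="${2-root}"
    find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        owner=$(stat -c '%U' "$f" 2>/dev/null) || continue
        if [ -n "$skip_owner" ] && [ "$owner" = "$skip_owner" ]; then
            continue
        fi
        if [ -x "$f" ] || [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\t%s\t%s\n' "$owner" "$(stat -c '%y' "$f" | cut -d. -f1)" "$f"
        fi
    done
}

# cron_jobs_referencing REGEX   (crontab text on stdin, e.g. from: crontab -l -u USER)
# Prints the command of every job whose line matches REGEX, dropping comments, variable
# assignments and the schedule fields (five fields, or one for @reboot-style entries).
cron_jobs_referencing() {
    awk -v pat="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/   { next }
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/  { next }
        $0 !~ pat                              { next }
        {
            n = ($1 ~ /^@/) ? 1 : 5
            cmd = ""
            for (i = n + 1; i <= NF; i++) cmd = cmd (i > n + 1 ? " " : "") $i
            print cmd
        }'
}

# has_smtp_owner_rule   (output of "iptables -S OUTPUT" on stdin)
# Succeeds when outbound port 25 is gated by socket owner: at least one rule matches
# --dport 25 together with -m owner, and some rule rejects/drops the rest. This is the
# shape of rule set that CSF's SMTP_BLOCK and cPanel's "Restrict outgoing SMTP to root,
# exim, and mailman" install; the exact uids/gids and rule order differ per server.
has_smtp_owner_rule() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -Eq -e '--dport 25 .*-m owner' &&
    printf '%s\n' "$rules" | grep -Eq -e '--dport 25 .*-j (REJECT|DROP)'
}

# Constructed sample input (not captured from a real server) so the helpers can be
# exercised offline.
SAMPLE_CRONTAB='MAILTO=""
# account crontab after compromise
*/5 * * * * /usr/bin/perl /var/tmp/.x/sess_1a2b >/dev/null 2>&1
0 3 * * * /usr/local/bin/php /home/user1/public_html/wp-cron.php
@reboot sh /var/tmp/.cache/run.sh'

SAMPLE_IPTABLES='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner 12 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable'

# Typical use on a live server (run as root):
#   check_sticky_tmp /var/tmp || echo "/var/tmp is not 1777"
#   list_user_droppers /var/tmp
#   crontab -l -u suspect_user | cron_jobs_referencing '/var/tmp|/tmp/|/dev/shm'
#   iptables -S OUTPUT | has_smtp_owner_rule || echo "outbound SMTP is not restricted"
```

On the question of preventing the drops: a 1777 /var/tmp cannot stop a user (or a compromised web application running as that user) from creating files there, which is why the useful controls are on what the file can do afterwards: the cron entry that launches it, the socket it opens on port 25, and a scanner over the directory. `list_user_droppers` is only a first pass; treat any hit as a lead to the account's crontab and web logs rather than as proof of compromise on its own.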
  3. mwabini (Registered; cPanel Access Level: Root Administrator)

    Thanks GOT for the reply.

    I have enabled the SMTP_BLOCK option in CSF, and I have seen this change, along with others, take positive effect on spamming from the servers.

    In this case, is there any other particular thing that can be done to prevent the upload of the malicious files to the /var/tmp folder? Or is it something that will always be done, and all I can do is ensure the scripts sent there can't spam even when run?
     
  4. GOT (Get Proactive! PartnerNOC; cPanel Access Level: DataCenter Provider)

  5. cPanelLauren (Forums Analyst II, Staff Member; cPanel Access Level: DataCenter Provider)
    I'd second @GOT's suggestion for a malware scanner such as Imunify; you can also configure ClamAV, which comes with cPanel, to scan (see Configure ClamAV Scanner - Version 80 Documentation - cPanel Documentation).