The Community Forums


Suspicious .tmp Directory

Discussion in 'Security' started by NixTree, Feb 6, 2012.

  1. NixTree

    NixTree Well-Known Member

    Joined:
    Aug 19, 2010
    Messages:
    386
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Gods Own Country
    cPanel Access Level:
    Root Administrator
    Hello,

    I have been noticing a common hack over WordPress on a lot of servers. It will create a backdoor in the /tmp/.tmp directory. Same kind of hack on all servers!!!!!

    I am sorry, I cannot come up with more explanation now! But I would just like to know if any others are experiencing the same issue!

    PS: the subject should be Suspicious .tmp directory

    Thank you,
    Nibin.
     
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    That could be malicious, or might not be. CSF is telling you the directory is suspicious -- but that does not _guarantee_ that it is malicious. It just means it is something you should look into.

    Just out of curiosity, do you have one or more customers using "shortcode generator" plugin for Wordpress? If so, I think it will create things in /tmp/.tmp/###### (where ###### is today's date, such as YYMMDD -- 120206).

    If it's not shortcode generator doing it, then indeed you need to continue looking to make sure it isn't something malicious. But "suspicious" doesn't always equal "malicious".

    M
     
  3. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    It's a WordPress hack. See this thread at Web Hosting Talk: lfd Suspicious File Alert File: /tmp/.tmp Suspicious directory - Web Hosting Talk

    If you know which sites are generating the file update those sites as soon as possible. If they are up to date and generating that file, remove the wp-admin and wp-includes directories and manually re-install the latest WordPress files/folders.
     
  4. NixTree

    NixTree Well-Known Member

    Joined:
    Aug 19, 2010
    Messages:
    386
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Gods Own Country
    cPanel Access Level:
    Root Administrator
    Hello,

    But the worst thing is, I found this hack on many sites without timthumb.php or the "shortcode generator" plugin. Most of the WP installations are running version 3.0.

    Anyway, thanks for your input geeks :)

    Thank you,
    Nibin.
     
  5. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Not sure if you have mod_security installed on the server. If not, then install it and add rules.
     
    #5 storminternet, Feb 7, 2012
    Last edited: Feb 7, 2012
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,466
    Likes Received:
    196
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    The links to free delayed rules there on that site have been dead for some time now.
     
  7. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Thanks, corrected.
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,466
    Likes Received:
    196
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    First line of that file says:

    NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
     
  9. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    Except for the mod_sec rules, if customers with WordPress sites force an update, will that correct and avoid this issue?
     
  10. mauriciocastro

    mauriciocastro Registered

    Joined:
    Apr 17, 2012
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Resolved for my clients:

    Login as root:

    nano check_thumbs.sh


    INCLUDE:



    Code:
    #!/bin/bash
    ## ====================================
    # This checks all php files in all document roots
    # for old TimThumb code then overwrites them with
    # the latest version
    ## ====================================
    echo
    dnow=$(date +%Y%m%dT%H%M%S)

    ## ====================================
    # Get the most current version of TimThumb.php
    # (stop if the download fails, so nothing is overwritten with an empty file)
    ## ====================================
    wget http://timthumb.googlecode.com/svn/trunk/timthumb.php -O ~/timthumb.php || exit 1

    ## ====================================
    # Generate a list of files, then overwrite them
    ## ====================================
    echo 'Searching for TimThumb files...please be patient (might take hours)'
    grep -lrE --include='*.php*' '(code.google.com/p/timthumb|timthumb.googlecode.com/svn/trunk/timthumb.php)' /home/*/public_html > ~/timthumb-"$dnow".txt

    ## ====================================
    # Overwrite each match with the current version and chown
    # it to the proper owner (the account name is the third
    # path component of /home/<user>/public_html/...)
    ## ====================================
    while IFS= read -r eaTim
    do
        user=$(echo "$eaTim" | awk -F"/" '{print $3}')
        echo "Overwriting $eaTim user $user"
        cp ~/timthumb.php "$eaTim"
        chown "$user:$user" "$eaTim"
    done < ~/timthumb-"$dnow".txt

    ## ====================================
    # all done!
    ## ====================================

    #SAVE...

    Next: sh check_thumbs.sh

    It is necessary to include it in cron to find sites with thumb...
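As an added example (not code posted in the thread), the following script reports each TimThumb copy under a document-root tree together with the VERSION constant it declares, so outdated copies can be confirmed before anything is overwritten. It assumes GNU grep, sed and sort -V, and it constructs its own sample tree under a temporary directory in place of /home/*/public_html.

```shell
#!/bin/bash
# Added example, not from the thread: list TimThumb copies with their
# declared VERSION and flag those older than a minimum (assumes GNU tools).

# Find PHP files carrying the TimThumb project markers used in the thread.
find_timthumb() {
    local root="$1"
    grep -lrE --include='*.php' \
        'code\.google\.com/p/timthumb|timthumb\.googlecode\.com' "$root" 2>/dev/null
}

# Extract the VERSION constant, e.g. define ('VERSION', '2.8.10'); -> 2.8.10
timthumb_version() {
    sed -nE "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*'VERSION'[[:space:]]*,[[:space:]]*'([0-9.]+)'.*/\1/p" "$1" | head -n1
}

# Succeeds when version $1 is strictly older than $2 (sort -V from coreutils).
older_than() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Print "path<TAB>version<TAB>OUTDATED|ok" for every copy under $1, with
# minimum acceptable version $2; a copy with no VERSION line is flagged too.
report_timthumb() {
    local root="$1" min="$2" f v status
    find_timthumb "$root" | while IFS= read -r f; do
        v=$(timthumb_version "$f"); [ -n "$v" ] || v="unknown"
        status=ok
        if [ "$v" = unknown ] || older_than "$v" "$min"; then status=OUTDATED; fi
        printf '%s\t%s\t%s\n' "$f" "$v" "$status"
    done
}

# Constructed sample tree standing in for /home/*/public_html (hypothetical accounts).
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/alice/public_html/wp-content/themes/x" "$DEMO_ROOT/bob/public_html"
printf "<?php\n// http://code.google.com/p/timthumb/\ndefine ('VERSION', '1.32');\n" \
    > "$DEMO_ROOT/alice/public_html/wp-content/themes/x/thumb.php"
printf "<?php\n// http://timthumb.googlecode.com/svn/trunk/timthumb.php\ndefine ('VERSION', '2.8.10');\n" \
    > "$DEMO_ROOT/bob/public_html/timthumb.php"
printf "<?php echo 'unrelated';\n" > "$DEMO_ROOT/bob/public_html/index.php"

report_timthumb "$DEMO_ROOT" 2.8.10
```

Run it against the real tree by replacing DEMO_ROOT with /home and picking the minimum version you consider current; review the OUTDATED lines before any overwrite.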
     