
Suspicious .tmp Directory

Discussion in 'Security' started by NixTree, Feb 6, 2012.

  1. NixTree

    NixTree Well-Known Member

    Hello,

    I have been noticing a common hack on WordPress on a lot of servers. It creates a backdoor in the /tmp/.tmp directory. Same kind of hack on all servers!

    I am sorry, I cannot come up with more explanation now! But I would just like to know if any others are experiencing the same issue.

    PS: the subject should be Suspicious .tmp directory

    Thank you,
    Nibin.
  2. mtindor

    mtindor Well-Known Member

    That could be malicious, or might not be. CSF is telling you the directory is suspicious -- but that does not _guarantee_ that it is malicious. It just means it is something you should look into.

    Just out of curiosity, do you have one or more customers using "shortcode generator" plugin for Wordpress? If so, I think it will create things in /tmp/.tmp/###### (where ###### is today's date, such as YYMMDD -- 120206).

    If it's not shortcode generator doing it, then indeed you need to continue looking to make sure it isn't something malicious. But "suspicious" doesn't always equal "malicious".

    M
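The reply above makes the practical point: an lfd "suspicious directory" alert on /tmp/.tmp is a prompt to look, not a verdict, and a plugin that writes /tmp/.tmp/YYMMDD date directories looks very different from a dropped backdoor. The script below is an added example, not code from the thread, from cPanel or from CSF/lfd: it walks a directory (defaulting to /tmp/.tmp), reports the owner of each entry (on a cPanel box the owner is the account whose site wrote it) and classifies it as a six-digit date directory, PHP source, an executable, or a plain file. The sample tree it builds under mktemp is constructed for the demo and stands in for a real /tmp/.tmp; the file names in it are invented.

```bash
#!/bin/bash
# Added example: triage of a hidden temp directory such as /tmp/.tmp.
# Not from the original thread; the sample tree below is constructed.

# Classify one path. Prints: <verdict> <owner> <path>
classify_entry() {
    p=$1
    owner=$(ls -ld "$p" | awk '{print $3}')   # file owner = cPanel account to inspect
    name=$(basename "$p")
    if [ -d "$p" ]; then
        case "$name" in
            [0-9][0-9][0-9][0-9][0-9][0-9]) echo "DATEDIR $owner $p" ;;   # YYMMDD, e.g. 120206
            *) echo "SUSPECT-DIR $owner $p" ;;
        esac
    elif [ -f "$p" ]; then
        if grep -q '<?php' "$p" 2>/dev/null; then
            echo "SUSPECT-PHP $owner $p"       # PHP source under /tmp: classic dropped backdoor
        elif [ -x "$p" ]; then
            echo "SUSPECT-EXEC $owner $p"      # executable under /tmp: bot binary or script
        else
            echo "FILE $owner $p"
        fi
    else
        echo "OTHER $owner $p"
    fi
}

# Classify every entry (hidden ones included) under a directory, default /tmp/.tmp.
triage_tmp() {
    dir=${1:-/tmp/.tmp}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    find "$dir" -mindepth 1 -print | while IFS= read -r entry; do
        classify_entry "$entry"
    done
}

# Number of entries flagged SUSPECT-* (0 when nothing was flagged).
suspect_count() {
    triage_tmp "$1" | grep -c '^SUSPECT' || true
}

# Constructed sample tree: one plugin-style date directory with a cache file,
# one PHP backdoor and one executable dropped at the top level.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/120206"
    printf 'cached thumbnail data\n' > "$base/120206/cache.dat"
    printf '<?php eval(base64_decode($_POST["c"]));\n' > "$base/sess_a1b2.php"
    printf '#!/bin/sh\necho connect-back would go here\n' > "$base/.x"
    chmod +x "$base/.x"
    echo "$base"
}

# Demo run on the constructed tree; on a real server call: triage_tmp /tmp/.tmp
sample=$(make_sample_tree)
triage_tmp "$sample"
rm -rf "$sample"
```

Run `triage_tmp /tmp/.tmp` as root and treat anything reported as SUSPECT-PHP or SUSPECT-EXEC, or a DATEDIR owned by an account that does not run the plugin in question, as the thing to investigate; the owner column tells you which account's site to look at first. Entry names with embedded newlines and PHP hidden behind obfuscation that avoids the literal `<?php` tag are not caught by this simple pass.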
  3. Curious Too

    Curious Too Well-Known Member

    It's a WordPress hack. See this thread at Web Hosting Talk: "lfd Suspicious File Alert File: /tmp/.tmp Suspicious directory".

    If you know which sites are generating the file update those sites as soon as possible. If they are up to date and generating that file, remove the wp-admin and wp-includes directories and manually re-install the latest WordPress files/folders.
     
  4. NixTree

    NixTree Well-Known Member

    Hello,

    But the worst thing is, I found this hack on many sites without timthumb.php or the "shortcode generator" plugin. Most of the WP installations are running version 3.0.

    Anyway, thanks for your input geeks :)

    Thank you,
    Nibin.
  5. storminternet

    storminternet Well-Known Member

    Not sure if you have mod_security installed on the server. If not, install it and add rules.
    #5 storminternet, Feb 7, 2012
    Last edited: Feb 7, 2012
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    The links to free delayed rules there on that site have been dead for some time now.
  7. storminternet

    storminternet Well-Known Member

    Thanks, corrected.
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    First line of that file says:

    NOTICE: THESE RULES ARE OBSOLETE AND ARE NO LONGER SUPPORTED
  9. k-planethost

    k-planethost Well-Known Member

    Apart from the mod_sec rules, if customers with WordPress sites force an update, will that correct and avoid this issue?
  10. mauriciocastro

    mauriciocastro Registered

    Resolved for my clients:

    Log in as root:

    nano check_thumbs.sh

    Include:

    Code:
    #!/bin/bash
    ## ====================================
    # This checks all php files in all document roots
    # for old TimThumb code then overwrites them with
    # the latest version
    ## ====================================
    echo
    dnow=$(date +%Y%m%dT%H%M%S)

    ## ====================================
    # Get the most current version of TimThumb.php.
    # Abort if the download fails or is empty; otherwise every
    # match below would be overwritten with an empty file.
    # (The googlecode URL is the 2012 original; point this at a
    # current TimThumb source if it no longer resolves.)
    ## ====================================
    wget http://timthumb.googlecode.com/svn/trunk/timthumb.php -O ~/timthumb.php \
        || { echo 'Download of timthumb.php failed, aborting'; exit 1; }
    [ -s ~/timthumb.php ] || { echo 'Downloaded timthumb.php is empty, aborting'; exit 1; }

    ## ====================================
    # Generate a list of files, then overwrite them
    ## ====================================
    echo 'Searching for TimThumb files...please be patient (might take hours)'
    grep -lrE --include='*.php*' \
        '(code.google.com/p/timthumb|timthumb.googlecode.com/svn/trunk/timthumb.php)' \
        /home/*/public_html > ~/timthumb-$dnow.txt

    ## ==================================
    # Overwrite each match with the current version and chown it
    # back to the account that owns the document root
    # (/home/<user>/public_html -> field 3 when split on "/")
    ## ==================================
    while IFS= read -r eaTim
    do
        user=$(echo "$eaTim" | awk -F"/" '{print $3}')
        echo "Overwriting $eaTim user $user"
        cp ~/timthumb.php "$eaTim"
        chown "$user:$user" "$eaTim"
    done < ~/timthumb-$dnow.txt

    ## ====================================
    # all done!
    ## ====================================

    Save the file.
    

    Next: sh check_thumbs.sh

    It is necessary to include it in cron to keep finding sites with timthumb...