Suspicious .tmp Directory

NixTree

Well-Known Member
Aug 19, 2010
cPanel Access Level
Root Administrator
Hello,

I have been noticing a common hack over WordPress on a lot of servers. It will create a backdoor in the /tmp/.tmp directory. Same kind of hack on all servers!!!!!

I am sorry, I cannot come up with more explanation now! But I would just like to know whether any others are experiencing the same issue!

PS: the subject should be Suspicious .tmp directory

Thank you,
Nibin.
 

mtindor

Well-Known Member
Sep 14, 2004
cPanel Access Level
Root Administrator
That could be malicious, or might not be. CSF is telling you the directory is suspicious -- but that does not _guarantee_ that it is malicious. It just means it is something you should look into.

Just out of curiosity, do you have one or more customers using "shortcode generator" plugin for Wordpress? If so, I think it will create things in /tmp/.tmp/###### (where ###### is today's date, such as YYMMDD -- 120206).

If it's not shortcode generator doing it, then indeed you need to continue looking to make sure it isn't something malicious. But "suspicious" doesn't always equal "malicious".

M
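
As an added example, not code from this thread or from any cPanel/CSF tool: a read-only triage script for the directory the lfd alert points at. It assumes the layout described in the reply above (a plugin creates dated YYMMDD subdirectories under /tmp/.tmp, whereas a backdoor drops loose PHP files), reports the owner of each entry so the affected account can be identified, and deletes nothing; the paths and sample files are constructed.

```shell
#!/bin/sh
# Added example, not code from this thread: read-only triage of the directory an
# lfd "Suspicious directory" alert points at. Assumes the layout described above:
# a plugin creates dated /tmp/.tmp/YYMMDD subdirectories, while a backdoor drops
# loose PHP files. Nothing is deleted; it only prints a verdict per entry.

# True when a regular file carries a PHP open tag (cache/data files should not).
has_php_marker() {
    grep -q '<?php' "$1" 2>/dev/null
}

# Print one classification line per entry in DIR, hidden entries included.
triage_tmp_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue              # unmatched glob pattern
        name=$(basename "$entry")
        owner=$(stat -c '%U' "$entry" 2>/dev/null || echo '?')
        if [ -d "$entry" ]; then
            case "$name" in
                [0-9][0-9][0-9][0-9][0-9][0-9])
                    echo "DIR  $name owner=$owner dated YYMMDD name (plugin-style; still inspect contents)" ;;
                *)  echo "DIR  $name owner=$owner unexpected subdirectory" ;;
            esac
        elif [ -f "$entry" ]; then
            if has_php_marker "$entry"; then
                echo "FILE $name owner=$owner contains PHP code: quarantine, then compare with a clean WordPress install"
            else
                echo "FILE $name owner=$owner no PHP markers"
            fi
        fi
    done
}

# Print the number of regular files in DIR that carry PHP code.
count_php_files() {
    n=0
    for f in "$1"/* "$1"/.[!.]*; do
        if [ -f "$f" ] && has_php_marker "$f"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Usage on a live system (constructed path): triage_tmp_dir /tmp/.tmp
```

The owner column is the useful part: a PHP file owned by one hosting account narrows the "which site is generating it" question from the later reply down to that account's WordPress install.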
 

Curious Too

Well-Known Member
Aug 31, 2001
cPanel Access Level
Root Administrator
> Hello,
>
> I have been noticing a common hack over WordPress on a lot of servers. It will create a backdoor in the /tmp/.tmp directory. Same kind of hack on all servers!!!!!
>
> I am sorry, I cannot come up with more explanation now! But I would just like to know whether any others are experiencing the same issue!
>
> PS: the subject should be Suspicious .tmp directory
>
> Thank you,
> Nibin.

It's a WordPress hack. See this thread at Web Hosting Talk: lfd Suspicious File Alert File: /tmp/.tmp Suspicious directory - Web Hosting Talk

If you know which sites are generating the file update those sites as soon as possible. If they are up to date and generating that file, remove the wp-admin and wp-includes directories and manually re-install the latest WordPress files/folders.
 

NixTree

Well-Known Member
Aug 19, 2010
cPanel Access Level
Root Administrator
Hello,

But the worst thing is, I found this hack on many sites without timthumb.php or the "shortcode generator" plugin. Most of the WP installations are running version 3.0.

Anyway, thanks for your input geeks :)

Thank you,
Nibin.
 

mauriciocastro

Registered
Apr 17, 2012
cPanel Access Level
Root Administrator
Resolved for my clients:

Log in as root:

nano check_thumbs.sh

Include:

Code:
#!/bin/bash
## ====================================
# This checks all php files in all document roots
# for old TimThumb code then overwrites them with
# the latest version
## ====================================
echo
dnow=$(date +%Y%m%dT%H%M%S)

## ====================================
# Get the most current version of TimThumb.php
# (abort if the download fails, so no site file is
# overwritten with an empty or partial copy)
## ====================================
wget http://timthumb.googlecode.com/svn/trunk/timthumb.php -O ~/timthumb.php || { echo 'Download of timthumb.php failed, aborting'; exit 1; }

## ====================================
# Generate a list of files, then overwrite them
## ====================================
echo 'Searching for TimThumb files...please be patient (might take hours)'
grep '(code.google.com/p/timthumb|timthumb.googlecode.com/svn/trunk/timthumb.php)' /home/*/public_html -lroE --include='*.php*' > ~/timthumb-"$dnow".txt

OLD_IFS=$IFS
IFS=$'\n'
for eaTim in $(cat ~/timthumb-"$dnow".txt)
do
## ==================================
# Overwrite with current version and chown to proper owner
# (the owner is the account name: /home/<user>/public_html/...)
## ==================================
user=$(echo "$eaTim" | awk -F"/" '{print $3}')
echo "Overwriting $eaTim user $user"
cp ~/timthumb.php "$eaTim"
chown "$user:$user" "$eaTim"
done
IFS=$OLD_IFS

## ====================================
# all done!
## ====================================


# SAVE...

Next: sh check_thumbs.sh

It is necessary to include it in cron to find sites with TimThumb...