
thousands of files in tmp

Discussion in 'General Discussion' started by naguib2000, Dec 5, 2005.

  1. naguib2000

    naguib2000 Member

    Joined:
    May 12, 2004
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    I find thousands of files in /tmp.

    They all begin with the letters cdk.


    It is not even easy for "ls" to display them, nor easy to remove them all at once.

    Can I know what these files are about?
    And do they introduce any security or performance risk?
     
  2. naguib2000

    Can anybody help?
     
  3. Jorel

    Jorel Well-Known Member

    Joined:
    Aug 15, 2003
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    You won't hurt anything by removing them. If they are owned by 'nobody' I would definitely remove them. I say kill 'em.
     
  4. naguib2000

    Thank you for your fast reply, Jorel.

    But I am really concerned: how are they generated, and what application do they relate to?
     
  5. Jorel

    I've encountered them on my server, and when there get to be too many I just remove them. I'm not sure what script creates them, but I'm pretty sure they are harmless. You can always try viewing one of them to check for any malicious code. Just make sure there isn't anything else suspicious in there.
     
  6. yawsh

    yawsh Well-Known Member

    Joined:
    Jun 20, 2004
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    Any fix for this?

    I'm having same problem now :(
     
  7. yawsh

    The strange thing about it is that I deleted them all and noticed that they are created again very fast.

    The second thing is that they are 0-byte files, with nothing in them.
    PHP:
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdk76JBx8
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdk8FTD1B
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdkboDfEU
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdkbPKd1T
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdkjLLd0n
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdkkvG4CM
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdkMyLUmd
       0 -rw-------   1 nobody nobody       0 Jan 11 15:41 cdktVXAZT
    Some files are 160 bytes and have this code:
    PHP:
    <?php

    require_once ('mysql.inc.php');
    require_once ('getlang.php');

    session_start();
    $time_start = getmicrotime();
    require_once ('functions.admin.php');

    require_once ('upload.inc.php');
    include_once ('templates/footer.html');

    $time_end = getmicrotime();

    ob_end_flush();
    ?>

    I tried to find some of the code in /home
    PHP:
    find . -type f -name '*.*' -exec grep -s 'getmicrotime()' {} \; -print | more
    and I got this result:
    PHP:
       $lasttime=getmicrotime()-0.9;
     $currenttime=getmicrotime();
    ./xxxx/public_html/OLD_site/ibr/getroommsgs.php
               $timestm=getmicrotime();        
    ./xxxx/public_html/OLD_site/ibr/band4ever.php
             { $timestm=getmicrotime();        
    ./xxxx/public_html/OLD_site/ibr/sendmsgtoroom.php
    function getmicrotime(){ 
    ./xxxx/public_html/OLD_site/ibr/func.php
               $timestm=getmicrotime();        
    ./xxxx/public_html/OLD_site/ibr/bandtmp.php
          $this->TimeStart = getmicrotime();
          $this->TimeTotal = @round(getmicrotime() - $this->TimeStart,4);
      function getmicrotime()
    ./xxxx/public_html/up/so.php
    if (!function_exists("getmicrotime")) {function getmicrotime() {list($usec, $sec) = explode(" ", microtime()); return ((float)$use
    c + (float)$sec);}}
    define("starttime",getmicrotime());
        $ftpquick_st = getmicrotime();
        $ftpquick_t = round(getmicrotime()-$ftpquick_st,4);
      $searchtime = getmicrotime();
      $searchtime = round(getmicrotime()-$searchtime,4);
        $st = getmicrotime();
        $dt = round(getmicrotime()-$st,4);
    <br><TABLE style="BORDER-COLLAPSE: collapse" height=1 cellSpacing=0 borderColorDark=#666666 cellPadding=0 width="100%" bgColor=#333333 borderColorLight=#c0c0c0 
    border=1><tr><td width="990" height="1" valign="top"><p align="center"><b>--[ c99shell v. <?php echo $shver?> <a href="<?php echo $surl?>act=about"><u><b>po
    wered by</b></u></a> Captain Crunch Security Team | <a href="http://ccteam.ru"><font color="#FF0000">http://ccteam.ru</font></a><font color="#FF0000"></font> | 
    Generation time: <?php echo round(getmicrotime()-starttime,4); ?> ]--</b></p></td></tr></table>
    ./xxxx/public_html/up/dr.php.3gp
    Which somehow means a shell is uploaded -->> dr.php.3gp


    But till now I did not find any shell uploaded.

    If it is not that important, why is /tmp getting full within 2 days?
    Then MySQL stops working, creating many issues.


    Thanks for your reply, HelloAdam :)


    Any other comments on this, guys?
     
  8. HelloAdam

    HelloAdam Well-Known Member

    Joined:
    Nov 6, 2005
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    Hey,

    It's the /tmp folder, what do you expect to be in there? Any program or script that is on your server is going to use that folder.

    You should make sure that your /tmp has noexec on it.

    From,
    Adam
     
  9. yawsh

    BTW: I wrote my last reply after HelloAdam :confused: how did his reply come after mine???
     
  10. xerophyte

    xerophyte Well-Known Member

    Joined:
    Mar 16, 2003
    Messages:
    216
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Those are session files; it looks like someone is doing something weird.

    You are searching for the wrong thing above. Please search for these files

    • mysql.inc.php
    • getlang.php
    • functions.admin.php
    • upload.inc.php
    • templates/footer.html

    in file names and content using find.

    That should help you find the folder of the script which is responsible for those /tmp files.


    hope that helps
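
The search suggested in the post above, as an added example that is not part of the thread: it ranks directories by how many of the five include names they hold, scores PHP files by how many of those names their content mentions, and lists files with an extra extension after .php (like dr.php.3gp in the earlier grep output). The function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. INCLUDES holds the five paths quoted in
# the 160-byte /tmp file; function names and the sample tree are assumptions.
INCLUDES='mysql.inc.php getlang.php functions.admin.php upload.inc.php templates/footer.html'

# Tally lines on stdin as "<count> <line>", highest count first.
tally() { sort | uniq -c | sort -rn | sed 's/^ *//'; }

# Directories under $1 that contain the included files by name.
dirs_by_name() {
    for name in $INCLUDES; do
        find "$1" -type f -path "*/$name" -print 2>/dev/null | sed "s|/$name\$||"
    done | tally
}

# PHP-like files under $1, scored by how many of the five includes they mention.
files_by_content() {
    for name in $INCLUDES; do
        find "$1" -type f -name '*.php*' -exec grep -lF -- "$name" {} + 2>/dev/null
    done | tally
}

# Files with another extension after .php, which deserve a manual look.
double_ext() { find "$1" -type f -name '*.php.*' -print 2>/dev/null; }

# Constructed sample tree so the functions can be tried offline.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site_a/templates" "$root/site_b/up"
    for f in $INCLUDES; do : > "$root/site_a/$f"; done
    for f in $INCLUDES; do printf "require_once ('%s');\n" "$f"; done > "$root/site_a/index.php"
    printf "require_once ('getlang.php');\n" > "$root/site_b/page.php"
    : > "$root/site_b/up/sample.php.3gp"
    printf '%s\n' "$root"
}

# Usage: sh script.sh /home   (prints the three reports for that tree)
if [ -n "${1:-}" ]; then
    dirs_by_name "$1"; files_by_content "$1"; double_ext "$1"
fi
```

A directory scoring 5 in the first report, or a file scoring 5 in the second, is the likeliest home of the script that writes the /tmp files.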
     