The Community Forums


Track where files in tmp are coming from ? [merged]

Discussion in 'General Discussion' started by jeroman8, Jul 4, 2005.

  1. jeroman8 (Well-Known Member; joined Mar 14, 2003; 410 messages; 0 likes; 16 trophy points)

    Exploited - php script spamming in TMP

    I had a catalog .J in tmp with a php script using txt files with thousands of mail addresses
    to send all these mails from my server. So someone is using my server to spam.
    The load is up to about 10 with lots of exim processes.

    Now, I know that PERL scripts can be run in TMP even if you have the secure tmp installed.
    But how can a php file be running there?

    In cpu load this is the line showing:
    php envia.txt hotmail54.txt frux.htm msnplus@msn.com Novo MSN PATCH PLUS, Confira!

    But what I really wonder is that the php script was called eniva.txt and when I did a search for this file I found it in /home/virtfs/username/tmp
    I guess this is symlinked to the real tmp catalog, but no other Shell users had
    these files in their virtfs catalogs, so it makes me wonder... why?

    I have killed the processes and the script, but if not this one, other "exploited stuff" will come back. What I really would like is a cpanel security tweak with low, medium, high and safe options :) for the whole server.
     
  2. jeroman8 (Well-Known Member; joined Mar 14, 2003; 410 messages; 0 likes; 16 trophy points)

    Track where files in tmp are coming from ?

    Is this impossible?

    Sometimes there's PERL files and sometimes it's php files doing crazy
    stuff like ddos other servers, spamming etc.
    The server is pretty secure, I had r-fx to secure it a while back and then
    I also removed some of the worldwritable folders like /...apache/proxy,
    var/spool/samba and more...

    Anyway - I just wonder - is there like a script so I can see WHERE the files are coming from?
    SSH, FTP, Exploited script...

    Can't find any trace in logs (domlogs, messages, error, access, secure)
     
  3. lankyb (Well-Known Member; joined Sep 21, 2004; 99 messages; 0 likes; 16 trophy points; Peterborough, UK)

    You could see who has ownership of the files by using the 'ls -l' command.

    Example Output:
    Code:
    
    root@server1 [~]# cd /tmp
    root@server1 [/tmp]# ls -l
    total 190
    drwxrwxrwt   3 root     root     13312 Jul  5 08:46 ./
    drwxr-xr-x  22 root     root      4096 Jun 18 00:46 ../
    drwx------   2 root     root     12288 Mar  1 21:17 lost+found/
    lrwxrwxrwx   1 root     root        27 Apr 15 19:32 mysql.sock -> ../var/lib/mysql/mysql.sock=
    -rw-------   1 user1    user1    39954 Jul  1 11:20 sess_1a65d6a27599587234973efcf5879b39
    -rw-------   1 user1    user1    35690 Jun 29 23:17 sess_35f882a44ecfc93771bb02604b47936b
    -rw-------   1 nobody   nobody     435 Jun 29 01:26 sess_6b3a260c37efd91371365264be0ed4f7
    -rw-------   1 user1    user1    42757 Jun 30 22:58 sess_6dfbedd7728dd560f2cb737f0fa2557b
    -rw-------   1 user1    user1    37177 Jun 30 14:58 sess_a41e3a26bf903119a16412503db88b9b
    -rw-rw----   1 user2    user2       13 Jul  3 05:28 user2-session-0.83293378663166
    root@hd-t715cl [/tmp]#
     
  4. jeroman8 (Well-Known Member; joined Mar 14, 2003; 410 messages; 0 likes; 16 trophy points)

    Yes, thanks, but it's always nobody that owns the files, so it has probably been
    uploaded by a php script. I'd like to know if it is possible to see from which script
    or how it came up in the tmp folder.

    I guess there's no way seeing this.
     
  5. chirpy (Well-Known Member; joined Jun 15, 2002; 13,475 messages; 20 likes; 38 trophy points; Location: Go on, have a guess)

    If they're owned by nobody then you most likely have vulnerable php scripts running on your server. The most likely contenders are currently phpBB and phpNuke. You need to make sure each and every one has phpBB running v2.0.16. Tracking back can only really be done by checking the creation dates and then tracing through the apache error log and the user domlogs looking for suspicious activity.
     
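    The tracing step chirpy describes (take the file's creation or modification time, then look at what the web server logged around that moment) can be scripted. The following is an added example, not code from the thread or from cPanel: it takes the mtime of a suspicious /tmp file as a Unix timestamp and prints every line of an Apache combined-format domlog that falls within a window around it. The domlog lines are constructed sample data, the mtime is hard-coded, and the `stat -c %Y` command mentioned in the comments is the GNU/Linux way to obtain it.

```shell
#!/bin/sh
# Added example, not from the thread: given the modification time of a
# suspicious file in /tmp, list the requests an Apache domlog recorded in
# the minutes around it. Runs on POSIX sh + awk (no GNU extensions needed).

# Constructed sample domlog in Apache combined format, for a server whose
# clock is set to +0200. Not real traffic.
SAMPLE_LOG="${TMPDIR:-/tmp}/domlog_sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [05/Jul/2005:10:10:03 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [05/Jul/2005:10:44:12 +0200] "GET /forum/viewtopic.php?t=1 HTTP/1.1" 200 812 "-" "-"
10.0.0.9 - - [05/Jul/2005:10:45:30 +0200] "POST /forum/viewtopic.php HTTP/1.1" 200 90 "-" "-"
10.0.0.7 - - [05/Jul/2005:12:30:00 +0200] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

# requests_near LOG EPOCH WINDOW
# Prints every log line whose timestamp lies within WINDOW seconds of EPOCH.
# The timestamp is converted to Unix time inside awk with the days-from-civil
# formula, so the script does not depend on gawk mktime() or on GNU date -d.
requests_near() {
  awk -v center="$2" -v win="$3" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
      for (i = 1; i <= 12; i++) mon[names[i]] = i
    }
    # Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant).
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
      if (m <= 2) y--
      era = int(y / 400)
      yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    {
      # Field 4 looks like "[05/Jul/2005:10:44:12", field 5 like "+0200]".
      ts = substr($4, 2)
      tz = substr($5, 1, 5)
      split(ts, p, "[/:]")   # p: day, Mon, year, hour, min, sec
      epoch = days_from_civil(p[3] + 0, mon[p[2]], p[1] + 0) * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
      # Normalise the local timestamp to UTC using the logged offset.
      off = substr(tz, 2, 2) * 3600 + substr(tz, 4, 2) * 60
      if (substr(tz, 1, 1) == "+") epoch -= off; else epoch += off
      if (epoch >= center - win && epoch <= center + win) print
    }' "$1"
}

# count_requests_near LOG EPOCH WINDOW: number of lines requests_near prints.
count_requests_near() {
  requests_near "$@" | wc -l | tr -d ' '
}

# Modification time of the suspicious file as Unix time. On GNU/Linux it
# comes from: stat -c %Y /tmp/suspectfile
# Here it is hard-coded to 2005-07-05 08:46:00 UTC (10:46 on this server).
SUSPECT_MTIME=1120553160
WINDOW=600   # look ten minutes either side

echo "Requests within $WINDOW s of the suspect file mtime:"
requests_near "$SAMPLE_LOG" "$SUSPECT_MTIME" "$WINDOW"
```

    Run it against the real domlog of each account (`/usr/local/apache/domlogs/<domain>` on a cPanel box) with the actual mtime, and widen the window if nothing shows; what you are looking for is a request to a script that has no business writing to /tmp, made shortly before the file appeared, and the client address behind it. Note that mtime is reset if the file is edited or rewritten, so check the earliest timestamp among the dropped files rather than the most recent.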
  6. AndyReed (Well-Known Member, PartnerNOC; joined May 29, 2004; 2,222 messages; 3 likes; 38 trophy points; Minneapolis, MN)

    In addition to PhpBB, PhpNuke, check out osCommerce, esupport, and personal cgi/php scripts written by clients. Clean up and secure your server before it's too late.
     
  7. chirpy (Well-Known Member; joined Jun 15, 2002; 13,475 messages; 20 likes; 38 trophy points; Location: Go on, have a guess)

    Well, that's your responsibility (to secure it) as the server admin ;)

    As to php scripts in /tmp, you just have to parse them through the interpreter, i.e. php -f /tmp/exploitfile.
     
  8. kris1351 (Well-Known Member; joined Apr 18, 2003; 963 messages; 0 likes; 16 trophy points; Lewisville, Tx)

    The one he is referring to here is definitely from a phpBB exploit. I have caught several of these in the past week; they are running a php curl command calling a file from another server and creating a tmp file in the form of an alphabet letter. The easiest way I found them was to look at the Apache status in WHM; it gives you a full line with the full command. It also tells you what domain the exploit is coming from.
     
  9. jeroman8 (Well-Known Member; joined Mar 14, 2003; 410 messages; 0 likes; 16 trophy points)

    I misunderstood a thing so deleted the post.
     
    #9 jeroman8, Jul 6, 2005
    Last edited: Jul 6, 2005