Trojans on /tmp

Discussion in 'General Discussion' started by efeito, Jan 20, 2004.

  1. efeito

    Hi all!

    I have noexec on /tmp and no one can execute files on that dir. But there are a lot of "tries".

    I found a lot of files with 777 permissions owned by nobody.nobody.

    How can I track who is putting those files over there? I don't have demo accounts on my server, so is there a way to track this user?

    Thanks a lot for your help
     
  2. Faldran

    Yeah, grep your domlogs for all sites on that server.

    If you use php+suexec, then that would have been as the user and a lot easier to track down. (But of course not everyone likes php+suexec.)

    cd to wherever your domlogs are stored
    grep tmp *

    Should work to find them, then you can be more specific and find what they used etc... after you find the set of domlogs to be looking in with the date/time.
     
  3. efeito

    I went to /usr/local/apache/domlogs

    grep tmp *

    and... no reply... nothing!

    :(

    Any other suggestions?
     
  4. efeito

    I found how they do it... once again, insecure script inside phpnuke.


    They simply upload files to my tmp easy easy... My_eGallery is the script!

    Take a look at this script, it's insecure.

    Regards
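
Added example, not part of any post in this thread: a logged request line need not mention the directory a script writes to, so instead of grepping for "tmp" this sketch follows the date/time idea from the second post and matches the modification time of each nobody-owned file in /tmp against requests in the domlogs. It assumes Apache common/combined log format; the sample log lines, addresses, paths and the 10-second window are constructed for illustration.

```python
import os
import pwd
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined format: client ident user [time] "METHOD url proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_domlog(lines, site):
    """Return (time, site, client, method, url, status) for every parsable line."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            out.append((when, site) + m.group(1, 3, 4, 5))
    return out

def files_owned_by(tmpdir="/tmp", user="nobody"):
    """Map path -> mtime (UTC) for regular files in tmpdir owned by `user`."""
    uid = pwd.getpwnam(user).pw_uid
    found = {}
    for entry in os.scandir(tmpdir):
        st = entry.stat(follow_symlinks=False)
        if entry.is_file(follow_symlinks=False) and st.st_uid == uid:
            found[entry.path] = datetime.fromtimestamp(st.st_mtime, timezone.utc)
    return found

def correlate(file_times, requests, window=timedelta(seconds=10)):
    """For each file, list the requests logged within `window` of its mtime."""
    return {path: [r for r in requests if abs(r[0] - mtime) <= window]
            for path, mtime in file_times.items()}

# Constructed sample data (not from the thread): two domlog lines and one file mtime.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jan/2004:03:14:05 +0000] "GET /index.php HTTP/1.0" 200 5120',
    '192.0.2.77 - - [20/Jan/2004:04:41:58 +0000] "POST /gallery/upload.php HTTP/1.0" 200 312',
]
SAMPLE_FILES = {"/tmp/x.tmp": datetime(2004, 1, 20, 4, 42, 0, tzinfo=timezone.utc)}

if __name__ == "__main__":
    # On a live server: feed each file in the domlogs directory to parse_domlog()
    # and pass files_owned_by("/tmp") instead of SAMPLE_FILES.
    reqs = parse_domlog(SAMPLE_LOG, "example.com")
    for path, hits in correlate(SAMPLE_FILES, reqs).items():
        for when, site, client, method, url, status in hits:
            print(path, site, client, method, url, status, when.isoformat())
```

The site and URL of the matching request point at the script to audit; a large upload can be logged well before the file's final write, so widen the window if nothing matches.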
     