User executing file in /tmp

Discussion in 'Security' started by Nathum, Sep 27, 2017.

  1. Nathum

    Nathum Member

    Joined:
    Aug 12, 2014
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi All,

    Since a website's been hacked I have had nothing but problems trying to stop processes and scripts from executing.

    First, scripts have been running in the public_html /xxx/yyy directory. So I deleted the yyy directory, later to find that the scripts were still running in a directory I deleted. I had killed all processes and restarted Apache, but the script remained. I SSH'd to the user's folder and even though File Manager said the folder did not exist, SSH showed the folder being there. Deleting the folder via SSH did the job.

    Now I have another issue, the same user is now executing a script in /tmp/

    I'm not sure how the script is called, and if it's something to be worried about. However, I attached a couple of screenshots, and would it be safe to rm all files and folders in /tmp?

    Thanks
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,484
    Likes Received:
    60
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    Do not remove all the files. There is a MySQL sock file too and it will affect MySQL. You can remove all other files.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Can you verify the version of cPanel installed on this system? Also, are you using any third-party applications such as LiteSpeed or PHP Selector (CloudLinux)?

    Thank you.
     
  4. Nathum

    Nathum Member

    Hi Michael,

    CENTOS 7.4 xen enterprise hvm. No other third-party applications.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look?

    Thank you.
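
The checks discussed in this thread, as an added example that is not part of any participant's post: it lists one account's processes whose executable or working directory sits in a temp directory or has been unlinked while the process keeps running, and lists that account's files under /tmp without touching sockets. The function names and the optional PROC_ROOT/DIR arguments are assumptions made for illustration.

```bash
#!/bin/sh
# Added triage example, not from the thread. Run as root so other users'
# /proc entries are readable. Function names are hypothetical.

# suspicious_procs UID [PROC_ROOT]
# Prints "PID<TAB>REASON<TAB>PATH" for each process owned by UID whose
# executable (exe) or working directory (cwd) is in a world-writable temp
# directory, or has been unlinked while the process keeps running.
suspicious_procs() {
    uid="$1"; root="${2:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # The owner of /proc/PID is the uid the process runs as.
        [ "$(stat -c %u "$dir" 2>/dev/null)" = "$uid" ] || continue
        pid="${dir##*/}"
        for kind in exe cwd; do
            link="$(readlink "$dir/$kind" 2>/dev/null)" || continue
            case "$link" in
                *" (deleted)")
                    printf '%s\t%s-deleted\t%s\n' "$pid" "$kind" "$link" ;;
                /tmp/*|/var/tmp/*|/dev/shm/*)
                    printf '%s\t%s-in-tmp\t%s\n' "$pid" "$kind" "$link" ;;
            esac
        done
    done
}

# tmp_candidates UID [DIR]
# Lists (does not delete) files under DIR owned by UID, skipping sockets
# such as the MySQL socket and skipping directories.
tmp_candidates() {
    find "${2:-/tmp}" -xdev -user "$1" ! -type s ! -type d -print 2>/dev/null
}

# Usage: sh triage.sh <numeric-uid>
if [ "$#" -gt 0 ]; then
    suspicious_procs "$1"
    tmp_candidates "$1"
fi
```

Review the listed files and keep copies of anything needed for the investigation before removing them; the numeric UID for an account comes from `id -u <username>`.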
     