The Community Forums

Interact with an entire community of cPanel & WHM users!

What's supposed to be in /tmp?

Discussion in 'General Discussion' started by welo, Dec 17, 2003.

  1. welo

    welo Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    71
    Likes Received:
    0
    Trophy Points:
    6
    I was just cleaning out my /tmp dir (someone put an eggdrop in there) and now am wondering just what would get screwed up if I emptied the whole dir. Stuff like the horde.log is self-evident, yet f.ex. it's full of files like:

    sess_f76b804611cead759591434b09cdd4c3

    containing:

    username|s:5:"admin";password|s:7:"Nk648Et";level|s:5:"admin";

    Since I am uncertain what these logs mean exactly I'm not sure whether it's safe to delete them or not. Recent episodes with the trojan and now this mysteriously appearing eggdrop have me a little edgy. Any advice?
     
  2. welo

    welo Well-Known Member

    I was just checking and apparently all the sess_xxx logs are due to mcrypt. I suppose this means it's safe to delete them.
     
  3. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    The only files supposed to be in /tmp are "sess_" files, "mysql.sock" and the Horde.log file. In /var/tmp the only file should be mysql.sock.

    There have been quite a few instances of scripts appearing in both these directories lately. The servers have been pulled because they are compromised - BUT the server is NOT actually compromised. The answer would be to write a simple script to delete all files from these directories that aren't supposed to be there (Fantastico uses /tmp for a short time). Run the script from cron every minute.

    Low overhead simple solution.
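
    The allowlist check described in this post, as an added example that is not part of the thread: it reports unexpected entries rather than deleting them, so the files and their owners stay available for review. The function names, the per-name type checks and the script path in the last comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report /tmp entries that are not expected.
# Expected names come from the post above: sess_* files, mysql.sock, horde.log.

# expected NAME PATH -> 0 if the entry matches an allowlisted name AND type.
# The type checks are an assumption of this example: a name alone proves nothing.
expected() {
    case $1 in
        sess_*)     [ -f "$2" ] && [ ! -L "$2" ] && [ ! -x "$2" ] ;;  # plain, non-executable file
        horde.log)  [ -f "$2" ] && [ ! -L "$2" ] ;;
        mysql.sock) [ -S "$2" ] || [ -L "$2" ] ;;                    # socket or symlink to it
        *)          return 1 ;;
    esac
}

# tmp_unexpected DIR -> prints the name of each unexpected top-level entry.
tmp_unexpected() {
    for path in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        # Unmatched globs stay literal; -L keeps dangling symlinks in scope.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        expected "$name" "$path" && continue
        printf '%s\n' "$name"
    done
}

# tmp_report DIR -> owner, mode and mtime of each unexpected entry, for review.
tmp_report() {
    tmp_unexpected "$1" | while IFS= read -r name; do
        ls -ld -- "$1/$name"
    done
}

# Hypothetical cron use: . /root/tmp_audit.sh; tmp_report /tmp | logger -t tmp_audit
```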
     
  4. sv1

    sv1 Well-Known Member

    Joined:
    Aug 31, 2003
    Messages:
    135
    Likes Received:
    0
    Trophy Points:
    16
    You wouldn't happen to have a script like this, would you?
     
  5. rs-freddo

    rs-freddo Well-Known Member

    When I get time I'll write one... and post it...
     
  6. sv1

    sv1 Well-Known Member

    Thanks.
     
  7. compunet2

    compunet2 Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    310
    Likes Received:
    0
    Trophy Points:
    16
    That would be great!
     
  8. rs-freddo

    rs-freddo Well-Known Member

    If your server attacks another server, then yes, they have to pull it. You have to do something before the attacks begin. Reality is that any of your users could use their account in the same way...

    The only difference is that /tmp doesn't have bandwidth limitations.
     
  9. ricoche

    ricoche Well-Known Member

    Joined:
    Feb 7, 2003
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    16
    Hi there,

    I have files such as this, for example: "ssh-XXfNpdf3". It's a directory with another file inside that looks like this: "agent.13696="

    Is this something I can delete?

    Thank you.

    In fact, not including the sess files, here is what I currently have in my /temp folder.

    *********************
    .casp3000/
    .casp5101/
    ClamAVBusy.lock
    fantasticodl.tgz
    footer.tmpl
    header.tmpl
    horde.log
    ixed/
    license.php
    mt-throttle.db
    mysql.sock -> /var/lib/mysql/mysql.sock=
    README
    .s.PGSQL.5432=
    .s.PGSQL.5432.lock
    ssh-XX0dlFd8/
    ssh-XX490Uv1/
    ssh-XX7OD4T8/
    ssh-XXfNpdf3/
    ssh-XXgSlEDu/
    ssh-XXHcUGJu/
    ssh-XXhXfeBi/
    ssh-XXJHw172/
    ssh-XXSEOK38/
    ssh-XXsjAlaH/
    ssh-XXV2Gsgj/
    ssh-XXVDbbKN/
    ssh-XXviBOsD/
    ssh-XXwQfXEQ/
    ssh-XXXznot7/
    ssh-XXZnse70/
    *******************

    Thanks again.
     
    #9 ricoche, Dec 19, 2003
    Last edited: Dec 19, 2003