suspicious file in temp




Posted by mehi60, 08-24-2013, 11:20 AM
Dear all, kindly please help. Recently I have been getting lots of alerts from LFD on a cPanel server that contain:

lfd on ........: Suspicious File Alert
-------------------------------------------
File: /tmp/crakmedia_cache.php

I checked the file; it contains a script and an iframe from a bad site. In "ls -l" I can see who the owner of the file is, but I don't know which part of the site makes the file; when I delete the file, it is recreated within a minute. How can I find which part of the site makes this file, and how can I prevent it? Thanks.

Posted by khunj, 08-24-2013, 12:21 PM
You can check if the user has a cron job that may be used to reinstall the file every minute.

Posted by BestServerSupport, 08-24-2013, 12:55 PM
I would suggest you secure /tmp by adding the nodev, nosuid, and noexec options.
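As an added check that is not part of the original thread: the mount options recommended above only take effect if /tmp (and its usual companions /var/tmp and /dev/shm) are actually separate mounts carrying them, which is easy to get wrong when /tmp is just a directory on the root filesystem. The Python below parses /proc/mounts-style lines (the same six-field layout as /etc/fstab) and reports what is missing; the two sample mount tables are constructed. One caveat: noexec blocks direct execution of a binary or script dropped in /tmp, but it does not stop PHP from reading and include()-ing a .php file there, so it would not by itself stop the behaviour described in this thread.

```python
"""Audit /tmp-style mount points for the nodev, nosuid and noexec options.

Added example, not cPanel's own tooling. Reads /proc/mounts (or /etc/fstab,
which shares the six-field layout). The sample tables below are constructed.
"""
import sys

REQUIRED = {"nodev", "nosuid", "noexec"}
WATCHED = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed: /tmp is a loop mount without hardening, /var/tmp is not a
# separate mount at all, and /dev/shm is mounted with default options.
WEAK_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/loop0 /tmp ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
"""

# Constructed: the corrected layout, /var/tmp sharing the /tmp loop device.
HARDENED_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/loop0 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/loop0 /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""


def parse_mounts(text):
    """Map mount point -> set of options for every valid six-field line."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        # /proc/mounts escapes spaces in paths as \040
        mountpoint = fields[1].replace("\\040", " ")
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def audit_tmp_mounts(text, watched=WATCHED):
    """Return {mountpoint: sorted list of missing options}.

    A watched path that has no mount entry of its own maps to None: the
    options cannot apply to it until it is made a separate mount.
    """
    mounts = parse_mounts(text)
    return {
        mp: (sorted(REQUIRED - mounts[mp]) if mp in mounts else None)
        for mp in watched
    }


def main(path="/proc/mounts"):
    """Audit the live system; exit 1 if anything is missing."""
    try:
        with open(path) as f:
            text = f.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}")
        return 1
    report = audit_tmp_mounts(text)
    for mp, missing in report.items():
        if missing is None:
            print(f"{mp}: not a separate mount, options cannot be applied")
        elif missing:
            print(f"{mp}: missing {','.join(missing)}")
        else:
            print(f"{mp}: ok")
    return 1 if any(v is None or v for v in report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it without arguments to audit the running host, or pass a saved copy of /etc/fstab to review the configuration before a reboot. On cPanel servers the usual way to create the hardened /tmp and bind-mounted /var/tmp is the bundled /scripts/securetmp script; the check above confirms that the result is actually in effect.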

Posted by mehi60, 08-25-2013, 12:17 AM
It shows:

......[~]# crontab -l -u .....
SHELL="/usr/local/cpanel/bin/jailshell"

Also, I secured /tmp before. I believe one script on that user's site is making this file, but I need something like a log file or tracking system to monitor and watch /tmp and then tell me what script or page is making this. Thanks

Posted by whmxtra, 08-26-2013, 02:40 AM
Grep the access logs for Apache, and for a short-term solution add a cron job to delete any PHP files in /tmp, as there is no need for any PHP file to exist in /tmp.

Posted by Kailash12, 08-26-2013, 02:46 AM
What is the ownership of the file? If it is user:user, you should look into that certain user. Most probably you have compromised scripts on the server...

Posted by mehi60, 08-27-2013, 12:09 AM
I could not find anything in the Apache log. I know the user; the user is running OpenX (open-source ad management). I checked all the issues that may have been reported by them, but everything was clean. If we could monitor /tmp and find who (which script) makes the file, that would be great. Don't we have anything to watch the folder and tell us all activities on it?

Posted by Kailash12, 08-27-2013, 12:52 AM
You can run Maldet or ClamAV to find potentially harmful scripts. If there is any suspicious script, the scan should report it.

Posted by JustinAY, 08-27-2013, 02:22 AM
Most likely, if you scan the user's public_html with maldet (as stated above) you will find the account has multiple malware files on it. Most likely, also, you will find this is an outdated WordPress/Joomla/insert-popular-cms-here install. http://www.rfxn.com/projects/linux-malware-detect/ This is actually fairly common and is, a majority of the time, a product of your users not keeping their installs updated.

Posted by khunj, 08-27-2013, 04:15 AM
Which version is he using? There were several issues with it. You can use inotify to monitor your files. There are several scripts implementing it. It is also available for several scripting languages (Perl, etc.). But since you know who the user is, monitoring should not be needed. Did you check for suspicious scripts in the openx/www/images/ and openx/var/cache folders?
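The two suggestions above (whmxtra: grep the Apache access logs; khunj: watch the directory with inotify) combine into one tool that answers the original question: note the moment a new .php file appears in /tmp and list the requests the access log records in the same couple of seconds, which points at the script that was executing. The Python below is an added example, not code from the thread or from OpenX; it polls the directory with os.scandir instead of inotify (inotify bindings are not in the standard library) and parses Apache combined-format log lines. The log lines and the file that demo() writes are constructed for the test, and the URL /openx/www/delivery/ajs.php in them is only a plausible OpenX delivery path used as sample data, not a finding about this incident.

```python
"""Correlate new .php files in a directory with Apache access-log requests.

Added example: polls the directory (inotify is not in the standard library)
and, for each new .php file, lists the requests logged within a few seconds
of its mtime. The log lines used by demo() are constructed.
"""
import os
import re
import sys
import tempfile
import time
from datetime import datetime, timedelta, timezone

# Apache "combined" format:
# 203.0.113.5 - - [27/Aug/2013:00:05:17 +0000] "GET /x.php HTTP/1.1" 200 512 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
MARKERS = ("<iframe", "<script", "eval(", "base64_decode(")


def parse_access_log(lines):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return entries


def snapshot(directory):
    """Map each .php file in `directory` to its mtime (epoch seconds)."""
    return {e.name: e.stat().st_mtime for e in os.scandir(directory)
            if e.is_file() and e.name.lower().endswith(".php")}


def looks_malicious(content):
    """Return the suspicious markers present in `content` (case-insensitive)."""
    lowered = content.lower()
    return [m for m in MARKERS if m in lowered]


def requests_near(entries, when, window=2):
    """Requests logged within `window` seconds of the aware datetime `when`."""
    lo, hi = when - timedelta(seconds=window), when + timedelta(seconds=window)
    return [e for e in entries if lo <= e["time"] <= hi]


def correlate(directory, before, entries, window=2):
    """Diff a fresh snapshot against `before`; for each new .php file report
    its markers and the requests that were in flight when it appeared."""
    after = snapshot(directory)
    report = {}
    for name in sorted(set(after) - set(before)):
        created = datetime.fromtimestamp(after[name], timezone.utc)
        with open(os.path.join(directory, name), errors="replace") as f:
            content = f.read()
        report[name] = {
            "created": created,
            "markers": looks_malicious(content),
            "requests": [(e["ip"], e["path"])
                         for e in requests_near(entries, created, window)],
        }
    return report


def watch(directory, access_log, interval=1.0):
    """Poll forever, printing one line for every new .php file that appears."""
    before = snapshot(directory)
    while True:
        time.sleep(interval)
        with open(access_log, errors="replace") as f:
            entries = parse_access_log(f)
        for name, info in correlate(directory, before, entries).items():
            print(f"{info['created']:%Y-%m-%d %H:%M:%S} {name} "
                  f"markers={info['markers']} requests={info['requests']}")
        before = snapshot(directory)


def demo():
    """Constructed run: write a .php file into a temp dir and correlate it with
    three constructed log lines, only one of which falls inside the window."""
    with tempfile.TemporaryDirectory() as tmp:
        before = snapshot(tmp)
        path = os.path.join(tmp, "crakmedia_cache.php")
        with open(path, "w") as f:
            f.write("<?php echo '<iframe src=\"http://ads.example.invalid/\"></iframe>'; ?>")
        created = datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
        stamp = lambda dt: dt.strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines = [
            f'198.51.100.7 - - [{stamp(created - timedelta(seconds=90))}] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
            f'203.0.113.5 - - [{stamp(created)}] "GET /openx/www/delivery/ajs.php?zoneid=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
            f'203.0.113.9 - - [{stamp(created + timedelta(seconds=45))}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.30"',
        ]
        return correlate(tmp, before, parse_access_log(lines))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        watch(sys.argv[1], sys.argv[2])
    else:
        print(demo())
```

Run it as `python3 tmpwatch.py /tmp /usr/local/apache/domlogs/<domain>` (on cPanel the per-domain access logs live under /usr/local/apache/domlogs) against the log of each site owned by the user that `ls -l` shows, and leave it running until the file reappears. If the file keeps coming back with no request in the window, the writer is not a web request at all: look for a detached process belonging to that user (for example a long-running PHP or Perl script started earlier) with `ps -u <user> -f`.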

Posted by buysell-browse, 08-27-2013, 05:22 AM
Sounds like a cache file for ads.crakmedia.com [76.74.193.188].

Posted by GouroB, 08-27-2013, 07:05 AM
Ah great, thanks, it helped a mate of mine too.
