Suspicious files in /var/tmp
Hello,
I have noticed time and again that, somehow, a file or several files exist in the /var/tmp folder that are owned by normal cPanel users without any escalated privileges. The files are then run from a cron job in the user's account. See attachment.
The result is:
1. High CPU and RAM usage for the user or high number of processes.
2. User running several processes of sendmail and postfix. This is normally visible via the top command in the terminal.
3. Users' tasks run for a very long time and have to be killed from WHM.
All these users ever found always run WordPress installations in their cPanel accounts, and the WordPress installations are always compromised.
On each cPanel server, I run /scripts/securetmp during setup. I also disable some PHP functions, e.g. exec(). But these are scripts run using Perl, anyway.
I know this indicates a compromise in the account but am puzzled on the following issues:
1. How is the user able to create or upload a file in /var/tmp which is owned by root? How can I prevent this from happening?
2. Are there perl functions that are harmful and need to be disabled as well, just as we do for PHP?
3. Is there a way to restrict or disable sending mail via Perl scripts and sendmail()? Is it advisable to disable these?
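The pattern described in the post (a user crontab entry that executes something dropped in /var/tmp, alongside non-root-owned files in that directory) can be checked for from the shell. The following audit script is an added example, not from the thread or from cPanel, and assumes the per-user crontab layout under /var/spool/cron/<user>; the sample crontab is constructed.

```bash
#!/bin/bash
# Added example, not from the thread. Flags cron entries that execute something
# out of a world-writable scratch directory, the pattern the original post describes.
SCRATCH_DIRS='/var/tmp|/tmp|/dev/shm'

# Print the cron lines in file $1 whose command references a scratch directory.
# Comment lines are skipped; assignments such as PATH=/var/tmp/bin are still flagged.
flag_scratch_cron() {
    grep -Ev '^[[:space:]]*#' "$1" \
      | grep -E "(^|[[:space:]=])($SCRATCH_DIRS)(/|[[:space:]]|$)" || true
}

# Number of flagged entries in file $1, as a bare integer.
count_scratch_cron() {
    flag_scratch_cron "$1" | wc -l | tr -d ' '
}

# Live audit (assumed layout: per-user crontabs in /var/spool/cron/<user>):
# report accounts with flagged entries, then list non-root-owned files in /var/tmp.
audit_server() {
    for ct in /var/spool/cron/*; do
        [ -f "$ct" ] || continue
        n=$(count_scratch_cron "$ct")
        if [ "$n" -gt 0 ]; then
            printf '%s: %s cron entries run from scratch dirs\n' "$(basename "$ct")" "$n"
            flag_scratch_cron "$ct" | sed 's/^/    /'
        fi
    done
    find /var/tmp -xdev -type f ! -user root -printf '%u %M %p\n' 2>/dev/null
}

# Constructed sample crontab (not a real capture) so the script runs offline.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
MAILTO=""
# legitimate: WordPress scheduler and a nightly backup
*/5 * * * * /usr/local/bin/php /home/alice/public_html/wp-cron.php >/dev/null 2>&1
0 2 * * * /usr/bin/tar czf /home/alice/backup.tgz /home/alice/public_html
# the pattern from the post: interpreters pointed at files dropped in scratch dirs
*/3 * * * * perl /var/tmp/.cache/update.pl >/dev/null 2>&1
@reboot cd /tmp/.x && /bin/sh run.sh
EOF

if [ "${1:-}" = "--live" ]; then
    audit_server
else
    flag_scratch_cron "$SAMPLE"
fi
```

Run it with no arguments to see the two constructed entries flagged; on a cPanel server, run it as root with --live to audit every account's crontab and /var/tmp.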
/var/tmp is owned by root, but it is chmod 777, which gives all users full access, as it needs to be. You cannot disable these Perl functions in any useful way, and yes, it would break many other things; much of cPanel is written using Perl. You can stop regular users from directly sending mail, which is what most of these types of malware do. They bypass exim and connect out directly to destinations. If you have CSF installed, the option is SMTP_BLOCK, and further refinements are in the subsequent settings. If you do not have CSF installed, cPanel has its own method of doing it, which is in Tweak Settings, called "Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)".
Thanks GOT for the reply. I have enabled the option SMTP_BLOCK in CSF, and I have seen this change, along with others, take positive effect on spamming from the servers. In this case, is there any other particular thing that can be done to prevent upload of the malicious files to the /var/tmp folder? Or is it something that will always be done, and all I can do is ensure scripts sent there can't spam even when run?
You could use an active malware scanner. Here's a couple of good ones: Imunify360 (home), and cPMalScan - cPanel Malware Scanner | Tijeers.
In this case, is there any other particular thing that can be done to prevent upload of the malicious files on the /var/tmp folder? Or is it something that will always be done and all I can do is ensure scripts sent there cant spam even when run?
I'd second @GOT's suggestion for a malware scanner such as Imunify; you can also configure ClamAV, which comes with cPanel, to scan (see Configure ClamAV Scanner - Version 80 Documentation - cPanel Documentation).