Files In /tmp with names like undo.#prelink#.1i4VZ5

celiac101

December 30, 2014 15:53

Recently I noticed some strange files appearing and disappearing in /tmp. They typically look like this: user user 467K Nov 18 01:26 undo.#prelink#.1iytZ5 and are owned by the main user of the sites I run on the server. After much searching and reading, this thread seems to sum it up best, but offers no final conclusion: [url=http://www.webhostingtalk.com/showthread.php?t=1426035]Strange /tmp/undo.#prelink#.XXXXXXXX files in /tmp - Hosting Security and Technology - Web Hosting Talk It appears they are associated with: "dovecot is doing a prelink command on cPanel machines". I do use Dovecot and cPanel, so perhaps these are nothing to worry about, however, last night my server crashed for the first time in years, and in /tmp there where dozens of these type of files, which I deleted. The do come back after deletion, and have different names.

Comments

3 comments

cPanelMichael

January 05, 2015 20:31
]however, last night my server crashed for the first time in years, and in /tmp there where dozens of these type of files, which I deleted.

Hello :) Could you review /var/log/messages and /var/log/dmesg and see if there is any particular output just before your server rebooted? Thank you.
0
celiac101

January 06, 2015 16:30
Sorry it took so long...for the first one /var/log/messages I see this type of output:
Jan 4 03:28:31 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=52 TOS=0x08 PREC=0x40 TTL=112 ID=9486 DF PROTO=TCP SPT=50064 DPT=80 WINDOW=8192 RES=0$ Jan 4 03:28:31 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=52 TOS=0x08 PREC=0x40 TTL=112 ID=9487 DF PROTO=TCP SPT=50065 DPT=80 WINDOW=8192 RES=0$ Jan 4 03:28:31 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=52 TOS=0x08 PREC=0x40 TTL=112 ID=9491 DF PROTO=TCP SPT=50068 DPT=80 WINDOW=8192 RES=0$ Jan 4 03:28:31 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=52 TOS=0x08 PREC=0x40 TTL=112 ID=9483 DF PROTO=TCP SPT=50061 DPT=80 WINDOW=8192 RES=0$ Jan 4 03:28:31 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=52 TOS=0x08 PREC=0x40 TTL=112 ID=9485 DF PROTO=TCP SPT=50063 DPT=80 WINDOW=8192 RES=0$ Jan 4 03:28:34 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=52 TOS=0x08 PREC=0x40 TTL=112 ID=9691 DF PROTO=TCP SPT=50065 DPT=80 WINDOW=8192 RES=0$ Jan 4 03:28:36 scott kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=93.174.93.210 DST=209.188.8.93 LEN=118 TOS=0x00 PREC=0x00 TTL=247 ID=54321 PROTO=UDP SPT=56047 DPT=1900 LEN=98 Jan 4 03:28:42 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=48 TOS=0x08 PREC=0x40 TTL=112 ID=9812 DF PROTO=TCP SPT=50082 DPT=80 WINDOW=8192 RES=0$ Jan 4 03:28:42 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=48 TOS=0x08 PREC=0x40 TTL=112 ID=9813 DF PROTO=TCP SPT=50083 DPT=80 WINDOW=8192 RES=0$ Jan 4 03:28:42 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=48 TOS=0x08 PREC=0x40 TTL=112 ID=9814 DF PROTO=TCP SPT=50084 DPT=80 WINDOW=8192 RES=0$ Jan 4 03:28:42 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=48 TOS=0x08 PREC=0x40 TTL=112 ID=9815 DF PROTO=TCP SPT=50085 DPT=80 WINDOW=8192 RES=0$ Jan 4 03:28:43 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=48 TOS=0x08 PREC=0x40 TTL=112 ID=9860 DF PROTO=TCP SPT=50097 DPT=80 WINDOW=8192 RES=0$ Jan 4 03:28:45 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=77.54.45.119 DST=198.24.145.124 LEN=48 TOS=0x08 PREC=0x40 TTL=112 ID=9928 DF PROTO=TCP SPT=50082 DPT=80 WINDOW=8192 RES=0$ Jan 4 03:29:07 scott kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=93.174.93.218 DST=209.188.8.94 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=49702 DPT=8080 WINDOW=65535 R$ Jan 4 03:30:08 scott lfd[31149]: SYSLOG check [a2ZWR7H1G2CQcRO] Jan 4 03:30:26 scott pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1 Jan 4 03:30:26 scott pure-ftpd: (?@127.0.0.1) [INFO] Logout. Jan 4 03:31:17 scott kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=93.174.93.51 DST=198.24.145.124 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=54321 PROTO=TCP SPT=33258 DPT=2009 WINDOW=65535 $ Jan 4 03:33:07 scott kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=23.95.12.34 DST=198.24.145.126 LEN=40 TOS=0x08 PREC=0x20 TTL=237 ID=58901 PROTO=TCP SPT=43102 DPT=23 WINDOW=1024 RES=$ Jan 4 03:34:25 scott kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=198.245.66.219 DST=198.24.145.122 LEN=432 TOS=0x08 PREC=0x20 TTL=46 ID=0 DF PROTO=UDP SPT=5325 DPT=5060 LEN=412 Jan 4 03:34:25 scott kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=198.245.66.219 DST=198.24.145.123 LEN=431 TOS=0x08 PREC=0x20 TTL=46 ID=0 DF PROTO=UDP SPT=5325 DPT=5060 LEN=411 Jan 4 03:34:25 scott kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=198.245.66.219 DST=198.24.145.124 LEN=431 TOS=0x08 PREC=0x20 TTL=46 ID=0 DF PROTO=UDP SPT=5325 DPT=5060 LEN=411 Jan 4 03:34:25 scott kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=198.245.66.219 DST=198.24.145.125 LEN=431 TOS=0x08 PREC=0x20 TTL=46 ID=0 DF PROTO=UDP SPT=5325 DPT=5060 LEN=411 Jan 4 03:34:25 scott kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=198.245.66.219 DST=198.24.145.126 LEN=425 TOS=0x08 PREC=0x20 TTL=46 ID=0 DF PROTO=UDP SPT=5325 DPT=5060 LEN=405 Jan 4 03:34:29 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=213.205.253.93 DST=198.24.145.124 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=37314 DF PROTO=TCP SPT=58997 DPT=80 WINDOW=14600 RE$ Jan 4 03:34:29 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=213.205.253.93 DST=198.24.145.124 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=55711 DF PROTO=TCP SPT=63129 DPT=80 WINDOW=14600 RE$ Jan 4 03:34:30 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=213.205.253.93 DST=198.24.145.124 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=5093 DF PROTO=TCP SPT=55118 DPT=80 WINDOW=14600 RES$ Jan 4 03:34:30 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=213.205.253.93 DST=198.24.145.124 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=37315 DF PROTO=TCP SPT=58997 DPT=80 WINDOW=14600 RE$ Jan 4 03:34:30 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=213.205.253.93 DST=198.24.145.124 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=55712 DF PROTO=TCP SPT=63129 DPT=80 WINDOW=14600 RE$ Jan 4 03:34:32 scott kernel: Firewall: *Port Flood* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=213.205.253.93 DST=198.24.145.124 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=37316 DF PROTO=TCP SPT=58997 DPT=80 WINDOW=14600 RE$ Jan 4 03:35:08 scott lfd[31149]: SYSLOG check [mYfSJfyQzMWZCk6gc0O7fnIgpa] Jan 4 03:35:09 scott kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=58.83.146.252 DST=209.188.8.92 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=39433 PROTO=TCP SPT=30468 DPT=22 WINDOW=65535 RES$ Jan 4 03:35:13 scott kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=00:25:90:95:83:1b:74:8e:f8:93:10:cc:08:00 SRC=23.95.12.34 DST=198.24.145.124 LEN=40 TOS=0x08 PREC=0x20 TTL=238 ID=55404 PROTO=TCP SPT=43102 DPT=23 WINDOW=1024 RES=$ Jan 4 03:35:28 scott pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1 Jan 4 03:35:28 scott pure-ftpd: (?@127.0.0.1) [INFO] Logout. Jan 4 03:36:22 scott named[31231]: client 207.219.56.130#59839: view external: query (cache) '171.3.10.10.in-addr.arpa/PTR/IN' denied
and for /var/log/dmesg I see:
Initializing cgroup subsys cpuset Initializing cgroup subsys cpu Linux version 2.6.32-504.3.3.el6.x86_64 (mockbuild@cdb8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) ) #1 SMP Wed Dec 17 01:55:02 UTC 2014 Command line: ro root=UUID=4d2fbd0b-1216-42cd-b015fgd977d3434 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet KERNEL supported cpus: Intel GenuineIntel AMD AuthenticAMD Centaur CentaurHauls BIOS-provided physical RAM map: BIOS-e820: 0000000000000000 - 000000000009b400 (usable) BIOS-e820: 000000000009b400 - 00000000000a0000 (reserved) BIOS-e820: 00000000000e0000 - 0000000000100000 (reserved) BIOS-e820: 0000000000100000 - 000000007e413000 (usable) BIOS-e820: 000000007e413000 - 000000007e532000 (ACPI NVS) BIOS-e820: 000000007e532000 - 000000007f1cb000 (reserved) BIOS-e820: 000000007f1cb000 - 000000007f245000 (ACPI data) BIOS-e820: 000000007f245000 - 000000007f334000 (reserved) BIOS-e820: 000000007f334000 - 000000007f335000 (ACPI NVS) BIOS-e820: 000000007f335000 - 000000007f33a000 (reserved) BIOS-e820: 000000007f33a000 - 000000007f342000 (ACPI NVS) BIOS-e820: 000000007f342000 - 000000007f36b000 (reserved) BIOS-e820: 000000007f36b000 - 000000007f800000 (ACPI NVS) BIOS-e820: 0000000080000000 - 0000000090000000 (reserved) BIOS-e820: 00000000fed1c000 - 00000000fed40000 (reserved) BIOS-e820: 00000000ff000000 - 0000000100000000 (reserved) BIOS-e820: 0000000100000000 - 0000001080000000 (usable) DMI 2.7 present. SMBIOS version 2.7 @ 0xF04C0 DMI: Supermicro X9DRW/X9DRW, BIOS 1.0a 04/26/2012 AMI BIOS detected: BIOS may corrupt low RAM, working around it. e820 update range: 0000000000000000 - 0000000000010000 (usable) ==> (reserved) e820 update range: 0000000000000000 - 0000000000001000 (usable) ==> (reserved) e820 remove range: 00000000000a0000 - 0000000000100000 (usable) last_pfn = 0x1080000 max_arch_pfn = 0x400000000 MTRR default type: uncachable MTRR fixed ranges enabled: 00000-9FFFF write-back A0000-BFFFF uncachable C0000-FFFFF write-protect MTRR variable ranges enabled: 0 base 000000000000 mask 3FF000000000 write-back 1 base 001000000000 mask 3FFF80000000 write-back 2 base 000080000000 mask 3FFF80000000 uncachable 3 disabled 4 disabled 5 disabled 6 disabled 7 disabled 8 disabled 9 disabled x86 PAT enabled: cpu 0, old 0x7040600070406, new 0x7010600070106 original variable MTRRs reg 0, base: 0GB, range: 64GB, type WB reg 1, base: 64GB, range: 2GB, type WB reg 2, base: 2GB, range: 2GB, type UC total RAM covered: 65536M Found optimal setting for mtrr clean up
0
cPanelMichael

January 07, 2015 19:05
Was that the most recent output, or the output just before your server rebooted? Has it happened anymore since this time? You may want to consult with your data center if it continues to be an issue, as I don't see anything cPanel-related causing a reboot. Thank you.
0

Please sign in to leave a comment.

Comments

Didn't find what you were looking for?