User executing file in /tmp

Nathum

• September 27, 2017 20:25

Hi All, Since a websites been hacked I have had nothing but problems trying to stop processes and scripts from executing. First scripts have been running in the public_html /xxx/yyy directory. So I deleted the yyy directory, later to find that the scripts still running in a directory I deleted. I had killed all processes and restarted apache, but the script remained. I SSH to the users folder and even though file manager said the folder did not exist, SSH show the folder being there. Deleting the folder via SSH did the job. Now I have another issue, the same user is now executing a script in /tmp/ I'm not sure how the script is called, and if it's something to be worried about. However attached a couple of screenshots, and would it be safe to rm all files and folders in /tmp? Thanks ]http://upload.clanhost.com.au/files/1506561815.png
]http://upload.clanhost.com.au/files/1506561861.png

• 

  24x7server

  • September 28, 2017 07:18

  Hi, Do not remove all the files. There is a MySQL sock file too and it will affect MySQL. You can remove all other files.

  0
• 

  cPanelMichael

  • September 28, 2017 14:53

  Hello, Can you verify the version of cPanel installed on this system? Also, are you using any third-party applications such as LiteSpeed or PHP Selector (CloudLinux)? Thank you.

  0
• 

  Nathum

  • September 29, 2017 01:02

  Hi Michael, CENTOS 7.4 xen enterprise hvm No other third-party applications.

  0
• 

  cPanelMichael

  • October 04, 2017 19:10

  Hello, Could you open a support ticket using the link in my signature so we can take a closer look? Thank you.

  0

Please sign in to leave a comment.