infected files detected in /tmp - how to find actual file name and path
Today, I got a malware detection alert as under:
FILE HIT LIST:
{HEX}php.malware.fopo.538 : /tmp/20171106-153532-WgAz6@gWpWvvRn0QlYP2pwAAAGA-file-Rt8qKW
{HEX}php.malware.fopo.538 : /var/tmp/20171106-153532-WgAz6@gWpWvvRn0QlYP2pwAAAGA-file-Rt8qKW
My query is:
1) How to find from which website or path URL it is uploaded or trying to upload?
Hi,
Go through the maldet session files to check for this report:
/tmp/20171106-153532-WgAz6@gWpWvvRn0QlYP2pwAAAGA-file-Rt8qKW
If nothing is found, then you can restore this particular session and then when it goes back to the original place, you can check the ownership of this file to get to know what user actually uploaded it.
1) How to find the actual file name after restore?
2) It is an infected file, hence it is not recommended to restore it. Any other way?
Hello,
You may find the following thread helpful: Log Checking
Thank you.
It is more about configuring maldet / clamav with modsec (I am facing a challenge in that also, but I will raise a separate topic for that).
Still, I am unable to find an answer to my query: How to find from which website or path URL it is uploaded or trying to upload?
Hello,
This is generally a task you should seek out help from a system administrator for if the log checking thread is unhelpful. We provide a list of system admin services at: System Administration Services | cPanel Forums
Thank you.
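An added example, not part of the original thread: the reported file names have the shape ModSecurity 2.x gives to intercepted upload temp files (date, time, transaction ID, `-file-`, random suffix), so the transaction ID can be looked up in the ModSecurity audit log to recover the Host and request URL. It assumes that naming and a serial-format audit log; the function names and the sample log are constructed for illustration.

```python
import re

# Assumed ModSecurity 2.x upload name: <YYYYMMDD>-<HHMMSS>-<txid>-file-<random>
UPLOAD_RE = re.compile(r"\d{8}-\d{6}-(?P<txid>[A-Za-z0-9@_-]+)-file-[A-Za-z0-9]{6}$")
# Serial audit-log section marker, e.g. --e5f6a7b8-A--
SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Constructed sample audit log (documentation IPs and hostnames), not real data
SAMPLE_AUDIT = """\
--a1b2c3d4-A--
[06/Nov/2017:15:35:30 +0000] WgAz4@gWpWvvRn0QlYP2pgAAAFk 198.51.100.9 40112 192.0.2.10 80
--a1b2c3d4-B--
GET /index.php HTTP/1.1
Host: site-a.example
--a1b2c3d4-Z--
--e5f6a7b8-A--
[06/Nov/2017:15:35:32 +0000] WgAz6@gWpWvvRn0QlYP2pwAAAGA 203.0.113.7 51234 192.0.2.10 80
--e5f6a7b8-B--
POST /upload.php HTTP/1.1
Host: site-b.example
--e5f6a7b8-Z--
"""

def txid_from_upload(path):
    m = UPLOAD_RE.search(path)
    return m.group("txid") if m else None

def find_request(audit_lines, txid):
    """Return client IP, request line and Host for one transaction, or None."""
    section, first, hit, info = None, False, False, {}
    for raw in audit_lines:
        line = raw.rstrip("\r\n")
        m = SECTION_RE.match(line)
        if m:
            section, first = m.group(2), True
            if section == "Z" and hit:   # end of the matching transaction
                return info
            continue
        if section == "A" and first:     # header: [time tz] txid client-ip ...
            fields = line.split()
            hit = len(fields) >= 4 and fields[2] == txid
            info = {"client": fields[3]} if hit else {}
        elif section == "B" and hit:     # request line, then request headers
            if first:
                info["request"] = line
            elif line.lower().startswith("host:"):
                info["host"] = line.split(":", 1)[1].strip()
        first = False
    return info or None
```

On a real server, `audit_lines` would be the open audit log file at the path set by `SecAuditLog`, and the Host value identifies the virtual host the upload was sent to.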