Malware tmp folder
I get this from maldet about once a month. Does anyone know what this is? If it is dangerous, how do I prevent it?
I have the latest cPanel (no 3rd-party software) and the latest kernel, so the system is up to date.
FILE HIT LIST:
{HEX}php.malware.fopo.538 : /tmp/systemd-private-11cbc4cb89194d10b68f70c00007011e-ea-php56-php-fpm.service-St7D8B/tmp/phpYRhpBm => /usr/local/maldetect/quarantine/phpYRhpBm.706132374
Hi, check which user has uploaded this file. The user's data may be infected, causing this to occur.
# ls -l /tmp/systemd-private-11cbc4cb89194d10b68f70c00007011e-ea-php56-php-fpm.service-St7D8B/tmp/phpYRhpBm
OR check the maldet session logs to see when it was quarantined and what process recalled it.
Hello, let us know if the previous post helps. Note that Maldet is a third-party application, so you may want to reach out to a system administrator for additional assistance if you don't receive additional user feedback on this thread: System Administration Services | cPanel Forums. Thank you.
Hello, thank you for the answer. The session log shows only what is in the report; I checked it with "maldet -l". That folder doesn't exist because I have quarantine enabled, so the message is: No such file or directory. Any other suggestions?
That folder doesn't exist because I have quarantine enabled
Hello, does the file exist in the /usr/local/maldetect/quarantine directory? If so, you could view the file to verify its contents and see if it's legitimate. Note, if it's detecting "/usr/lib/systemd/system/ea-php56-php-fpm.service", here's how the contents of that file should look:
# cat /usr/lib/systemd/system/ea-php56-php-fpm.service
[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target network-online.target
[Service]
Type=notify
PIDFile=/opt/cpanel/ea-php56/root/usr/var/run/php-fpm/php-fpm.pid
EnvironmentFile=/opt/cpanel/ea-php56/root/etc/sysconfig/php-fpm
ExecStart=/opt/cpanel/ea-php56/root/usr/sbin/php-fpm --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Thank you.
Actually no, in quarantine there are no files/folders like that. I will check directly in quarantine next time (because it happens a couple of times a month) and update this thread.
Hello. The content of one of them is:
8D9AAC4D8E44392996B8CDF782); die();?>
The second:
# owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)
CPANELACCOUNT:CPANELACCOUNT:600:71:0e95b1762b4f353bec9209d75350:1523196703:1523196508:1523196508:/tmp/systemd-private-21c4a2923244dbbd6c0543722c8f4-ea-php56-php-fpm.service-SBugLp/tmp/phpZRL1RW
maldet:maldet(20913): {scan} scan completed on /home/CPANELACCOUNT: files 3076, malware hits 0, cleaned hits 0, time 44s
cat /usr/lib/systemd/system/ea-php56-php-fpm.service
[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target network-online.target securetmp.service
[Service]
Type=notify
PIDFile=/opt/cpanel/ea-php56/root/usr/var/run/php-fpm/php-fpm.pid
EnvironmentFile=/opt/cpanel/ea-php56/root/etc/sysconfig/php-fpm
ExecStart=/opt/cpanel/ea-php56/root/usr/sbin/php-fpm --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
PrivateTmp=true
LimitNOFILE=infinity
[Install]
WantedBy=multi-user.target
Hello, the contents of the /usr/lib/systemd/system/ea-php56-php-fpm.service file that you provided match what I see on a test system. However, I believe you are referring to the contents of the PHP file in the /tmp directory. I don't see any obvious signs of malicious intent based on the information you provided, but you may want to reach out to a system administrator for additional assistance if you want a more in-depth investigation: System Administration Services | cPanel Forums. Thank you.
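Added example, not from this thread or from maldet's own code: a POSIX shell triage helper for the quarantine metadata line quoted above. It assumes each quarantined file in /usr/local/maldetect/quarantine has a companion .info file in that format (an assumption, not confirmed by the thread), recovers which systemd unit owned the PrivateTmp directory the hit was found in, and flags names of the form php plus six random characters, which is how PHP names its upload and temp files, so a hit like this points at what the cPanel account's site wrote through that php-fpm pool rather than at the unit file itself.

```shell
#!/bin/sh
# Added triage helper, not maldet's own code. Assumption: each quarantined
# file in /usr/local/maldetect/quarantine has a "<name>.info" companion whose
# data line uses the format quoted in the thread:
#   owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)

# Constructed sample line (layout from the thread, values made up).
SAMPLE_INFO='CPANELACCOUNT:CPANELACCOUNT:600:71:0e95b1762b4f353bec9209d75350:1523196703:1523196508:1523196508:/tmp/systemd-private-21c4a2923244dbbd6c0543722c8f4-ea-php56-php-fpm.service-SBugLp/tmp/phpZRL1RW'

# With PrivateTmp=true, systemd backs a service's private /tmp with
# /tmp/systemd-private-<boot-id>-<unit>-<random>/tmp on the host, so the unit
# name can be recovered from the path. Prints "-" for an ordinary /tmp path.
unit_from_private_tmp() {
  case $1 in
    /tmp/systemd-private-*)
      printf '%s\n' "$1" | sed -E 's#^/tmp/systemd-private-[0-9a-f]+-([^/]+)-[^/-]+/.*$#\1#' ;;
    *) echo '-' ;;
  esac
}

# describe_hit INFO_LINE: one summary line (owner, unit whose private /tmp held
# the file, whether the name looks like a PHP temp file, size, mtime epoch).
describe_hit() {
  owner=$(printf '%s\n' "$1" | cut -d: -f1)
  size=$(printf '%s\n' "$1" | cut -d: -f4)
  mtime=$(printf '%s\n' "$1" | cut -d: -f7)
  path=$(printf '%s\n' "$1" | cut -d: -f9-)
  unit=$(unit_from_private_tmp "$path")
  # PHP names upload/temp files "php" + six random characters (phpYRhpBm), so
  # such a name inside the php-fpm private /tmp was written by that FPM pool,
  # i.e. by the account's web content, not by the systemd unit file itself.
  case ${path##*/} in
    php??????) phptmp=yes ;;
    *)         phptmp=no ;;
  esac
  printf 'owner=%s unit=%s php_tmpfile=%s size=%s mtime=%s\n' \
    "$owner" "$unit" "$phptmp" "$size" "$mtime"
}

# triage_quarantine DIR: summarise every *.info file in a quarantine directory.
triage_quarantine() {
  for info in "$1"/*.info; do
    [ -f "$info" ] || continue
    grep -v '^#' "$info" | while IFS= read -r line; do
      if [ -n "$line" ]; then describe_hit "$line"; fi
    done
  done
}

describe_hit "$SAMPLE_INFO"
```

The mtime epoch and owner are what you would correlate against the account's access logs for that minute to find the request that created the file.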