unable to locate the source of suspicious file
Posted by xeonfan, 05-29-2010, 05:44 PM |
Got a CSF alert.
Suspended the user.
Scanned the user using ClamAV (no more infection).
Grepped the following logs, but got no reference:
cPanel access log
FTP logs
/apache/domlogs/
/var/log/messages
/usr/local/cpanel/logs/access_log
The server is running Apache 2.x with a strict ruleset from gotroot, CSF, and was secured by some management company.
Can some security expert help with what exact log I should be looking at?
The site contains WordPress and multiple Joomla installations, but if the file was uploaded/injected, there should be a log to see.
Any help greatly appreciated.
|
Posted by MikeDVB, 05-29-2010, 05:46 PM |
There are all kinds of ways for files to get into /tmp, from PHP scripts to POSTs to the server, but I wouldn't worry about it as long as you have it mounted with noexec.
|
Posted by xeonfan, 05-29-2010, 06:02 PM |
Thanks for the reply.
/tmp is already noexec;
I was just worried why I am not able to find the method using any logs.
|
Posted by khunj, 05-30-2010, 12:57 AM |
In most cases it is because it was uploaded through a POST request. HTTP logs don't display POST payload.
All you may find is a "POST /vulnerable_script.php HTTP/1.1"
|
Posted by madaboutlinux, 05-30-2010, 03:50 AM |
Yes, if such scripts are uploaded using a POST request, you mostly won't see them in the logs. BTW, having /tmp mounted as exec doesn't mean such scripts cannot be executed under /tmp. There is still a way to execute scripts under /tmp even if it is mounted with noexec,nosuid.
What CSF is doing here is a good move: as soon as it detects such files, it makes a tar of them and moves it under the /etc/csf/ directory.
|
Posted by sharmaine1111, 05-30-2010, 09:27 AM |
I got the same warning from CSF, and though CSF moved it to a tar file, the suspicious files are still in /tmp directory. Shouldn't CSF delete these files?
|
Posted by MaB, 05-30-2010, 08:21 PM |
Check the time stamp of the file (stat /tmp/bds) and then use that to search through the logs. If it was created before the logs were rotated, then you won't see information in the logs.
/var/log/messages will generally be rotated every Sunday.
/usr/local/cpanel/logs/access_log is for the server-wide access logs, i.e. accesses to virtual hosts that don't exist. You want to check in /usr/local/cpanel/domlogs/$username/, but those are also rotated daily by cPanel depending on your settings, so they may be rotated out. Try checking the suexec logs and suphp logs (check /var/log/httpd and /usr/local/apache/logs and the archive folder).
Last edited by bear; 05-30-2010 at 08:28 PM.
|
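The timestamp-driven search MaB describes, as an added example that is not part of the thread: take the file's mtime with stat, then pull only POST requests (the upload path that leaves no body in the log, as khunj noted) from Apache combined-format domlogs, plain or gzipped rotated copies, within a window around that time. The log lines, the mtime value and the script path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): take the mtime of a suspicious file,
# then pull POST requests from Apache combined-format logs (plain or .gz
# rotated) within a window around that time. Paths below are assumptions.
set -eu

# Epoch seconds of a file's last modification; GNU stat, BSD stat fallback.
mtime_epoch() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# posts_near EPOCH WINDOW LOGFILE...  prints POST lines whose request time
# lies within +/-WINDOW seconds of EPOCH. POST bodies are never logged, so
# the request line and its timing are the only trace an upload leaves.
posts_near() {
    epoch=$1; window=$2; shift 2
    for f in "$@"; do
        case "$f" in *.gz) gzip -dc "$f" ;; *) cat "$f" ;; esac
    done | awk -v t="$epoch" -v w="$window" '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i }
    # days since 1970-01-01 for a Gregorian date
    function days(y, mo, d,   era, yoe, doy, doe) {
        if (mo <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (mo + (mo > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    $6 == "\"POST" {
        # $4 = [30/May/2010:17:41:03  $5 = +0000]
        split(substr($4, 2), p, "[/:]")
        tz = substr($5, 1, 5); sign = (substr(tz, 1, 1) == "-") ? -1 : 1
        off = sign * (substr(tz, 2, 2) * 3600 + substr(tz, 4, 2) * 60)
        e = days(p[3], mon[p[2]], p[1]) * 86400 + p[4] * 3600 + p[5] * 60 + p[6] - off
        if (e >= t - w && e <= t + w) print
    }'
}

# Constructed sample log (combined format), standing in for a domlog.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [30/May/2010:17:40:12 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla"
203.0.113.5 - - [30/May/2010:17:41:03 +0000] "POST /vulnerable_script.php HTTP/1.1" 200 17 "-" "Mozilla"
198.51.100.7 - - [30/May/2010:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla"
EOF

# Suppose stat /tmp/bds gave mtime 1275241300 (2010-05-30 17:41:40 UTC); look 10 min around it.
posts_near 1275241300 600 "$SAMPLE_LOG"
```

On a real box, replace the literal epoch with `$(mtime_epoch /tmp/bds)` and pass the domlog plus its rotated `.gz` copies so a log rotated since the upload is still searched.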
Posted by The3bl, 05-30-2010, 10:13 PM |
Check the Joomla installs; anything lower than 1.5.18 is vulnerable.
We have seen quite a few attacks against Joomla installs lately.
Have seen that exact file show up in /tmp a few times.
http://developer.joomla.org/security...-back-end.html
|
Posted by server prodigy, 05-31-2010, 02:59 AM |
Try: grep -i bds /usr/local/apache/domlogs/*
Also check for /tmp/backs.
It's a backdoor / rootkit normally uploaded via insecure PHP. It's more than likely not your user's "fault", other than possibly running an insecure app or permissions on his/her account.
Clean the file out, check the permissions and vulnerability of the user's setup, and educate them / bill them for your time to fix the problem.
|