

unable to locate the source of suspicious file




Posted by xeonfan, 05-29-2010, 05:44 PM
Got a CSF alert. Suspended the user, scanned the user using ClamAV (no more infection), grepped the following logs, but got no reference: cPanel access log, FTP logs, /apache/domlogs/, /var/log/messages, /usr/local/cpanel/logs/access_log. Server is running Apache 2.x with the strict ruleset from gotroot, CSF, secured by some management company. Can some security expert help with what exact log I should be looking at? The site contains WordPress and multiple Joomla installations, but if the file was uploaded/injected, there should be a log to see. Any help greatly appreciated.

Posted by MikeDVB, 05-29-2010, 05:46 PM
There are all kinds of ways for files to get into /tmp, from PHP scripts to POSTs to the server, but I wouldn't worry about it as long as you have it mounted with noexec.

Posted by xeonfan, 05-29-2010, 06:02 PM
Thanks for the reply. /tmp is already noexec; I was just worried why I am not able to find the method using any logs.

Posted by khunj, 05-30-2010, 12:57 AM
In most cases it is because it was uploaded through a POST request. HTTP logs don't display the POST payload. All you may find is a "POST /vulnerable_script.php HTTP/1.1".

Posted by madaboutlinux, 05-30-2010, 03:50 AM
Yes, if such scripts are uploaded using a POST request, you mostly won't see them in the logs. BTW, having /tmp mounted as exec doesn't mean such scripts cannot be executed under /tmp. There is still a way to execute scripts under /tmp even if it is mounted with noexec,nosuid. What CSF is doing here is a good move: as soon as it detects such files, it makes a tar of them and moves it under the /etc/csf/ directory.

Posted by sharmaine1111, 05-30-2010, 09:27 AM
I got the same warning from CSF, and though CSF moved it to a tar file, the suspicious files are still in /tmp directory. Shouldn't CSF delete these files?

Posted by MaB, 05-30-2010, 08:21 PM
Check the timestamp of the file (stat /tmp/bds) and then use that to search through the logs. If it was created before the logs were rotated, then you won't see information in the logs. /var/log/messages will generally be rotated every Sunday. /usr/local/cpanel/logs/access_log is for the server-wide access logs, i.e. accesses to virtual hosts that don't exist; you want to check in /usr/local/cpanel/domlogs/$username/, but those are also rotated daily by cPanel depending on your settings, so they may be rotated out. Try checking the suexec logs and suPHP logs (check /var/log/httpd and /usr/local/apache/logs and the archive folder). Last edited by bear; 05-30-2010 at 08:28 PM.

Posted by The3bl, 05-30-2010, 10:13 PM
Check the Joomla installs: anything lower than 1.5.18 is vulnerable. We have seen quite a few attacks against Joomla installs lately. Have seen that exact file show up in /tmp a few times. http://developer.joomla.org/security...-back-end.html

Posted by server prodigy, 05-31-2010, 02:59 AM
Try: grep -i bds /usr/local/apache/domlogs/* and also check for /tmp/backs. It's a backdoor / rootkit normally uploaded via insecure PHP. It's more than likely not your user's "fault", other than possibly running an insecure app or permissions on his/her account. Clean the file out, check the permissions and vulnerability of the user's setup, and educate them / bill them for your time to fix the problem.
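Putting MaB's timestamp approach together with khunj's point that only the POST request line (never its payload) reaches the access log, here is an added example, not from any poster in this thread, that takes the file's modification time and lists the domlog requests made within a few minutes of it, POSTs first. The log lines and the mtime are constructed for illustration (the real value would come from stat on the file), and the timestamp parsing assumes an English locale for month names.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample domlog lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [29/May/2010:17:10:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [29/May/2010:17:31:45 +0000] "POST /components/com_example/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [29/May/2010:17:32:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [30/May/2010:02:15:00 +0000] "POST /index.php HTTP/1.1" 200 1024 "-" "curl/7.19"
"""

# client ip, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # assumes an English (C) locale for %b

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, TS_FMT),
            "method": method, "path": path, "status": int(status)}

def file_mtime_iso(path):
    """ISO-8601 UTC mtime of a file, i.e. what 'stat' shows as Modify."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc).isoformat()

def requests_near(log_text, mtime_iso, window_minutes=5):
    """Requests within +/- window_minutes of the file's mtime, POSTs listed first.

    A POST in the window is the usual candidate: the uploaded body is never
    logged, so the request line and its timestamp are all there is to go on.
    """
    mtime = datetime.fromisoformat(mtime_iso)
    lo, hi = mtime - timedelta(minutes=window_minutes), mtime + timedelta(minutes=window_minutes)
    hits = [r for r in map(parse_line, log_text.splitlines()) if r and lo <= r["time"] <= hi]
    return sorted(hits, key=lambda r: (r["method"] != "POST", r["time"]))

if __name__ == "__main__":
    # Constructed mtime standing in for: file_mtime_iso("/tmp/bds")
    for r in requests_near(SAMPLE_LOG, "2010-05-29T17:32:30+00:00"):
        print(r["time"].isoformat(), r["method"], r["path"], r["ip"], r["status"])
```

Run it against the real domlog (and the rotated copies in the archive folder, since the window may predate the current file) by passing the file contents and file_mtime_iso("/tmp/bds").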


