Is my Server Compromised? - Bash Script loaded through PHP in TMP

crspyjohn

Verified User
Joined
May 5, 2006
Messages
43
I thought I secured TMP when I set up the server, but I guess I forgot. Last night I received a notice from LFD about a suspicious file.

lfd[949]: *Suspicious File* /tmp/php5aIKvW [auser1:auser1 (507:508)] - Script, starts with #!

The site is running Glype Proxy, with suphp. When I checked the TMP folder the file was gone (assumed it was auto-cleared and the notice was 2-3 days ago). I deleted the entire tmp folder contents, deleted the site and reuploaded all the files, ran chkrootkit + rkhunter and everything appears alright.

What else should I do to check if my server has been compromised?
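The two things this post turns on are the kind of check behind LFD's "Suspicious File ... starts with #!" notice and whether /tmp was actually hardened (mounted noexec) as the poster intended. The script below is an added example, not the poster's code and not code from LFD/CSF or Glype: it scans a directory for files that begin with a shebang or an ELF header, and checks a mount-options string for noexec. The sample file names in the test and the `TMPSCAN_DIR` environment variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, LFD or Glype). Two defender-side checks:
#  1. list files in a temp directory that look like scripts ("#!") or
#     compiled binaries (ELF magic), the same class of file LFD flagged;
#  2. confirm a mount carries the noexec option, which stops a dropped
#     script or binary in /tmp from being executed directly.

# first_bytes_hex FILE: hex of the first 4 bytes of FILE,
# e.g. "2321..." for "#!", "7f454c46" for an ELF binary.
first_bytes_hex() {
    head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# is_suspicious FILE: succeed if FILE starts with a shebang or ELF header.
is_suspicious() {
    case "$(first_bytes_hex "$1")" in
        2321*)     return 0 ;;   # "#!" shebang: a script written into tmp
        7f454c46*) return 0 ;;   # ELF magic: a compiled binary in tmp
        *)         return 1 ;;
    esac
}

# scan_tmp DIR: print the path of every suspicious regular file under DIR.
scan_tmp() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if is_suspicious "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# count_suspicious DIR: number of suspicious files under DIR (stdout).
count_suspicious() {
    scan_tmp "$1" | wc -l | tr -d ' '
}

# has_noexec OPTS: OPTS is a mount-options string as found in /proc/mounts
# (e.g. "rw,nosuid,nodev,noexec,relatime"); succeed if noexec is present.
has_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# mount_opts DIR: mount options for DIR from /proc/mounts, or empty output
# if DIR is not its own mount point (then it inherits the parent's options,
# which for / almost never include noexec).
mount_opts() {
    [ -r /proc/mounts ] || return 0
    awk -v d="$1" '$2 == d { print $4 }' /proc/mounts
}

# report DIR: human-readable summary of both checks.
report() {
    dir="$1"
    opts=$(mount_opts "$dir")
    if [ -z "$opts" ]; then
        printf '%s: not a separate mount, so noexec does not apply\n' "$dir"
    elif has_noexec "$opts"; then
        printf '%s: mounted noexec (%s)\n' "$dir" "$opts"
    else
        printf '%s: NOT mounted noexec (%s)\n' "$dir" "$opts"
    fi
    printf 'suspicious files under %s: %s\n' "$dir" "$(count_suspicious "$dir")"
    scan_tmp "$dir"
}

# Stand-alone use (assumed env var): TMPSCAN_DIR=/tmp sh scan_tmp.sh
if [ -n "${TMPSCAN_DIR:-}" ]; then
    report "$TMPSCAN_DIR"
fi
```

Running `report` against /tmp on a box where PHP (or suphp) writes uploads and session files there gives a quick answer to "is there still anything executable in there", and the noexec check tells you whether the mount hardening the poster assumed was in place actually is. A file that is already gone, as in the thread, will not show up, so this complements rather than replaces the LFD email itself.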
 
You could try rootkit hunter (like you did) and maldetect (look in How-to forum for a tutorial)... But it really depends on what the shell script did/does.

Tried both and server appears to be fine. Wish I caught the email sooner, my php script clears tmp every 6 hours so I wasn't able to see what was inside it. Guess I'll just do a server reformat this weekend =/
 
Maybe not for this problem, but it could always be the case that the server is also infected with malware somewhere.
It's a wise thing to install maldet in any case.
 