PHP files of a website inside /tmp?

Arieh

I just updated php after I updated mysql, and I got some notices from CSF/LFD of Suspicious File Alerts. As it turns out, there are many php files of the one website that is running on that box inside /tmp.

/tmp/<a_filename_of_the_website>-20141127-233428.php

is an example; I replaced the real name of the file. The original file is just the real name without those -number-number parts.

There are also directories, named almost the same, with different numbers and without .php, but inside those dirs there are also php files.

The contents seem to be exactly the contents of the original file.

They are chowned as the user:user of that website.

I think this shouldn't be happening; my first guess is some kind of cache, but I don't know.

I also updated CSF; it might be the case that it is only detecting this now, unrelated to the PHP build.

Here are the CB settings I use on that box:

#PHP Settings
php1_release=5.5
php1_mode=mod_php
php2_release=no
php2_mode=php-fpm
opcache=no
htscanner=no
php_ini=no
php_timezone=Europe/Amsterdam
php_ini_type=production
ioncube=no
zend=yes
suhosin=no
x_mail_header=yes

#MySQL Settings
mysql=5.6
mysql_inst=yes
mysql_backup=yes
mysql_backup_dir=/usr/local/directadmin/custombuild/mysql_backups
mysql_force_compile=no

#WEB Server Settings
webserver=nginx_apache
apache_ver=2.4
apache_mpm=auto
mod_ruid2=yes
harden_symlinks_patch=yes
use_hostname_for_alias=auto
redirect_host=main-server
redirect_host_https=no

#WEB Applications Settings
phpmyadmin=yes
phpmyadmin_ver=4
squirrelmail=no
roundcube=yes

#ClamAV-related Settings
clamav=yes
clamav_exim=yes
proftpd_uploadscan=no
pureftpd_uploadscan=no
suhosin_php_uploadscan=no

#Mail Settings
exim=yes
eximconf=yes
spamassassin=yes
dovecot=yes
pigeonhole=no

#FTP Settings
ftpd=pureftpd

#Statistics Settings
awstats=no
webalizer=yes

#CustomBuild Settings
custombuild=2.0
autover=no
bold=yes
clean=yes
cleanapache=yes
clean_old_tarballs=yes
clean_old_webapps=yes
downloadserver=files1.directadmin.com

#Cronjob Settings
cron=yes
cron_frequency=daily
email=<my_email>
notifications=yes
da_autoupdate=no
updates=no
webapps_updates=no

#CloudLinux Settings
cloudlinux=no
cagefs=no

#Advanced Settings
autoconf=yes
automake=yes
libtool=yes
curl=yes
new_pcre=no

webapps_inbox_prefix=no
eximconf_release=2.1
blockcracking=no
easy_spam_fighter=no
modsecurity=no
modsecurity_ruleset=comodo
dovecot_conf=no
 
No, it is not. At this point I don't think it's a hack or anything, since they are just the same files (older versions too) as my own application, and the dates are months apart.
 
OK, I think I may have found the source: I think WinSCP placed these files there. All the files contain 20141127-2334xx, which would stand for 2014/11/27 23:34, at which time I was uploading all those files; I may have aborted them, that I can't recall. For now let's consider this case closed; thanks for reading my topic, smtalk. :)
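An added triage check for the situation described in this thread (my own example, not DirectAdmin's, CSF's or the poster's code): it recovers the original name from each /tmp/<name>-YYYYMMDD-HHMMSS.php, looks that file up under the site's document root and reports whether the /tmp copy is byte-identical to it, which is what an aborted upload would look like. The document root, /tmp location and the fixture files are constructed for the demo.

```shell
#!/bin/sh
# Added triage helper (not from the thread). For every /tmp entry named
# <original>-YYYYMMDD-HHMMSS.php, find the file of that original name under the
# site's document root and report whether the copy is byte-identical to it.
# Paths and fixture files below are constructed for the demo; adjust to the real box.

# triage_tmp_copies TMPDIR DOCROOT
# Prints "identical", "differs" or "no-original" followed by the copy's path.
triage_tmp_copies() {
    tmpdir=$1; docroot=$2
    d='[0-9]'
    for copy in "$tmpdir"/*-$d$d$d$d$d$d$d$d-$d$d$d$d$d$d.php; do
        [ -f "$copy" ] || continue
        base=$(basename "$copy")
        # Drop the shortest "-<digits>-<digits>.php" suffix to recover the original name.
        orig="${base%-*-*.php}.php"
        match=$(find "$docroot" -type f -name "$orig" 2>/dev/null | head -n 1)
        if [ -z "$match" ]; then
            echo "no-original $copy"   # nothing in the site by that name: inspect by hand
        elif cmp -s "$copy" "$match"; then
            echo "identical $copy"     # consistent with an aborted or temporary upload
        else
            echo "differs $copy"       # same name, different bytes: diff it
        fi
    done
    return 0
}

# Constructed fixture standing in for the poster's server, so the demo runs offline.
demo_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/docroot/inc" "$root/tmp"
    printf '<?php echo "site";\n'    > "$root/docroot/index.php"
    printf '<?php echo "helper";\n'  > "$root/docroot/inc/helper.php"
    cp "$root/docroot/index.php" "$root/tmp/index-20141127-233428.php"
    printf '<?php echo "changed";\n' > "$root/tmp/helper-20141127-233501.php"
    printf '<?php\n'                 > "$root/tmp/stray-20141127-233600.php"
    echo "$root"
}

# Build the fixture, run the triage over it and clean up.
demo_triage() {
    root=$(demo_fixture)
    triage_tmp_copies "$root/tmp" "$root/docroot"
    rm -rf "$root"
}

demo_triage
```

On the real box, call triage_tmp_copies with the actual /tmp and document root; the timestamped directories mentioned in the first post are not covered by the glob and can be compared against their originals with diff -rq.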
 