Quote:
Originally Posted by Capt_Caveman
Check the contents of the file system for suspicious files or dirs, especially look in /tmp and the httpd server root.
What is considered to be suspicious?
In the /tmp folder, there are some files that are owned by user apache...
I think those files owned by user apache are suspicious.
What should I do with them? Just delete them?
What should or shouldn't be in the /tmp folder?
[root@www tmp]# ls -l
total 3880
-rwxr--r-- 1 apache apache 33927 Dec 16 02:23 b
-rwxr-xr-x 1 apache apache 103 Dec 15 23:22 conect
-rw------- 1 apache apache 299008 Dec 21 08:07 core.10633
-rw------- 1 apache apache 299008 Dec 20 00:50 core.10984
-rw------- 1 apache apache 299008 Dec 19 07:24 core.13233
-rwxr--r-- 1 apache apache 469240 Dec 19 16:29 d
-rw-r--r-- 1 apache apache 469240 Dec 19 16:29 d.1
-rw-r--r-- 1 apache apache 469240 Dec 19 16:29 d.2
-rw-r--r-- 1 apache apache 469240 Dec 19 16:29 d.3
-rw-r--r-- 1 apache apache 469240 Dec 19 16:29 d.4
-rwxr--r-- 1 apache apache 33927 Dec 19 02:11 g
drwx------ 3 root root 4096 Dec 21 17:04 gconfd-root
-rw-r--r-- 1 apache apache 2309 Dec 21 18:43 listen.log
-rwxr--r-- 1 apache apache 462364 Dec 19 02:06 lordnikon
-rwxr--r-- 1 apache apache 462908 Dec 15 23:06 mass
-rwxr-xr-x 1 apache apache 94 Dec 19 16:47 mirela
-rw-r--r-- 1 apache apache 97 Dec 20 12:56 mirela.1
-rw-r--r-- 1 apache apache 97 Dec 20 12:56 mirela.2
-rw-r--r-- 1 apache apache 97 Dec 20 12:56 mirela.3
-rw-r--r-- 1 apache apache 97 Dec 20 12:56 mirela.4
-rwxr-xr-x 1 apache apache 116 Dec 19 02:07 nikons
drwx------ 2 root root 4096 Dec 21 18:44 orbit-root
-rwxr--r-- 1 apache apache 34913 Dec 19 19:11 w
-rw-r--r-- 1 apache apache 34913 Dec 20 12:33 w.1
I ran rkhunter, and it didn't detect any rootkit.
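
Added example, not part of the original post: a shell function that inventories the files one account owns under a directory, flags owner-executable files and core dumps like those in the listing above, and records a SHA-256 for each so a file can still be identified after it is moved or removed. The function name `triage_tmp` and the output format are assumptions made for this example; the account name `apache` and the directory `/tmp` come from the listing.

```shell
#!/bin/sh
# Added example (not from the original post).
#
# triage_tmp DIR OWNER
#   DIR   - directory to inspect (the post looks at /tmp)
#   OWNER - user name or numeric uid (the listed files belong to "apache")
#
# Prints one line per regular file owned by OWNER:
#   FLAG<TAB>SHA256<TAB>PATH
# FLAG is:
#   exec - owner-execute bit is set (b, conect, d, mass, ... in the listing)
#   core - file is named core.* (a crashed process left a dump)
#   data - anything else (listen.log, d.1, mirela.1, ...)
#
# Limitation: paths containing newlines are not handled.
triage_tmp() {
    dir=$1
    owner=$2
    # -xdev keeps find on the same file system as DIR.
    find "$dir" -xdev -type f -user "$owner" | sort |
    while IFS= read -r path; do
        flag=data
        # -perm -100 matches when the owner-execute bit is set,
        # regardless of who is running this script.
        if [ -n "$(find "$path" -maxdepth 0 -perm -100)" ]; then
            flag=exec
        else
            case ${path##*/} in
                core.*) flag=core ;;
            esac
        fi
        sum=$(sha256sum "$path" | cut -d' ' -f1)
        printf '%s\t%s\t%s\n' "$flag" "$sum" "$path"
    done
}

# Typical use, run as root and saved somewhere other than DIR:
#   triage_tmp /tmp apache > /root/tmp-inventory.tsv
```

The same function can be pointed at the httpd server root mentioned in the quoted advice by changing the first argument.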