Audit Apache process creating files in /tmp


Tags: linux, apache-2.2

We have a Linux server at a large hosting provider that has approximately 75 Joomla! websites being hosted on it. We use maldet to scan daily for possible malware on all these sites. In the last week or so, files have been showing up in /tmp:

/tmp/20130930-202240-UkpAAEBaJ74AABlPLiMAAAAL-file-cdQfYQ
/tmp/20131001-004117-Ukp8nUBaJ74AAGD@-W0AAAAD-file-P6KfRr
/tmp/20131001-004128-Ukp8qEBaJ74AAGEdQ88AAAAI-file-W65Hp6

They are owned by the user apache runs as, and they contain malicious encoded PHP code. We would like to find out which site, or sites, are being attacked. We need to know where or how these files are being created from. Obviously, just 1 user account controls all those sites, so that makes things difficult to narrow down.

Is there any way to audit Apache and determine which website these files are being created from?

Thanks, Jay

Solution:

You should examine apache2-mod-itk and provide a user per virtual host. You will easily find which user has a problem, which virtual host should be stopped, which file is created, which packet is going through your iptables firewall…

Then it becomes easy in a shared world.

Do you have a list of your Joomla sites telling you which of them are outdated? There was an ugly flaw recently, allowing for remote code execution.

Exploit scanners WILL find your sites, especially when they tell which version they run on, so my guess: every outdated Joomla instance should be investigated.

Perhaps correlate the timestamps between the /tmp files and your Apache access logs? Depending on your timestamp resolution and how busy your sites are, you might be able to identify which requests are creating the files.

If you are using ext4, you could turn off atime on ext4 so that file access times mimic file creation times, and use logger to send access logs from Apache to rsyslog, and together these measures would give you fairly precise timestamps, not necessarily 100% accurate but quite possibly good enough to track things down.

For adjusting ext4 options, see:

man 8 mount
man 5 fstab

For adjusting Apache logs, see:

http://httpd.apache.org/docs/2.2/logs.html

Something like:

CustomLog "|/usr/bin/logger -p local6.info" vhost_combined

For adjusting syslog settings, see:

man 8 rsyslogd
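A correlation script for the two answers above (the timestamp matching suggested in the earlier answer and the precise-timestamp logging setup in this one), as an added example that is not part of the original post. It takes the three /tmp names quoted in the question plus a handful of constructed access-log lines. The 24-character middle segment of each file name has the shape of an Apache mod_unique_id UNIQUE_ID, and the whole name has the shape ModSecurity uses for temporary upload files in its SecTmpDir; if that is what wrote them, logging %{UNIQUE_ID}e next to %v in the access log gives an exact join key, so the script tries that first and only falls back to a window of two seconds around the file's timestamp when no ID matches. The assumed log format is LogFormat "%v %h %t \"%r\" %>s %b %{UNIQUE_ID}e" vhost_uid (the format name is chosen for this example; the fields are standard Apache directives). Hostnames, client addresses, request paths and the log lines themselves are made up.

```python
"""Match ModSecurity-style /tmp file names to Apache access-log requests.

Added example, not code from the original post. Assumptions:
  * file names look like  YYYYmmdd-HHMMSS-<UNIQUE_ID>-file-<random>
    (the shape of the names quoted in the question);
  * the access log uses the hypothetical format
      LogFormat "%v %h %t \"%r\" %>s %b %{UNIQUE_ID}e" vhost_uid
  * both timestamps come from the same server clock (local time).
"""
import re
from datetime import datetime, timedelta

# Basenames quoted in the question.
TMP_FILES = [
    "20130930-202240-UkpAAEBaJ74AABlPLiMAAAAL-file-cdQfYQ",
    "20131001-004117-Ukp8nUBaJ74AAGD@-W0AAAAD-file-P6KfRr",
    "20131001-004128-Ukp8qEBaJ74AAGEdQ88AAAAI-file-W65Hp6",
]

# Constructed log lines (hosts, addresses and paths are invented).
# Line 3 has no UNIQUE_ID ("-"), as when mod_unique_id is not loaded.
ACCESS_LOG = """\
site-a.example 203.0.113.5 [30/Sep/2013:20:22:39 +0000] "GET /index.php HTTP/1.1" 200 4021 UkpAAEBaJ74AABlPLiMAAAAK
site-b.example 198.51.100.7 [30/Sep/2013:20:22:40 +0000] "POST /index.php HTTP/1.1" 200 512 UkpAAEBaJ74AABlPLiMAAAAL
site-c.example 198.51.100.7 [01/Oct/2013:00:41:18 +0000] "POST /index.php HTTP/1.1" 200 512 -
site-a.example 203.0.113.5 [01/Oct/2013:00:41:40 +0000] "GET /index.php HTTP/1.1" 200 4021 Ukp8qEBaJ74AAGEdQ88AAAAJ
"""

# mod_unique_id uses the alphabet A-Z a-z 0-9 @ -, so the ID itself may
# contain "-"; splitting on "-" would break, hence the fixed 24-char class.
TMP_RE = re.compile(r"^(\d{8})-(\d{6})-([A-Za-z0-9@-]{24})-file-\w+$")
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) (?P<uid>\S+)$'
)


def parse_tmp_name(name):
    """Return (wall-clock datetime, UNIQUE_ID) or None if the name does not fit."""
    m = TMP_RE.match(name)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    return stamp, m.group(3)


def parse_log_line(line):
    """Parse one line of the assumed vhost_uid format into a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %t carries a numeric offset; drop it to compare as server wall-clock time.
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    rec["uid"] = None if rec["uid"] == "-" else rec["uid"]
    return rec


def correlate(tmp_names, log_text, window=timedelta(seconds=2)):
    """Map each temp file to the requests that could have produced it.

    Returns {name: (method, records)} where method is "unique_id" for an
    exact ID match, "time" for requests within `window` of the file's
    timestamp, or None when nothing fits (unparseable name or no candidates).
    """
    records = [r for r in (parse_log_line(l) for l in log_text.splitlines()) if r]
    by_uid = {r["uid"]: r for r in records if r["uid"]}
    result = {}
    for name in tmp_names:
        parsed = parse_tmp_name(name)
        if parsed is None:
            result[name] = (None, [])
            continue
        stamp, uid = parsed
        if uid in by_uid:
            result[name] = ("unique_id", [by_uid[uid]])
            continue
        near = [r for r in records if abs(r["time"] - stamp) <= window]
        result[name] = ("time", near) if near else (None, [])
    return result


def suspect_vhosts(result):
    """Distinct virtual hosts implicated by any match, for a quick triage list."""
    return sorted({r["vhost"] for _, recs in result.values() for r in recs})


if __name__ == "__main__":
    res = correlate(TMP_FILES, ACCESS_LOG)
    for name, (method, recs) in res.items():
        print(name, "->", method or "no match")
        for r in recs:
            print("   ", r["vhost"], r["client"], r["request"], r["status"])
    print("suspect vhosts:", suspect_vhosts(res))
```

A "time" match is only a candidate list: on a busy server several requests share a second, which is why the exact UNIQUE_ID join is worth enabling before the next file shows up. Keeping the log format consistent across all virtual hosts matters too, since the vhost field (%v) is what finally answers the question of which site is being hit.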
