
Watch Linux /tmp folders to delete bad perl, python scripts



Fli
09-25-2017, 09:49 PM
Hello,

Which method are you using to watch for and delete malicious scripts from /tmp directories?
Numerous shared hosting server administrators have faced this issue, where a malicious script was run from /tmp, probably despite the noexec mount option.

There is a script that can delete perl and python scripts from /tmp. But it deletes them based on the file name extension, not based on the content. If you have a better script, please kindly share it.

cat /root/scripts/tmpmonitor/tmpmonitor

#!/bin/sh
# Loop forever, deleting files in the usual writable tmp locations whose
# extension suggests a perl, python or shell script.
while true;do
find /tmp /var/tmp /dev/shm -type f \( -iname "*.pl" -o -iname "*.perl" -o -iname "*.sh" -o -iname "*.py" -o -iname "*.pyc" -o -iname "*.pyo" \) -delete
sleep 1
done

Create another script which you will run, for example every minute, to check whether the previous script is running:

cat /root/scripts/tmpmonitor/tmpmonitor_keeprunning

#!/bin/sh
# Drop a probe file; if the monitor loop is running it will be gone within 3 seconds.
touch /tmp/test.pl
sleep 3
if [ -f /tmp/test.pl ];then
/bin/sh /root/scripts/tmpmonitor/tmpmonitor &
fi

# The [m]aldet pattern keeps the grep process itself out of the count, so a
# count of 0 means no maldet process is running. POSIX [ ] is used instead of
# the bash-only [[ ]] because the script is invoked with /bin/sh.
if [ "$(ps aux|grep -c '[m]aldet')" = "0" ];then
/usr/local/sbin/maldet -m /tmp,/var/tmp,/dev/shm
fi

Note the "maldet" lines. Maldet (https://internetlifeforum.com/showthread.php?t=2155) is another tool that can watch your defined directories for malware and remove it. This way we make sure maldet is running too.

The next step is to set up a cronjob that will run the "tmpmonitor_keeprunning" script, which checks the "tmpmonitor" script itself. Do it by adding this line to some cron file in /etc/cron.d/:

* * * * * root /bin/sh /root/scripts/tmpmonitor/tmpmonitor_keeprunning
(The cron file should have 600 permissions: chmod 600 file.)
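A content-based alternative to the extension check above, added here as an example and not the poster's script: it classifies a file by its first line (a shebang naming perl, python or a shell, or a PHP open tag; these heuristics are an assumption), reports hits, and moves them to a quarantine directory of the caller's choosing instead of deleting them, so a false positive can be inspected before anything is lost.

```shell
#!/bin/sh
# Added example: classify files in tmp directories by content, not extension.
# Heuristics (assumed): a shebang naming perl/python/a shell, or a PHP open tag.

# Print the script family indicated by the file's first line; return 1 if none.
script_kind() {
    f="$1"
    [ -f "$f" ] || return 1
    first=$(head -n 1 "$f" 2>/dev/null | tr -d '\r')
    case "$first" in
        '#!'*perl*)   echo perl ;;
        '#!'*python*) echo python ;;
        '#!'*sh*)     echo shell ;;    # sh, bash, dash, zsh, ksh ...
        '<?php'*)     echo php ;;
        *)            return 1 ;;
    esac
}

# Walk the given directories (without crossing filesystems) and print
# "kind<TAB>path" for every regular file under 1 MiB that looks like a script.
# It only reports; what to do with a hit is left to the caller.
scan_tmp_dirs() {
    for dir in "$@"; do
        find "$dir" -xdev -type f -size -2048 2>/dev/null |
        while IFS= read -r path; do
            kind=$(script_kind "$path") && printf '%s\t%s\n' "$kind" "$path"
        done
    done
}

# Move a detected file into a root-only quarantine directory (path supplied by
# the caller) instead of deleting it, so it can be analysed later.
# Prints the new location.
quarantine() {
    qdir="$1"; path="$2"
    mkdir -p "$qdir" && chmod 700 "$qdir" || return 1
    dest="$qdir/$(date +%s)_$$_$(printf '%s' "$path" | tr '/' '_')"
    mv "$path" "$dest" && printf '%s\n' "$dest"
}

# Run as: sh tmpscan.sh scan /tmp /var/tmp /dev/shm
if [ "${1:-}" = scan ]; then
    shift
    scan_tmp_dirs "$@"
fi
```

Feed the scanner's output to quarantine (or to maldet) from the same cron job used above; a renamed "photo.jpg" that starts with "#!/usr/bin/perl" is reported where the extension-based find would miss it.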