Hello,

Which method are you using to watch for and delete malicious scripts from /tmp directories?
Numerous shared hosting server administrators have faced this issue, where a malicious script was run from /tmp, probably despite the noexec mount option.

There is a script that can delete perl and python scripts from /tmp. But it deletes them based on the file name extension, not on the content. If you have a better script, please kindly share it.

cat /root/scripts/tmpmonitor/tmpmonitor
Code:
# Loop forever: once a second, delete files in the world-writable
# temp directories whose NAME ends in a script extension.
while true; do
    find /tmp /var/tmp /dev/shm -type f \( -iname "*.pl" -o -iname "*.perl" -o -iname "*.sh" -o -iname "*.py" -o -iname "*.pyc" -o -iname "*.pyo" \) -delete
    sleep 1
done

Create another script which you will run, for example, every minute to check whether the previous script is running:

cat /root/scripts/tmpmonitor/tmpmonitor_keeprunning
Code:
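# Canary: a running tmpmonitor deletes this file within a second.
touch /tmp/test.pl
sleep 3
# Canary still present: tmpmonitor is not running, so start it.
if [ -f /tmp/test.pl ]; then
    /bin/sh /root/scripts/tmpmonitor/tmpmonitor &
fi

# A count of 1 means only the grep itself matched, so maldet is not running.
# Uses [ ... = ... ] because the cron job runs this script with /bin/sh.
if [ "$(ps aux | grep maldet | wc -l)" = "1" ]; then
    /usr/local/sbin/maldet -m /tmp,/var/tmp,/dev/shm
fi

Note the "maldet" lines. Maldet is another tool that can watch your defined directories for malware and remove it. This way we make sure maldet is running too.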

The next step is to set up a cron job that runs the "tmpmonitor_keeprunning" script, which checks the "tmpmonitor" script itself. Do it by adding this line to a cron file in /etc/cron.d/:
Code:
* * * * * root /bin/sh /root/scripts/tmpmonitor/tmpmonitor_keeprunning
(The cron file should have 600 permissions: chmod 600 file)
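
An added example, not part of the original post: one way to classify files by content instead of extension is to read the shebang line, so a perl script saved as notes.txt is still caught and a harmless text file named x.pl is not. The function names script_interpreter and scan_tmp are hypothetical, and the script only reports; it does not delete.

```shell
#!/bin/sh
# Added example: report files whose first line is a shebang for a watched
# interpreter, whatever the file is called.

# script_interpreter FILE: print the interpreter name and return 0 on a match.
script_interpreter() {
    # Read at most 128 bytes so large or binary files stay cheap to check.
    first=$(head -c 128 -- "$1" 2>/dev/null | head -n 1 | tr -d '\000\r')
    case $first in
        '#!'*) ;;
        *) return 1 ;;
    esac
    # Split the rest of the line into words, with globbing disabled.
    set -f
    set -- ${first#'#!'}
    set +f
    [ $# -gt 0 ] || return 1
    interp=${1##*/}
    # "#!/usr/bin/env -S python3": skip env and its options.
    if [ "$interp" = env ]; then
        shift
        while [ $# -gt 0 ]; do
            case $1 in -*) shift ;; *) break ;; esac
        done
        [ $# -gt 0 ] || return 1
        interp=${1##*/}
    fi
    # Drop a version suffix: python3.11 -> python, perl5 -> perl.
    interp=$(printf '%s' "$interp" | sed 's/[0-9.]*$//')
    case $interp in
        sh|bash|dash|ksh|zsh|perl|python|php|ruby) printf '%s\n' "$interp" ;;
        *) return 1 ;;
    esac
}

# scan_tmp DIR...: print "interpreter<TAB>path" for every match.
# Report-only on purpose: paths are read line by line, so a file name that
# contains a newline could point at a file elsewhere on the system.
scan_tmp() {
    find "$@" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        if interp=$(script_interpreter "$f"); then
            printf '%s\t%s\n' "$interp" "$f"
        fi
    done
}

# Scan only when directories are given, e.g.: sh scan.sh /tmp /var/tmp /dev/shm
[ $# -eq 0 ] || scan_tmp "$@"
```

This only covers scripts that carry a shebang; a file passed directly to an interpreter (perl /tmp/x) needs no shebang, so a content scanner such as maldet is still useful alongside it.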