1

We use CentOS.

We've been hacked and are trying to figure out why. Looking at the /tmp folder I'm wondering if these are security threats:

-rw-rw----  1 mysql    mysql    11665408 Apr  3 18:59 #sql_6bc_0.MYD
-rw-rw----  1 mysql    mysql        1024 Apr  3 18:59 #sql_6bc_0.MYI
drwxrwxrwt  5 root     root       647168 Apr  3 18:59 ./
dr-xr-xr-x 25 root     root         4096 Mar 31 19:34 ../
drwxrwxrwt  2 root     root         4096 Mar 31 19:34 .ICE-unix/
-rw-------  1 cpanel   cpanel          0 Dec  3 11:18 .ftpquota
-rw-------  1 root     root            1 Mar 18 00:19 cache_03ccc987bb84ad942c7bdc1b37a1d5af
-rw-------  1 root     root            1 Mar 18 00:19 cache_0f1ff313f7d5dc65958843d70148d9f6
-rw-------  1 root     root            1 Mar 18 00:19 cache_3ebbab63ff1d3bffdaddb17747049f2d
-rw-------  1 root     root          581 Mar 14 00:46 cache_5a3dafb5b1cf70a9b76b7e70107b3ba0
-rw-------  1 root     root            1 Mar 18 00:19 cache_763860a21a94412ffb8081c5efb43196
-rw-------  1 root     root            1 Mar 18 00:19 cache_85daced7c4de2f5a2c332a7d8a7a3803
-rw-------  1 root     root            1 Mar 18 00:19 cache_8c1e2d0573ed1f99fd247768110f872f
-rw-------  1 root     root        16093 Mar 18 00:19 cache_b9813b3134c6afdd77d72c595ebda25d
-rw-------  1 root     root          440 Mar 18 00:19 horde_cache_gc
-rwxr-xr-x  1 root     root        34087 May 16  2013 latest*
lrwxrwxrwx  1 root     root           27 Dec  3 11:15 mysql.sock -> ../var/lib/mysql/mysql.sock=
drwxr-xr-x  3 root     root         4096 Dec  3 11:31 pear/
-rw-------  1 user user   122856 Mar 31 00:13 php9YFHLD
-rw-------  1 user user           0 Apr  3 18:38 sess_00257f10fae6be00b90d5ba805ad30af
-rw-------  1 user user           0 Apr  3 18:58 sess_003d98e029b3d2c0fab09d926c0dd761
-rw-------  1 user user           0 Apr  3 18:59 sess_0047577f2d01487f4fa75724d0b3f7ee
-rw-------  1 user user           0 Apr  3 18:58 sess_0070e5da229b113786f64f39cae87daf
-rw-------  1 user user           0 Apr  3 18:59 sess_0077dea73523b2548e8eb100ff76359f
-rw-------  1 user user           0 Apr  3 18:46 sess_00882cd396bd3452665c9d973918afdb
-rw-------  1 user user           0 Apr  3 18:46 sess_00b82f19cf9a685d1aceeb7f70de6608
-rw-------  1 user user           0 Apr  3 18:50 sess_00d77c2027af0c19151a1b99021f3758
-rw-------  1 user user           0 Apr  3 18:51 sess_0108c3a1bd1f79e0aa0b27045e23ea08
-rw-------  1 user user           0 Apr  3 18:53 sess_011637bd373ae7cffb2725820d89fd5a
-rw-------  1 user user           0 Apr  3 18:43 sess_0131292a1d637c2317dcaafed09df456

I was wondering why so many of them are run by root. Why are some of them still there after so many days?

I heard about tmp files being a vulnerability. How should I monitor the /tmp files?

Sven

1 Answer

2

Those are cache files from MySQL and PHP sessions. No concerns there.

If you're that worried about /tmp, add noexec,nodev,nosuid to the options column for /tmp in /etc/fstab. That will stop anything from being executed on that volume.

Try looking for files modified in the last X days:

find /etc -iname "*.conf" -mtime -1 -print
Vasili Syrakis
  • I tried to look for this line: UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp ext4 defaults 1 2 in /etc/fstab, however it does not exist. Only a line with none /dev/pts devpts rw 0 0 exists in this file. What am I missing? – user1397652 Apr 04 '14 at 03:55
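The mount-option advice in the answer, and the commenter's case where /tmp has no fstab line of its own, as an added worked example (not code from the answer or the comment). It assumes POSIX sh with awk; the mount-table lines in SAMPLE_MOUNTS are constructed, and the fstab line it rewrites is the one quoted in the comment. One helper reports which of noexec, nodev and nosuid a mounted /tmp lacks, the other adds the missing ones to an fstab entry's options field.

```sh
#!/bin/sh
# Added example, not code from the answer above. Assumes POSIX sh with awk.
# Two helpers: one reports which of noexec/nodev/nosuid a mounted /tmp lacks,
# the other rewrites an fstab entry so the options field carries all three.

# Constructed sample of /proc/mounts output (not taken from the asker's server).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda3 /var ext4 rw,noexec,nosuid,nodev,relatime 0 0'

# missing_tmp_options MOUNT_TABLE MOUNTPOINT
# Prints the hardening options absent from MOUNTPOINT's mount, or NOT_MOUNTED
# when MOUNTPOINT is not a filesystem of its own (the commenter's situation:
# with no separate /tmp, fstab options cannot be applied to it at all).
# Exit status is 0 only when all three options are present.
missing_tmp_options() {
    table=$1
    mp=$2
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
    if [ -z "$opts" ]; then
        echo NOT_MOUNTED
        return 1
    fi
    missing=""
    for want in noexec nodev nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# hardened_fstab_line FSTAB_LINE
# Adds noexec, nodev and nosuid to the fourth (options) field of an fstab
# entry, skipping any the entry already has, and prints the resulting line.
hardened_fstab_line() {
    printf '%s\n' "$1" | awk '{
        n = split($4, have, ",")
        for (i = 1; i <= n; i++) seen[have[i]] = 1
        split("noexec nodev nosuid", want, " ")
        for (i = 1; i <= 3; i++) if (!seen[want[i]]) $4 = $4 "," want[i]
        print
    }'
}

# Demonstration on the constructed data.
echo "/tmp in sample table is missing: $(missing_tmp_options "$SAMPLE_MOUNTS" /tmp)"
hardened_fstab_line 'UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp ext4 defaults 1 2'

# Live check of this host, only if the mount table is readable.
if [ -r /proc/mounts ]; then
    echo "this host's /tmp is missing: $(missing_tmp_options "$(cat /proc/mounts)" /tmp)"
fi
```

Two practical caveats. The options only take effect on a filesystem that is actually mounted at /tmp, so when the live check prints NOT_MOUNTED the directory is just part of the root filesystem and a separate entry (for example a tmpfs line) has to be created before the options mean anything. Also, noexec on /tmp can break rpm/yum scriptlets and installers that unpack helper binaries there, so test the change with `mount -o remount /tmp` before relying on it at boot. For the answer's `find` sweep, `-mtime` keys on a timestamp that `touch` can rewrite; `-ctime` is harder to backdate and is worth running alongside it.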