Question

I apologize for the large post for a first timer. I've not been able to find a reason for the /tmp/phpXXX files created on my server. It seems that some sites (BAD GUY IP in the data below) are sending posts to my site for a Joomla vulnerability (I don't have Joomla installed). The attack tries to upload a gif file and then rename the gif file to a php file. The code in the "gif" file is a trojan control panel. I'm pretty sure that the attacker is unable to rename the gif file to a php file.

My question is how is the /tmp/phpXXX file being created on my site? Why does the /tmp/phpXXX file stick around? It seems that the image upload and rename is failing and therefore the temporary file should get cleaned up. I've tried to replicate the attacking posts against my site with no luck creating the /tmp/phpXXX file.

It seems that if I could understand why the /tmp/phpXXX files stick around it would help me understand if I have a real vulnerability on my site.

Thanks for reading!

My site is hosted by Yahoo.

I'm finding temporary files in the /tmp directory that are trojans. It looks like it is a Joomla JCE vulnerability attack (I don't have Joomla installed); see: http://forum.joomla.org/viewtopic.php?f=432&t=740054. The files created have random file names (i.e. phpXXX).

The files contain the following (I was able to remove the bad stuff between the tick marks):

GIF89aGiam
<?php eval(gzinflate(str_rot13(base64_decode('')))); ?> 

I correlated the /tmp/phpXXX files' times to certain posts in my access.log file.

Here are some recent posts...

BAD GUY IP - - [25/Feb/2014:22:09:15 -0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 12608 "-" "BOT/0.1 (BOT for JCE)" "www.MYSITE.com"
BAD GUY IP - - [25/Feb/2014:22:09:22 -0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 12608 "-" "BOT/0.1 (BOT for JCE)" "www.MYSITE.com"
BAD GUY IP - - [25/Feb/2014:22:10:03 -0800] "GET /images/stories/food.php?rf HTTP/1.1" 404 89 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" "www.MYSITE.com"
BAD GUY IP - - [25/Feb/2014:22:10:58 -0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 - "-" "BOT/0.1 (BOT for JCE)" "www.MYSITE.com"
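The access-log lines above carry three signals a defender can match on (the com_jce imgmanager query, the "BOT for JCE" User-Agent, and the follow-up GET for a .php file under /images/stories/). As an added Python example that is not part of the question, this parses Apache combined-log lines and tags each source IP with the reasons it tripped; the sample lines, IPs and hostname are constructed stand-ins for the ones in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache combined-log format, modeled on the lines in the question
# (IPs and hostname are placeholders; the last line is a benign request for contrast).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Feb/2014:22:09:15 -0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 12608 "-" "BOT/0.1 (BOT for JCE)" "www.example.com"
203.0.113.5 - - [25/Feb/2014:22:10:03 -0800] "GET /images/stories/food.php?rf HTTP/1.1" 404 89 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" "www.example.com"
203.0.113.5 - - [25/Feb/2014:22:10:58 -0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 200 - "-" "BOT/0.1 (BOT for JCE)" "www.example.com"
198.51.100.7 - - [25/Feb/2014:22:12:00 -0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "www.example.com"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return the reasons a log line looks like JCE image-manager abuse, or [] if clean."""
    m = LINE_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    q = parse_qs(url.query)
    reasons = []
    # 1. A request addressed to the JCE image manager on a host that does not run Joomla.
    if q.get("option") == ["com_jce"] and q.get("plugin") == ["imgmanager"]:
        reasons.append("jce_imgmanager_request")
    # 2. The scanner announces itself in the User-Agent string.
    if "BOT for JCE" in m["ua"]:
        reasons.append("jce_bot_user_agent")
    # 3. A fetch of a .php file under the JCE upload directory checks whether the
    #    upload-then-rename worked; a 404 says the renamed file is not there.
    if url.path.startswith("/images/stories/") and url.path.endswith(".php"):
        reasons.append("webshell_probe_404" if m["status"] == "404" else "webshell_probe_hit")
    return reasons

def scan(log_text):
    """Map each offending source IP to the set of reasons seen for it."""
    hits = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.setdefault(LINE_RE.match(line)["ip"], set()).update(reasons)
    return hits
```

A "webshell_probe_hit" (a 200 on the .php path) is the case that needs immediate follow-up; the 404 seen in the question means the rename did not land.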

I wrote some code to dump the data from the posts...

<?php
// Path of the trap log; the original snippet defines $hack_log_file elsewhere, so this is a placeholder.
$hack_log_file = '/path/to/hack.log';

if (isset($_REQUEST['option'])) {
    $today = date("D M j G:i:s T Y");
    file_put_contents($hack_log_file, "\nDATE / TIME: " . $today . "\n", FILE_APPEND);
    // HTTP_REFERER and REMOTE_HOST are often absent; default them so no notice is raised.
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    file_put_contents($hack_log_file, "\nHTTP_REFERER: " . $referer . "\n", FILE_APPEND);
    file_put_contents($hack_log_file, "REMOTE_ADDR: " . $_SERVER['REMOTE_ADDR'] . "\n", FILE_APPEND);
    $remoteHost = isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '';
    file_put_contents($hack_log_file, "REMOTE_HOST: " . $remoteHost . "\n", FILE_APPEND);
    // Dump every query-string and form parameter, one per line.
    foreach ($_GET as $key => $value) {
        file_put_contents($hack_log_file, "GET: " . $key . " => " . $value . "\n", FILE_APPEND);
    }
    foreach ($_POST as $key => $value) {
        file_put_contents($hack_log_file, "POST: " . $key . " => " . $value . "\n", FILE_APPEND);
    }
    // $_FILES records the temporary name PHP assigned to any upload (e.g. /tmp/phpXXXXXX).
    $results = print_r($_FILES, true);
    file_put_contents($hack_log_file, "FILES:\n" . $results . "\nEND FILES:\n", FILE_APPEND);
}

Here are the results of my trapping the "attacks"...

DATE / TIME: Tue Feb 25 22:09:15 PST 2014

HTTP_REFERER: 
REMOTE_ADDR: BAD GUY IP
REMOTE_HOST: 
GET: option => com_jce
GET: task => plugin
GET: plugin => imgmanager
GET: file => imgmanager
GET: version => 1576
GET: cid => 20
POST: json => {\"fn\":\"folderRename\",\"args\":[\"/food.gif\",\"food.php\"]}
FILES:
    Array
    (
    )

END FILES:

DATE / TIME: Tue Feb 25 22:09:22 PST 2014

HTTP_REFERER: 
REMOTE_ADDR: BAD GUY IP
REMOTE_HOST: 
GET: option => com_jce
GET: task => plugin
GET: plugin => imgmanager
GET: file => imgmanager
GET: version => 1576
GET: cid => 20
POST: json => {\"fn\":\"folderRename\",\"args\":[\"/food.gif\",\"food.php\"]}
FILES:
    Array
    (
    )

HTTP_REFERER: 
REMOTE_ADDR: BAD GUY IP
REMOTE_HOST: 
GET: option => com_jce
GET: task => plugin
GET: plugin => imgmanager
GET: file => imgmanager
GET: method => form
GET: cid => 20
GET: 6bc427c8a7981f4fe1f5ac65c1246b5f => cf6dd3cf1923c950586d0dd595c8e20b
POST: upload-dir => /
POST: upload-overwrite => 0
POST: upload-name => food
POST: action => upload
FILES:
    Array
    (
    [Filedata] => Array
        (
            [name] => food.gif
            [type] => image/gif
            [tmp_name] => /tmp/phpR1KNP7
            [error] => 0
            [size] => 1524
        )

    )

END FILES:

DATE / TIME: Tue Feb 25 22:11:04 PST 2014

HTTP_REFERER: 
REMOTE_ADDR: BAD GUY IP
REMOTE_HOST: 
GET: option => com_jce
GET: task => plugin
GET: plugin => imgmanager
GET: file => imgmanager
GET: method => form
GET: cid => 20
GET: 6bc427c8a7981f4fe1f5ac65c1246b5f => cf6dd3cf1923c950586d0dd595c8e20b
POST: upload-dir => /
POST: upload-overwrite => 0
POST: upload-name => food
POST: action => upload
FILES:
    Array
    (
    [Filedata] => Array
        (
            [name] => food.gif
            [type] => image/gif
            [tmp_name] => /tmp/phpDUbonr
            [error] => 0
            [size] => 1524
        )

    )

END FILES:
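The trapped records show the two halves of the attempt: an upload whose client-declared type is image/gif, then a folderRename of /food.gif to food.php. As an added Python example that is not code from the question or from Joomla/JCE, these are the two server-side checks a defender would run against such requests; the sample bytes and JSON are constructed to match the shapes shown above.

```python
import json
import re

# Constructed samples modeled on the question's trap output (not the real payload):
# a "GIF" whose body is a PHP eval stub, a genuine 1x1 GIF, and the rename request.
FAKE_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"<?php eval(gzinflate(str_rot13(base64_decode('')))); ?>\n"
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
RENAME_JSON = '{"fn":"folderRename","args":["/food.gif","food.php"]}'

EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "phtml", "phar"}
PHP_TAG = re.compile(rb"<\?(php|=)|<\?\s")

def looks_like_php_polyglot(data):
    """True if the bytes start with a GIF signature yet also contain a PHP open tag.
    The client-supplied [type] => image/gif says nothing about content, so inspect the bytes.
    PHP removes the upload's /tmp/phpXXXXXX file at request end unless the script moves
    or renames it, so a polyglot is only dangerous once it is kept under an executable name."""
    has_gif_header = data[:6] in (b"GIF87a", b"GIF89a")
    return has_gif_header and PHP_TAG.search(data) is not None

def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def rename_changes_to_executable(json_text):
    """True if a JCE-style folderRename request would give a file an executable extension."""
    try:
        req = json.loads(json_text)
    except ValueError:
        return False
    if req.get("fn") != "folderRename" or len(req.get("args", [])) != 2:
        return False
    src, dst = req["args"]
    return _ext(dst) in EXECUTABLE_EXT and _ext(src) != _ext(dst)

def triage(upload_bytes, rename_json):
    """Combine both checks into the labels a trap log or WAF rule would emit."""
    labels = []
    if looks_like_php_polyglot(upload_bytes):
        labels.append("gif_php_polyglot")
    if rename_changes_to_executable(rename_json):
        labels.append("rename_to_executable")
    return labels
```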


OTHER TIPS

You mentioned Windows deleting the files. Is it possible your version of PHP is affected by PHP issue #68535?

Please comment back if the issue looks similar or not and if any of the suggested workarounds or configuration changes help.
