At the root of the site a temp folder periodically appears with incomprehensible files in it. I think some kind of shell creates it to fill up the disk. I delete it, and the next day it is re-created, again with incomprehensible files in it.

I searched online for what this folder could be for. I learned that many programs create it for reports and other data. How can I find out whether a server program does this or a shell has been uploaded to the server?

For example, the file example.com/temp/u/d3d3LmZsYXRvdXIuY29tL215YWR2cy9ydS8%3D.txt contains only the line

 dHJlYXN1cmV0b3duLzQ1NDg3NDUyOTQzMjMv 

And this folder consists only of such files. My server is CentOS 6, VPS, ISPmanager panel, nginx, memcached, ClamAV is on.

  • "Incomprehensible folder and files" is a very vague description. Please give the file names and examples of their content. - VenZell
  • For example, the contents of the file example.com/temp/u/d3d3LmZsYXRvdXIuY29tL215YWR2cy9ydS8%3D.txt: dHJlYXN1cmV0b3duLzQ1NDg3NDUyOTQzMjMM - Hasanagha Aliyev
  • The file name and the content are base64-encoded strings. The file name contains the following link: www.flatour.com/myadvs/ru/ , and the content after decoding is: treasuretown/4548745294323/ - VenZell
  • And what does that mean? Yes, this is the site where these problems are ... But the question still stands ... what creates these files - Hasanagha Aliyev
  • It seems that treasuretown is part of this URL: http://item.rakuten.co.jp/treasuretown/4548745294323/ . Perhaps links are being sold from your site. Check the site's files manually - VenZell
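The decoding VenZell did by hand, as an added shell example (not from the question or the comments): it undoes the URL escaping and base64-decodes every file name and its content under the directory you pass in, so the whole temp/u/ folder can be reviewed in one pass. The sample file that make_sample_dir builds uses the name and content quoted in the question; the path in the usage comment is only an example.

```shell
#!/bin/sh
# Added example, not from the question or the comments.
# Decode the base64 file names and contents under temp/u/ in bulk.
# The sample file built by make_sample_dir uses the name and content quoted in the question.

# Undo URL escaping of the three characters a base64 string can contain
# (%3D '=', %2B '+', %2F '/'); names already stored with '=' pass through unchanged.
url_decode() {
  printf '%s' "$1" | sed -e 's/%3[dD]/=/g' -e 's/%2[bB]/+/g' -e 's/%2[fF]/\//g'
}

# Decode base64; prints nothing (and fails) on input that is not base64.
b64_decode() {
  printf '%s' "$1" | base64 -d 2>/dev/null
}

# A file name like d3d3...%3D.txt -> www.flatour.com/myadvs/ru/
decode_name() {
  b64_decode "$(url_decode "${1%.txt}")"
}

# One line per file: raw name -> decoded name | decoded content
report_dir() {
  for f in "$1"/*.txt; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    # read at most 4 KiB and drop whitespace so a trailing newline does not break base64
    content=$(head -c 4096 "$f" | tr -d '[:space:]')
    printf '%s -> %s | %s\n' "$name" "$(decode_name "$name")" "$(b64_decode "$content")"
  done
}

# Constructed sample directory reproducing the file from the question.
make_sample_dir() {
  d=$(mktemp -d)
  printf '%s\n' 'dHJlYXN1cmV0b3duLzQ1NDg3NDUyOTQzMjMv' > "$d/d3d3LmZsYXRvdXIuY29tL215YWR2cy9ydS8%3D.txt"
  printf '%s' "$d"
}

# Usage: sh decode_temp.sh /var/www/example.com/temp/u   (path is an example)
if [ -n "$1" ]; then
  report_dir "$1"
fi
```

Running report_dir over the real folder gives a list of decoded URL pairs, which makes it easy to see whether every file follows the same "external site / product page" pattern the comment spotted, and which outside sites the files refer to.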

2 answers

You can try running the lsof command, which shows which program currently has the file open. It works like this:

 $ lsof /path/to/file 

You can run it with a period of 1 second:

 $ lsof -r1 /path/to/file 

And log it all to a file. If you do not want to keep the ssh session open, you can use GNU screen or a similar program.

If the program finishes too quickly to be caught by these logs, you can resort to a real crutch and run it as often as possible:

 $ while true; do lsof /path/to/file; done 

  • tried lsof ... no results - Hasanagha Aliyev
  • @HasanaghaAliyev lsof only shows the current moment, you need to run it for a while. For a day, for example. Then analyze the logs with grep, for example - FeroxTL
  • I apologize ... I pasted the command incorrectly, I have little experience with ssh ... corrected it, now it prints Permission denied - Hasanagha Aliyev
  • @HasanaghaAliyev, this command can safely be run as administrator. Try su or sudo su, I don't know much about CentOS - FeroxTL
  • it says does not exist - Hasanagha Aliyev

The auditd package can help. Example:

 # auditctl -w /temp
 # mkdir /temp
 # mkdir /temp/u
 # ausearch -f /temp
 ----
 time->Mon Aug 29 16:32:43 2016
 type=CONFIG_CHANGE msg=audit(1472473963.517:46): auid=4294967295 ses=4294967295 op="updated_rules" path="/temp" key=(null) list=4 res=1
 ----
 time->Mon Aug 29 16:32:43 2016
 type=PROCTITLE msg=audit(1472473963.489:47): proctitle=6D6B646972002F74656D70
 type=PATH msg=audit(1472473963.489:47): item=1 name="/temp" inode=10691 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
 type=PATH msg=audit(1472473963.489:47): item=0 name="/" inode=2 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
 type=CWD msg=audit(1472473963.489:47): cwd=2F686F6D652F73657267696F2F456CC59D75746F6A
 type=SYSCALL msg=audit(1472473963.489:47): arch=40000003 syscall=39 success=yes exit=0 a0=bf82f7a3 a1=1ff a2=bf82f7a3 a3=bf82ee64 items=2 ppid=22390 pid=24813 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="mkdir" exe="/bin/mkdir" key=(null)
 ----
 time->Mon Aug 29 16:34:21 2016
 type=PROCTITLE msg=audit(1472474061.417:71): proctitle=6D6B646972002F74656D702F75
 type=PATH msg=audit(1472474061.417:71): item=1 name="/temp/u" inode=10693 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
 type=PATH msg=audit(1472474061.417:71): item=0 name="/temp/" inode=10691 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
 type=CWD msg=audit(1472474061.417:71): cwd=2F686F6D652F73657267696F2F456CC59D75746F6A
 type=SYSCALL msg=audit(1472474061.417:71): arch=40000003 syscall=39 success=yes exit=0 a0=bfe2c7a1 a1=1ff a2=bfe2c7a1 a3=bfe2a9a4 items=2 ppid=22390 pid=24846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="mkdir" exe="/bin/mkdir" key=(null)
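Unlike polling lsof, an audit watch records the creating process even when it lives for milliseconds, but the raw ausearch records above are several lines per event. The following added shell example (not part of the answer) installs the watch with a key so the events can be fetched back by that key, and its summarize_creates function reduces ausearch's raw output to one "path created by process" line per event. The watched path /var/www/example.com/temp and the key name are assumptions; the embedded sample is the answer's own ausearch output trimmed to the lines the function reads.

```shell
#!/bin/sh
# Added example, not part of the answer above.
# Record directory creates/writes with auditd and summarize who did them.

# Watch the site's temp directory (assumed path) for writes and attribute changes,
# tagged with a key so the events can be fetched back without path matching.
WATCH_DIR=/var/www/example.com/temp
WATCH_KEY=site_temp

install_watch() {
  auditctl -w "$WATCH_DIR" -p wa -k "$WATCH_KEY"
}

# Raw records for the key; pipe through summarize_creates below.
fetch_events() {
  ausearch -k "$WATCH_KEY"
}

# Reduce ausearch's raw multi-line records to "path created by comm (exe uid pid ppid)".
# Records are separated by "----"; the PATH item with nametype=CREATE names the new
# entry and the SYSCALL line names the process that made it.
summarize_creates() {
  awk '
    function flush() {
      if (created != "")
        printf "%s created by %s (exe=%s uid=%s pid=%s ppid=%s)\n",
               created, f["comm"], f["exe"], f["uid"], f["pid"], f["ppid"]
      created = ""
      delete f
    }
    /^----/ { flush(); next }
    /^type=PATH/ && /nametype=CREATE/ {
      match($0, /name="[^"]*"/)
      created = substr($0, RSTART + 6, RLENGTH - 7)
    }
    /^type=SYSCALL/ {
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        v = kv[2]; gsub(/"/, "", v)
        if (kv[1] ~ /^(pid|ppid|uid|comm|exe)$/) f[kv[1]] = v
      }
    }
    END { flush() }
  '
}

# Constructed sample: the answer's own ausearch output, trimmed to the lines used.
SAMPLE='----
time->Mon Aug 29 16:32:43 2016
type=CONFIG_CHANGE msg=audit(1472473963.517:46): auid=4294967295 ses=4294967295 op="updated_rules" path="/temp" key=(null) list=4 res=1
----
time->Mon Aug 29 16:32:43 2016
type=PATH msg=audit(1472473963.489:47): item=1 name="/temp" inode=10691 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1472473963.489:47): item=0 name="/" inode=2 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=SYSCALL msg=audit(1472473963.489:47): arch=40000003 syscall=39 success=yes exit=0 a0=bf82f7a3 a1=1ff a2=bf82f7a3 a3=bf82ee64 items=2 ppid=22390 pid=24813 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="mkdir" exe="/bin/mkdir" key=(null)
----
time->Mon Aug 29 16:34:21 2016
type=PATH msg=audit(1472474061.417:71): item=1 name="/temp/u" inode=10693 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1472474061.417:71): item=0 name="/temp/" inode=10691 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=SYSCALL msg=audit(1472474061.417:71): arch=40000003 syscall=39 success=yes exit=0 a0=bfe2c7a1 a1=1ff a2=bfe2c7a1 a3=bfe2a9a4 items=2 ppid=22390 pid=24846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="mkdir" exe="/bin/mkdir" key=(null)'

run_sample() {
  printf '%s\n' "$SAMPLE" | summarize_creates
}

# On the live box: install_watch, wait for the folder to reappear, then
#   fetch_events | summarize_creates
```

The uid and exe columns are what answer the question: a file written by the web server's user with exe pointing at the PHP interpreter or php-fpm means a script reachable over the web created it, while a root-owned cron job or panel component shows up with its own user and binary. The ppid can then be followed with `ausearch -p <ppid>` to see what started that process.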