ISPPROTECT keeps finding files - what's going on?

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Jun 12, 2017.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I've been running ISPPROTECT for some time and am generally pleased, but it's been throwing some files at me:
    /var/www/clients/client0/web8/tmp/phpEcnjy4 {HEX}Malware.Expert.generic.eval.post.0
    /var/www/clients/client0/web8/tmp/phpSJMwWe {HEX}Malware.Expert.generic.eval.post.0
    /var/www/clients/client0/web8/tmp/phpdf4o7u {HEX}Malware.Expert.generic.eval.post.0
    /var/www/clients/client0/web8/tmp/phpfMMA8L {HEX}Malware.Expert.generic.eval.post.0
    /var/www/clients/client0/web8/tmp/phpfU7Yv9 {HEX}Malware.Expert.generic.eval.post.0
    /var/www/clients/client0/web8/tmp/phpltRopL {HEX}Malware.Expert.generic.eval.post.0
    Now these seem to be undoubtedly malicious, but I'm trying to determine WHERE they are coming from.
    The web8 site is up to date, with no outdated plugins that I can determine, and the tmp folder has these files plus the usual session files.
    I've been told it's safe to delete the php* files, but I want to understand where they are coming from so I can prevent them from being dropped!

    Anyone run into these kinds of warnings?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There must be some kind of security problem in this website then, it might be that the CMS or plugin authors have not fixed them yet. To find out how the files get injected, look into the access.log file of the website and search for POST requests that look unusual to you.
     
  3. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    In this case I think it is a normal upload feature that stores temporary files inside this directory, but does not discard them after checking. So I think attackers try to upload malicious files through an uploader but fail because of file type and name checking in the uploader script. You'll have to investigate creation times and check the corresponding access logs to find out which upload form is used.
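Both replies above come down to the same procedure: take the creation time of each dropped php* file and look for POST requests in the site's access.log at about that moment, then see which request path keeps appearing. The script below is an added example for doing that correlation and is not part of this thread or of ISPProtect. It assumes the vhost writes the standard Apache "combined" log format; the log lines, IP addresses, request paths and file timestamps are constructed sample data, and `/upload.php` is a placeholder path, not a known upload form.

```python
"""Correlate abandoned tmp files with POST requests in an access log (added example)."""
import os
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, e.g.
# 203.0.113.5 - - [12/Jun/2017:10:15:02 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def tmp_file_mtimes(directory, prefix="php"):
    """List (path, mtime) for files in `directory` whose names start with `prefix`.

    PHP names its upload temp files php + random suffix, so the prefix filter
    skips session files (sess_*) that legitimately live in the same tmp dir.
    """
    out = []
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.startswith(prefix):
            mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
            out.append((entry.path, mtime))
    return out


def posts_near(files, log_lines, window_seconds=30):
    """Map each (path, mtime) to the POST requests logged within +/- window of mtime.

    An upload handler writes the temp file while the POST is being processed,
    so the file's mtime lands within seconds of the request's log timestamp.
    """
    entries = [e for e in map(parse_line, log_lines) if e and e["method"] == "POST"]
    window = timedelta(seconds=window_seconds)
    return {path: [e for e in entries if abs(e["ts"] - mtime) <= window]
            for path, mtime in files}


def suspect_upload_paths(matches):
    """Count which request paths appear next to the dropped files most often."""
    return Counter(e["path"] for hits in matches.values() for e in hits)


# Constructed sample data: two abandoned temp files and a few log lines around them.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jun/2017:10:15:02 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jun/2017:10:15:03 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jun/2017:10:40:00 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "curl/7.52"',
    '198.51.100.7 - - [12/Jun/2017:11:00:00 +0000] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]
SAMPLE_FILES = [
    ("/var/www/clients/client0/web8/tmp/phpEcnjy4",
     datetime(2017, 6, 12, 10, 15, 3, tzinfo=timezone.utc)),
    ("/var/www/clients/client0/web8/tmp/phpSJMwWe",
     datetime(2017, 6, 12, 10, 40, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    # On a real server: files = tmp_file_mtimes("/var/www/clients/client0/web8/tmp")
    # and log_lines = open("/var/www/clients/client0/web8/log/access.log").
    matches = posts_near(SAMPLE_FILES, SAMPLE_LOG)
    for path, hits in matches.items():
        print(path, "->", [(e["ip"], e["path"]) for e in hits])
    print(suspect_upload_paths(matches).most_common(3))
```

Run it against the real tmp directory and access.log and the path at the top of `most_common()` is the upload form the requests are hitting; from there, check that the handler validates the upload and unlinks its temp file on rejection, since a correctly behaving script should not leave these files behind.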
     