Look like ur server vulnerable and attacker try runing reverse shell. Probably with msfconsole that it looks this way
*Best Regards,* Yaniv Haliwa 📞 +972-533020957 <+972533020957> 🌐 yanivhaliwa.com 🔗 LinkedIn <https://www.linkedin.com/in/yaniv-haliwa> 💻 GitHub <https://github.com/YanivHaliwa> 🎯 TryHackMe <https://tryhackme.com/r/p/YanivHaliwa> 🌍 Linktree <https://linktr.ee/YanivHaliwa> On Tue, Nov 18, 2025, 13:48 אורי <[email protected]> wrote: > Hi, > > I'm running a production server on Ubuntu 22.04.5 LTS hosted on > digitalocean (this droplet is running since 2023). Now, recently I saw some > strange files in /tmp that were not there before. These files contain the > string pymp: > > # find /tmp/ -ls |grep pymp > 3762 4 drwx------ 2 root root 4096 Nov 17 22:23 > /tmp/pymp-n7uodgt6 > 4045 0 srwxr-xr-x 1 root root 0 Nov 17 22:23 > /tmp/pymp-n7uodgt6/listener-0lcaibxe > 2210 4 drwx------ 2 root root 4096 Nov 17 18:18 > /tmp/pymp-fciod9wd > 2369 0 srwxr-xr-x 1 root root 0 Nov 17 18:18 > /tmp/pymp-fciod9wd/listener-fwhwjxcb > > What are these files and does in mean my server (droplet) has been cracked? > > There were more files like this which I deleted. > > Thanks, > Uri Rodberg, Speedy Net. > > אורי > [email protected] > _______________________________________________ > Linux-il mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ Linux-il mailing list -- [email protected] To unsubscribe send an email to [email protected]
