Try something like: lsof | grep /tmp/pymp-n7uodgt6
You will see if a program is currently using any of these files so you can
see what program created it.
I don't think this means a system hack.

-- 
Ori Kuttner CEO Helicon Books
http://www.heliconbooks.com
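
The check suggested in the reply above, as an added example that is not part of the original thread: the `pymp-` directory prefix and `listener-` socket names match what CPython's `multiprocessing` module creates for its temporary directory and AF_UNIX listeners, and this sketch maps each such socket back to the process holding it using `/proc`. The function names, socket inodes and sample table are constructed for illustration; run it as root on the affected host so every `/proc/<pid>/fd` is readable.

```python
import os, re

# Constructed sample in /proc/net/unix format (inodes are made up, paths are from the thread).
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 51234 /tmp/pymp-n7uodgt6/listener-0lcaibxe
0000000000000000: 00000002 00000000 00010000 0001 01 51301 /tmp/pymp-fciod9wd/listener-fwhwjxcb
0000000000000000: 00000003 00000000 00000000 0001 03 18211 /run/systemd/journal/stdout
"""
# Naming pattern used by multiprocessing: tempdir "pymp-*", socket "listener-*".
PYMP = re.compile(r"^/tmp/pymp-[^/]+/listener-[^/]+$")

def pymp_sockets(proc_net_unix_text):
    """Return {socket_inode: path} for named Unix sockets under /tmp/pymp-*."""
    found = {}
    for line in proc_net_unix_text.splitlines()[1:]:
        fields = line.split(None, 7)  # Num RefCount Protocol Flags Type St Inode Path
        if len(fields) == 8 and PYMP.match(fields[7]):
            found[int(fields[6])] = fields[7]
    return found

def socket_owners(inodes, proc="/proc"):
    """Map socket inode -> [(pid, cmdline)] by reading the /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{proc}/{pid}/fd/{fd}"))
                if m and int(m.group(1)) in inodes:
                    with open(f"{proc}/{pid}/cmdline", "rb") as f:
                        cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
                    owners.setdefault(int(m.group(1)), []).append((int(pid), cmd))
        except OSError:
            continue  # process exited meanwhile, or we may not inspect it
    return owners

def triage(proc_net_unix_text, proc="/proc"):
    """Return {socket_path: [(pid, cmdline), ...]}; an empty list means no live owner."""
    socks = pymp_sockets(proc_net_unix_text)
    owners = socket_owners(set(socks), proc)
    return {path: owners.get(inode, []) for inode, path in socks.items()}

if __name__ == "__main__":
    with open("/proc/net/unix") as f:
        for path, procs in triage(f.read()).items():
            print(path, procs or "no live owner (stale socket file)")
```

A socket file with no live owner is a leftover from a process that exited without cleaning up; one with an owner gives the PID and command line to examine next.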





On Tue, Nov 18, 2025 at 9:02 AM Yaniv Haliwa <[email protected]> wrote:

> Looks like your server is vulnerable and an attacker is trying to run a reverse shell.
> Probably with msfconsole, as it looks this way.
>
>
> *Best Regards,*
>
> Yaniv Haliwa
>
> On Tue, Nov 18, 2025, 13:48 אורי <[email protected]> wrote:
>
>> Hi,
>>
>> I'm running a production server on Ubuntu 22.04.5 LTS hosted on
>> DigitalOcean (this droplet has been running since 2023). Now, recently I saw some
>> strange files in /tmp that were not there before. These files contain the
>> string pymp:
>>
>> # find /tmp/ -ls |grep pymp
>>      3762      4 drwx------   2 root     root         4096 Nov 17 22:23 /tmp/pymp-n7uodgt6
>>      4045      0 srwxr-xr-x   1 root     root            0 Nov 17 22:23 /tmp/pymp-n7uodgt6/listener-0lcaibxe
>>      2210      4 drwx------   2 root     root         4096 Nov 17 18:18 /tmp/pymp-fciod9wd
>>      2369      0 srwxr-xr-x   1 root     root            0 Nov 17 18:18 /tmp/pymp-fciod9wd/listener-fwhwjxcb
>>
>> What are these files and does it mean my server (droplet) has been
>> cracked?
>>
>> There were more files like this which I deleted.
>>
>> Thanks,
>> Uri Rodberg, Speedy Net.
>>
>> אורי
>> [email protected]
>> _______________________________________________
>> Linux-il mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]