-1

The /tmp folder on a PHP server keeps filling up with files like these

-rw-------  1 user 5242880 Mar 16 04:32 php3FruGk
-rw-------  1 user 5242880 Mar 16 04:32 php4CsNMh
-rw-------  1 user 5242880 Mar 16 04:32 php4iEwia
-rw-------  1 user 5242880 Mar 16 04:32 php4NpfIo
-rw-------  1 user 5242880 Mar 16 04:32 php7PUmhu

What creates those? It just started happening last week, and the server has issues when /tmp is full. They contain unfamiliar text. What type of encoding is this?

«¾^O"ô<96><83>³E¨<9d>^X$^[,^[Si<8c>¤vB϶<8c>t2_%&)ü<9d>&<9e><8f><93>sª<88>sâZ.Ö<84>!¯^Dx³^M+<87>dÛÖ^VºV^AY<97>Ùp
g000m
  • 125
  • 1
  • 12
  • 1
    How many with the same timestamp? Check access log and try to correlate these times with ones found in access log? Each of those is approx 5Mb so have you got a file upload script that is perhaps not working correctly? – Professor Abronsius Mar 16 '22 at 17:12
  • Around 20 occurred at 4:32, in a span of about 10 seconds. They appear to correlate with a cron process that perhaps timed out. The cron http request ran for several minutes, and logged its timestamp 04:30 after another log entry at 04:32 before failing with a 500. I'm not sure what it would be doing that generated so much data. – g000m Mar 16 '22 at 18:06

2 Answers2

0

They are not necessarily files generated by a PHP script, but they can be.

If there are several dozen files with the same timestamp, a process writes them in a loop.

And maybe their name begins to suggest PHP session files.

Check process that have same user than theses files and verify it is an authorized process.

You can use this to try to identify the process using /tmp :

cd /tmp
fuser -v .
Alaindeseine
  • 3,260
  • 1
  • 11
  • 21
0

It turned out that a cron backup job was coinciding with these files being created. I cleared out some large tables, and the problem stopped.

g000m
  • 125
  • 1
  • 12