How to decipher audit logs, debian and find where the script is run?


There is a piece of the audit log; apparently something "illegal" is happening, but I don't know how to find out where the script is run from. The folder and file "/tmp/r.sh", well, no, or I can't find them:

(PS. -i for ausearch really does not change anything.)

type=SYSCALL msg=audit(1524920677.244:1631980): arch=c000003e syscall=59 success=yes exit=0 a0=7fff0849fed0 a1=7fff0849e760 a2=7fff0849e770 a3=5b5 items=3 ppid=1 pid=12237 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="r.sh" exe="/bin/bash" key="webserver-watch-tmp"
type=EXECVE msg=audit(1524920677.244:1631980): argc=2 a0="/bin/bash" a1="/tmp/r.sh"
type=EXECVE msg=audit(1524920677.244:1631980): argc=1 a0="/bin/bash"
type=CWD msg=audit(1524920677.244:1631980): cwd="/var/www/username/data/www/folder address of the site"
type=PATH msg=audit(1524920677.244:1631980): item=0 name="/tmp/r.sh" inode=57543177 dev=fd:01 mode=0100755 ouid=33 ogid=33 rdev=00:00
type=PATH msg=audit(1524920677.244:1631980): item=1 name=(null) inode=42459137 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1524920677.244:1631980): item=2 name=(null) inode=27025442 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
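An added example (not from the question or the answer) of how to read an event like the one above programmatically: auditd emits several records per event, all sharing the same msg=audit(timestamp:serial) id, so the first step is to group the SYSCALL, EXECVE, CWD and PATH records by serial and then pull the execution context out of each. The sample log below is constructed from the question's records with the site directory replaced by the placeholder /var/www/site; the interpretation of auid=4294967295 (no login session), ppid=1 (parent already gone, process reparented to init) and uid 33 (www-data on Debian) reflects standard auditd/Debian semantics, not anything stated on the page.

```python
import re
from collections import defaultdict

# Constructed sample: the records from the question, with the cwd replaced
# by a placeholder. One record per line, key=value tokens, as auditd logs them.
SAMPLE = """\
type=SYSCALL msg=audit(1524920677.244:1631980): arch=c000003e syscall=59 success=yes exit=0 a0=7fff0849fed0 a1=7fff0849e760 a2=7fff0849e770 a3=5b5 items=3 ppid=1 pid=12237 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="r.sh" exe="/bin/bash" key="webserver-watch-tmp"
type=EXECVE msg=audit(1524920677.244:1631980): argc=2 a0="/bin/bash" a1="/tmp/r.sh"
type=CWD msg=audit(1524920677.244:1631980): cwd="/var/www/site"
type=PATH msg=audit(1524920677.244:1631980): item=0 name="/tmp/r.sh" inode=57543177 dev=fd:01 mode=0100755 ouid=33 ogid=33 rdev=00:00
type=PATH msg=audit(1524920677.244:1631980): item=1 name=(null) inode=42459137 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1524920677.244:1631980): item=2 name=(null) inode=27025442 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
"""

# Values are either "quoted", (parenthesised) like (none)/(null), or bare.
TOKEN = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
UNSET = 4294967295          # auid/ses "unset": not started from a login session
X86_64_SYSCALLS = {59: "execve"}  # what ausearch -i would print for syscall=59
DEBIAN_UIDS = {0: "root", 33: "www-data"}  # hypothetical lookup; use /etc/passwd on the host


def parse_record(line):
    """Turn one audit record into a dict; timestamp and serial get '_' keys."""
    m = MSG.search(line)
    fields = {k: v.strip('"') for k, v in TOKEN.findall(line)}
    fields["_ts"], fields["_serial"] = m.group(1), m.group(2)
    return fields


def group_events(text):
    """Group records by serial number so one execve shows up as one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("type="):
            rec = parse_record(line)
            events[rec["_serial"]].append(rec)
    return events


def summarize(records):
    """Extract who ran what, from where, for one grouped event."""
    by_type = defaultdict(list)
    for r in records:
        by_type[r["type"]].append(r)
    sc = by_type["SYSCALL"][0]
    ev = by_type["EXECVE"][0] if by_type["EXECVE"] else None
    argv = [ev[f"a{i}"] for i in range(int(ev["argc"]))] if ev else []
    # PATH items with name=(null) are the interpreter/loader resolved by the kernel
    paths = [p["name"] for p in by_type["PATH"] if p["name"] != "(null)"]
    uid = int(sc["uid"])
    return {
        "serial": sc["_serial"],
        "syscall": X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"]),
        "pid": int(sc["pid"]),
        "ppid": int(sc["ppid"]),
        "uid": uid,
        "user": DEBIAN_UIDS.get(uid, str(uid)),
        "exe": sc["exe"],
        "argv": argv,
        "cwd": by_type["CWD"][0]["cwd"] if by_type["CWD"] else None,
        "key": sc["key"],
        "paths": paths,
        "no_login_session": int(sc["auid"]) == UNSET,
        "parent_exited": int(sc["ppid"]) == 1,
    }


def triage_notes(s):
    """Plain-language hints a responder would draw from the summary."""
    notes = []
    if s["parent_exited"]:
        notes.append(f"ppid=1: the parent of pid {s['pid']} had already exited, so the "
                     "launcher is not in this event; search earlier records for the "
                     "process that created the file and for execs by the same uid.")
    if s["no_login_session"]:
        notes.append("auid unset: not started from an interactive login, consistent "
                     "with a daemon (e.g. the web server) spawning it.")
    if s["cwd"]:
        notes.append(f"cwd={s['cwd']}: the caller's working directory, usually the "
                     "site whose code or cron job launched the script.")
    return notes


if __name__ == "__main__":
    for serial, recs in group_events(SAMPLE).items():
        summary = summarize(recs)
        print(summary)
        for n in triage_notes(summary):
            print(" -", n)
```

The SYSCALL record tells you the identity (uid/euid, auid, ses), the EXECVE record the real command line, CWD the directory the caller was in, and the PATH records the files that were resolved (the script itself and, with name=(null), the interpreter and loader). When ppid is 1 the spawning process is already gone, which is why this single event cannot name it; the evidence is the working directory and any earlier events under the same rule key that touched /tmp/r.sh.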

1 Answer

and why he's supposed to be elementary could be run to clean up
