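I have a situation where I need help. I would appreciate any feedback or help.
A file named wp-signups.php is being created automatically in public_html. Even when I delete this file, it is recreated immediately.
I set up auditctl, but I had a hard time interpreting the logs to see which script created the file. I get the pid from auditctl and run the command: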
ausearch -f /path.../wp-signups.php
But the results do not show the actual script responsible for creating the file. Here is part of the response:
time->Mon Dec 6 09:45:02 2021 type=PATH msg=audit(1638801902.799:297632): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801902.799:297632): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801902.799:297632): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:04 2021 type=PATH msg=audit(1638801904.800:297634): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801904.800:297634): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801904.800:297634): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801904.800:297634): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:04 2021 type=PATH msg=audit(1638801904.800:297636): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801904.800:297636): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801904.800:297636): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801904.800:297636): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:04 2021 type=PATH msg=audit(1638801904.800:297637): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801904.800:297637): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801904.800:297637): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:06 2021 type=PATH msg=audit(1638801906.800:297641): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801906.800:297641): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801906.800:297641): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801906.800:297641): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:06 2021 type=PATH msg=audit(1638801906.801:297643): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801906.801:297643): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801906.801:297643): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801906.801:297643): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:06 2021 type=PATH msg=audit(1638801906.801:297644): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801906.801:297644): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801906.801:297644): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:08 2021 type=PATH msg=audit(1638801908.801:297646): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801908.801:297646): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801908.801:297646): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801908.801:297646): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:08 2021 type=PATH msg=audit(1638801908.801:297648): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801908.801:297648): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801908.801:297648): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801908.801:297648): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:08 2021 type=PATH msg=audit(1638801908.802:297649): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801908.802:297649): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801908.802:297649): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:10 2021 type=PATH msg=audit(1638801910.802:297651): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801910.802:297651): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801910.802:297651): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801910.802:297651): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:10 2021 type=PATH msg=audit(1638801910.802:297653): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801910.802:297653): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801910.802:297653): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801910.802:297653): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:10 2021 type=PATH msg=audit(1638801910.802:297654): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801910.802:297654): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801910.802:297654): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:12 2021 type=PATH msg=audit(1638801912.803:297656): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801912.803:297656): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801912.803:297656): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801912.803:297656): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:12 2021 type=PATH msg=audit(1638801912.803:297658): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801912.803:297658): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801912.803:297658): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801912.803:297658): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:12 2021 type=PATH msg=audit(1638801912.803:297659): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801912.803:297659): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801912.803:297659): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:14 2021 type=PATH msg=audit(1638801914.804:297661): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801914.804:297661): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801914.804:297661): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801914.804:297661): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:14 2021 type=PATH msg=audit(1638801914.804:297663): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801914.804:297663): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801914.804:297663): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801914.804:297663): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:14 2021 type=PATH msg=audit(1638801914.804:297664): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801914.804:297664): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801914.804:297664): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:16 2021 type=PATH msg=audit(1638801916.804:297666): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801916.804:297666): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801916.804:297666): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801916.804:297666): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:16 2021 type=PATH msg=audit(1638801916.804:297668): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801916.804:297668): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801916.804:297668): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801916.804:297668): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:16 2021 type=PATH msg=audit(1638801916.805:297669): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801916.805:297669): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801916.805:297669): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:18 2021 type=PATH msg=audit(1638801918.805:297671): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801918.805:297671): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801918.805:297671): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801918.805:297671): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:18 2021 type=PATH msg=audit(1638801918.805:297673): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801918.805:297673): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801918.805:297673): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801918.805:297673): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:18 2021 type=PATH msg=audit(1638801918.805:297674): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801918.805:297674): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801918.805:297674): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:20 2021 type=PATH msg=audit(1638801920.806:297676): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801920.806:297676): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801920.806:297676): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801920.806:297676): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:20 2021 type=PATH msg=audit(1638801920.806:297678): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801920.806:297678): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801920.806:297678): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801920.806:297678): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:20 2021 type=PATH msg=audit(1638801920.806:297679): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801920.806:297679): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801920.806:297679): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:22 2021 type=PATH msg=audit(1638801922.807:297681): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801922.807:297681): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801922.807:297681): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801922.807:297681): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:22 2021 type=PATH msg=audit(1638801922.807:297683): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801922.807:297683): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801922.807:297683): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801922.807:297683): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:22 2021 type=PATH msg=audit(1638801922.807:297684): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801922.807:297684): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801922.807:297684): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:24 2021 type=PATH msg=audit(1638801924.807:297686): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801924.807:297686): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801924.807:297686): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801924.807:297686): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:24 2021 type=PATH msg=audit(1638801924.808:297688): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801924.808:297688): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801924.808:297688): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801924.808:297688): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:24 2021 type=PATH msg=audit(1638801924.808:297689): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801924.808:297689): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801924.808:297689): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
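Could someone help me identify the script that created the file? Thanks in advance.
Answer 1
> But the results do not show the actual script responsible for creating the file. Here is part of the response:
Yes, that is because the script is not being run as a standalone program; it is executed by the web server via FastCGI. The "php-fpm" you see is a long-running PHP FastCGI service that handles many PHP requests in the same process.
> Could someone help me identify the script that created the file? Thanks in advance.
If you know the exact time the HTTP request was made, search the web server's access log for that timestamp. It should at least contain the URL that was accessed.
You can also enable the same kind of log in the PHP-FPM pool options with access.log = (note: not a php.ini option). This works like the web server's access.log, but can additionally include the actual PHP script path that was executed (useful if the original URL goes through many layers of RewriteRules).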
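The correlation the answer describes, as an added example that is not part of the original answer: it matches audit CREATE events to PHP-FPM access-log entries by worker PID and time. The `access.log` path, the `access.format` string, the function names and all sample lines and script paths are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumed pool settings (pool config, not php.ini); path and format chosen for this example:
#   access.log = /var/log/php-fpm/$pool.access.log
#   access.format = "%{%Y-%m-%dT%H:%M:%S%z}t %p %{mili}d %m %r %f"
# %t = request start, %p = worker PID, %{mili}d = duration in ms, %f = script file.
AUDIT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PID = re.compile(r"\bpid=(\d+)")            # \b keeps this from matching ppid=
PATH_NAME = re.compile(r'\bname="([^"]*)"')
FPM_LINE = re.compile(r"^(\S+) (\d+) ([\d.]+) (\S+) (\S+) (.+)$")
SLACK = 1.0  # seconds; %t only has one-second resolution

# Constructed raw audit records (one record per line, as in audit.log).
AUDIT_SAMPLE = """\
type=SYSCALL msg=audit(1638801904.800:297634): arch=c000003e syscall=87 success=yes ppid=26899 pid=6638 comm="php-fpm"
type=PATH msg=audit(1638801904.800:297634): item=1 name="wp-signups.php" nametype=DELETE
type=SYSCALL msg=audit(1638801904.800:297636): arch=c000003e syscall=2 success=yes ppid=26899 pid=6638 comm="php-fpm"
type=PATH msg=audit(1638801904.800:297636): item=1 name="/home/example/public_html/wp-signups.php" nametype=CREATE
""".splitlines()

# Constructed PHP-FPM access-log lines in the assumed format.
FPM_SAMPLE = """\
2021-12-06T09:44:50-0500 6638 120.004 GET /index.php /home/example/public_html/index.php
2021-12-06T09:45:04-0500 7001 900.250 GET /index.php /home/example/public_html/index.php
2021-12-06T09:45:04-0500 6638 950.112 POST /index.php /home/example/public_html/wp-content/uploads/placeholder.php
""".splitlines()

def creation_events(lines, target):
    """Return [(epoch, serial, pid)] for audit events that CREATE a path ending in target."""
    events = {}
    for line in lines:
        m = AUDIT_ID.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"epoch": float(m.group(1)), "pid": None, "hit": False})
        if "type=SYSCALL" in line:
            p = PID.search(line)
            if p:
                ev["pid"] = int(p.group(1))
        elif "type=PATH" in line and "nametype=CREATE" in line:
            n = PATH_NAME.search(line)
            if n and n.group(1).endswith(target):
                ev["hit"] = True
    return sorted((e["epoch"], s, e["pid"]) for s, e in events.items() if e["hit"])

def parse_fpm(lines):
    """Parse access-log lines into dicts with start/end epoch, pid and script path."""
    out = []
    for line in lines:
        m = FPM_LINE.match(line)
        if not m:
            continue
        start = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S%z").timestamp()
        out.append({"start": start, "end": start + float(m.group(3)) / 1000.0,
                    "pid": int(m.group(2)), "script": m.group(6)})
    return out

def find_scripts(events, requests):
    """For each event, return (serial, script) of the request the same worker was serving."""
    results = []
    for epoch, serial, pid in events:
        match = next((r["script"] for r in requests
                      if r["pid"] == pid and r["start"] <= epoch <= r["end"] + SLACK), None)
        results.append((serial, match))
    return results

if __name__ == "__main__":
    evs = creation_events(AUDIT_SAMPLE, "wp-signups.php")
    for serial, script in find_scripts(evs, parse_fpm(FPM_SAMPLE)):
        print(f"audit event {serial}: {script or 'no matching request logged'}")
```

PHP-FPM writes an access-log line only when the request finishes, so a request that is still running when the audit event fires will show up as unmatched until it ends.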