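A situation has come up where I need help. I would appreciate any feedback and help.
A wp-signups.php file is automatically created in public_html. When I delete the file, it is immediately created again.
I set up auditctl, but I had a hard time interpreting the logs to find the script that created the file. I get the pid from auditctl and run the command:
ausearch -f /path.../wp-signups.php
However, the results do not show the actual script responsible for creating the file. Here is part of the response: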
time->Mon Dec 6 09:45:02 2021 type=PATH msg=audit(1638801902.799:297632): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801902.799:297632): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801902.799:297632): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:04 2021 type=PATH msg=audit(1638801904.800:297634): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801904.800:297634): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801904.800:297634): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801904.800:297634): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:04 2021 type=PATH msg=audit(1638801904.800:297636): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801904.800:297636): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801904.800:297636): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801904.800:297636): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:04 2021 type=PATH msg=audit(1638801904.800:297637): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801904.800:297637): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801904.800:297637): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:06 2021 type=PATH msg=audit(1638801906.800:297641): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801906.800:297641): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801906.800:297641): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801906.800:297641): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:06 2021 type=PATH msg=audit(1638801906.801:297643): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801906.801:297643): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801906.801:297643): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801906.801:297643): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:06 2021 type=PATH msg=audit(1638801906.801:297644): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801906.801:297644): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801906.801:297644): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:08 2021 type=PATH msg=audit(1638801908.801:297646): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801908.801:297646): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801908.801:297646): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801908.801:297646): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:08 2021 type=PATH msg=audit(1638801908.801:297648): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801908.801:297648): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801908.801:297648): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801908.801:297648): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:08 2021 type=PATH msg=audit(1638801908.802:297649): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801908.802:297649): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801908.802:297649): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:10 2021 type=PATH msg=audit(1638801910.802:297651): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801910.802:297651): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801910.802:297651): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801910.802:297651): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:10 2021 type=PATH msg=audit(1638801910.802:297653): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801910.802:297653): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801910.802:297653): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801910.802:297653): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:10 2021 type=PATH msg=audit(1638801910.802:297654): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801910.802:297654): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801910.802:297654): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:12 2021 type=PATH msg=audit(1638801912.803:297656): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801912.803:297656): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801912.803:297656): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801912.803:297656): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:12 2021 type=PATH msg=audit(1638801912.803:297658): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801912.803:297658): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801912.803:297658): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801912.803:297658): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:12 2021 type=PATH msg=audit(1638801912.803:297659): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801912.803:297659): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801912.803:297659): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:14 2021 type=PATH msg=audit(1638801914.804:297661): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801914.804:297661): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801914.804:297661): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801914.804:297661): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:14 2021 type=PATH msg=audit(1638801914.804:297663): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801914.804:297663): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801914.804:297663): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801914.804:297663): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:14 2021 type=PATH msg=audit(1638801914.804:297664): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801914.804:297664): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801914.804:297664): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:16 2021 type=PATH msg=audit(1638801916.804:297666): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801916.804:297666): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801916.804:297666): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801916.804:297666): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:16 2021 type=PATH msg=audit(1638801916.804:297668): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801916.804:297668): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801916.804:297668): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801916.804:297668): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:16 2021 type=PATH msg=audit(1638801916.805:297669): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801916.805:297669): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801916.805:297669): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:18 2021 type=PATH msg=audit(1638801918.805:297671): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801918.805:297671): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801918.805:297671): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801918.805:297671): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:18 2021 type=PATH msg=audit(1638801918.805:297673): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801918.805:297673): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801918.805:297673): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801918.805:297673): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:18 2021 type=PATH msg=audit(1638801918.805:297674): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801918.805:297674): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801918.805:297674): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:20 2021 type=PATH msg=audit(1638801920.806:297676): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801920.806:297676): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801920.806:297676): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801920.806:297676): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:20 2021 type=PATH msg=audit(1638801920.806:297678): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801920.806:297678): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801920.806:297678): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801920.806:297678): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:20 2021 type=PATH msg=audit(1638801920.806:297679): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801920.806:297679): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801920.806:297679): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:22 2021 type=PATH msg=audit(1638801922.807:297681): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801922.807:297681): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801922.807:297681): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801922.807:297681): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:22 2021 type=PATH msg=audit(1638801922.807:297683): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801922.807:297683): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801922.807:297683): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801922.807:297683): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:22 2021 type=PATH msg=audit(1638801922.807:297684): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801922.807:297684): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801922.807:297684): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:24 2021 type=PATH msg=audit(1638801924.807:297686): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801924.807:297686): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801924.807:297686): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801924.807:297686): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:24 2021 type=PATH msg=audit(1638801924.808:297688): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801924.808:297688): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801924.808:297688): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801924.808:297688): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec 6 09:45:24 2021 type=PATH msg=audit(1638801924.808:297689): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801924.808:297689): cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801924.808:297689): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
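Can someone help me identify the script that created the file? Thank you.
Answer 1
However, the results do not show the actual script responsible for creating the file. Here is part of the response:
Yes, that is because the script is not run as a standalone program but is run by the web server through FastCGI. The "php-fpm" you are seeing is the long-running PHP FastCGI service. It handles many PHP requests in the same process.
Can someone help me identify the script that created the file? Thank you.
You know the exact time the HTTP request was made. Search the web server's access log for that timestamp. It should at least contain the URL that was accessed.
You can additionally enable the same kind of logging in PHP-FPM through the pool option access.log = (note: not a php.ini option). It works like the web server's access.log, but it can additionally include the actual path of the PHP script that was executed (useful if the original URL went through several layers of RewriteRules).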
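The correlation described in this answer, as an added example that is not part of the original answer: it pulls the CREATE events for a file out of ausearch output and lists the access-log requests logged within a few seconds of each one. The combined log format, the `window` parameter, the function names and both sample inputs are assumptions constructed for illustration.

```python
import re
from datetime import datetime

AUDIT_MSG = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
PID = re.compile(r"\bpid=(\d+)")  # \b keeps this from matching inside ppid=
# Common/combined log format: host ident user [time] "METHOD URL PROTO" status
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample input, trimmed to the fields this example reads.
SAMPLE_AUSEARCH = """\
----
time->Mon Dec  6 09:45:04 2021
type=PATH msg=audit(1638801904.800:297634): item=1 name="wp-signups.php" nametype=DELETE
type=SYSCALL msg=audit(1638801904.800:297634): syscall=87 success=yes ppid=26899 pid=6638 comm="php-fpm"
----
time->Mon Dec  6 09:45:04 2021
type=PATH msg=audit(1638801904.800:297636): item=1 name="/home/enotal1/public_html/wp-signups.php" nametype=CREATE
type=PATH msg=audit(1638801904.800:297636): item=0 name="/home/enotal1/public_html/" nametype=PARENT
type=SYSCALL msg=audit(1638801904.800:297636): syscall=2 success=yes ppid=26899 pid=6638 comm="php-fpm"
"""

# Constructed access log lines (documentation IP ranges, placeholder URLs).
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [06/Dec/2021:09:44:10 -0500] "GET /index.php HTTP/1.1" 200 5123
203.0.113.20 - - [06/Dec/2021:09:45:03 -0500] "POST /constructed-example.php HTTP/1.1" 200 12
198.51.100.7 - - [06/Dec/2021:09:45:30 -0500] "GET /wp-cron.php HTTP/1.1" 200 0
"""


def creation_events(ausearch_text, filename):
    """Return [(epoch, serial, pid)] for audit events that CREATEd `filename`."""
    name_re = re.compile(r'name="(?:[^"]*/)?%s"' % re.escape(filename))
    events = []
    for record in re.split(r"^----", ausearch_text, flags=re.M):
        # Split one event into its type=... records; this also works when
        # the whole event has been flattened onto a single line.
        parts = re.split(r"(?=\btype=[A-Z_]+\s)", record)
        created = any(
            p.startswith("type=PATH") and "nametype=CREATE" in p and name_re.search(p)
            for p in parts
        )
        msg, pid = AUDIT_MSG.search(record), PID.search(record)
        if created and msg and pid:
            # pid is the php-fpm worker that served the request, not the script.
            events.append((int(msg.group(1)), int(msg.group(2)), int(pid.group(1))))
    return events


def candidate_requests(events, access_log_text, window=5):
    """Map each event serial to requests logged within `window` seconds of it."""
    requests = []
    for line in access_log_text.splitlines():
        m = ACCESS.match(line)
        if m:
            # %z makes the datetime timezone-aware, so it compares correctly
            # with the epoch seconds in msg=audit(...).
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            requests.append((int(when.timestamp()), m.group(1), m.group(3), m.group(4)))
    # The logged time can be the start or the end of the request depending on
    # the server, so look on both sides of the audit event.
    return {
        serial: [r for r in requests if abs(epoch - r[0]) <= window]
        for epoch, serial, _pid in events
    }


if __name__ == "__main__":
    found = creation_events(SAMPLE_AUSEARCH, "wp-signups.php")
    for serial, hits in candidate_requests(found, SAMPLE_ACCESS_LOG).items():
        print(serial, hits)
```

A request that keeps running and rewrites the file in a loop may have been logged long before the audit events, so widen `window` when nothing matches.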