auditctl - files being created on the server


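I have run into a situation where I need help. I appreciate any feedback and assistance.

The file wp-signups.php is being created automatically in public_html. If I delete the file, it is recreated immediately.

I set up auditctl, but I am having a hard time interpreting the logs to see which script created the file. From auditctl I get the pid and run the command

ausearch -f /path.../wp-signups.php

But in the results I don't see the actual script responsible for creating the file. Here is part of the response: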

time->Mon Dec  6 09:45:02 2021 type=PATH msg=audit(1638801902.799:297632): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801902.799:297632):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801902.799:297632): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:04 2021 type=PATH msg=audit(1638801904.800:297634): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801904.800:297634): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801904.800:297634):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801904.800:297634): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:04 2021 type=PATH msg=audit(1638801904.800:297636): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801904.800:297636): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801904.800:297636):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801904.800:297636): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:04 2021 type=PATH msg=audit(1638801904.800:297637): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801904.800:297637):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801904.800:297637): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:06 2021 type=PATH msg=audit(1638801906.800:297641): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801906.800:297641): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801906.800:297641):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801906.800:297641): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:06 2021 type=PATH msg=audit(1638801906.801:297643): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801906.801:297643): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801906.801:297643):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801906.801:297643): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:06 2021 type=PATH msg=audit(1638801906.801:297644): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801906.801:297644):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801906.801:297644): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:08 2021 type=PATH msg=audit(1638801908.801:297646): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801908.801:297646): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801908.801:297646):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801908.801:297646): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:08 2021 type=PATH msg=audit(1638801908.801:297648): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801908.801:297648): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801908.801:297648):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801908.801:297648): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:08 2021 type=PATH msg=audit(1638801908.802:297649): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801908.802:297649):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801908.802:297649): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:10 2021 type=PATH msg=audit(1638801910.802:297651): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801910.802:297651): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801910.802:297651):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801910.802:297651): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:10 2021 type=PATH msg=audit(1638801910.802:297653): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801910.802:297653): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801910.802:297653):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801910.802:297653): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:10 2021 type=PATH msg=audit(1638801910.802:297654): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801910.802:297654):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801910.802:297654): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:12 2021 type=PATH msg=audit(1638801912.803:297656): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801912.803:297656): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801912.803:297656):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801912.803:297656): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:12 2021 type=PATH msg=audit(1638801912.803:297658): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801912.803:297658): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801912.803:297658):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801912.803:297658): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:12 2021 type=PATH msg=audit(1638801912.803:297659): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801912.803:297659):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801912.803:297659): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:14 2021 type=PATH msg=audit(1638801914.804:297661): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801914.804:297661): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801914.804:297661):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801914.804:297661): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:14 2021 type=PATH msg=audit(1638801914.804:297663): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801914.804:297663): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801914.804:297663):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801914.804:297663): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:14 2021 type=PATH msg=audit(1638801914.804:297664): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801914.804:297664):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801914.804:297664): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:16 2021 type=PATH msg=audit(1638801916.804:297666): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801916.804:297666): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801916.804:297666):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801916.804:297666): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:16 2021 type=PATH msg=audit(1638801916.804:297668): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801916.804:297668): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801916.804:297668):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801916.804:297668): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:16 2021 type=PATH msg=audit(1638801916.805:297669): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801916.805:297669):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801916.805:297669): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:18 2021 type=PATH msg=audit(1638801918.805:297671): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801918.805:297671): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801918.805:297671):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801918.805:297671): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:18 2021 type=PATH msg=audit(1638801918.805:297673): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801918.805:297673): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801918.805:297673):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801918.805:297673): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:18 2021 type=PATH msg=audit(1638801918.805:297674): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801918.805:297674):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801918.805:297674): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:20 2021 type=PATH msg=audit(1638801920.806:297676): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801920.806:297676): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801920.806:297676):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801920.806:297676): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:20 2021 type=PATH msg=audit(1638801920.806:297678): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801920.806:297678): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801920.806:297678):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801920.806:297678): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:20 2021 type=PATH msg=audit(1638801920.806:297679): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801920.806:297679):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801920.806:297679): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:22 2021 type=PATH msg=audit(1638801922.807:297681): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801922.807:297681): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801922.807:297681):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801922.807:297681): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:22 2021 type=PATH msg=audit(1638801922.807:297683): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801922.807:297683): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801922.807:297683):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801922.807:297683): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:22 2021 type=PATH msg=audit(1638801922.807:297684): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801922.807:297684):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801922.807:297684): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:24 2021 type=PATH msg=audit(1638801924.807:297686): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801924.807:297686): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801924.807:297686):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801924.807:297686): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:24 2021 type=PATH msg=audit(1638801924.808:297688): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801924.808:297688): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801924.808:297688):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801924.808:297688): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:24 2021 type=PATH msg=audit(1638801924.808:297689): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801924.808:297689):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801924.808:297689): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)

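Can someone help me identify the script responsible for creating this file? Thanks.

Answer 1

> But in the results I don't see the actual script responsible for creating the file. Here is part of the response:

Yes, because the script isn't run as a standalone program; it is run by the web server through FastCGI. The "php-fpm" you see is a long-running PHP FastCGI service; it handles many PHP requests within the same process.

> Can someone help me identify the script responsible for creating this file? Thanks.

You have the exact time at which the HTTP request was made; search your web server's access logs for that timestamp. They should contain at least the URL that was accessed.

You can also enable the same kind of logging in PHP-FPM through its access.log = pool option (note: that is not a php.ini option). This will work like the web server's access.log, but can also include the actual PHP script path that was executed (which is useful if the original URL goes through several layers of RewriteRules).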
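The correlation described in this answer, as an added example that is not part of the original answer: it pulls the CREATE events for a file out of ausearch text and matches each one to the PHP-FPM access-log request served by the same worker PID whose serving interval covers the event. The `access.format` line, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample, shaped like the ausearch output in the question.
AUDIT_SAMPLE = """\
type=PATH msg=audit(1638801904.800:297634): item=1 name="wp-signups.php" nametype=DELETE
type=SYSCALL msg=audit(1638801904.800:297634): arch=c000003e syscall=87 success=yes ppid=26899 pid=6638 comm="php-fpm"
type=PATH msg=audit(1638801904.800:297636): item=1 name="/home/example/public_html/wp-signups.php" nametype=CREATE
type=SYSCALL msg=audit(1638801904.800:297636): arch=c000003e syscall=2 success=yes ppid=26899 pid=6638 comm="php-fpm"
"""

# Constructed PHP-FPM access log, assuming this pool setting (an assumption):
#   access.log    = /var/log/php-fpm/$pool.access.log
#   access.format = "%t pid=%p dur=%{seconds}d %m %r script=%f"
# %t = time the request was received, %p = worker PID, %d = time taken,
# %f = script filename actually executed.
FPM_SAMPLE = """\
06/Dec/2021:09:45:03 -0500 pid=6640 dur=0.120 GET /index.php script=/home/example/public_html/index.php
06/Dec/2021:09:44:58 -0500 pid=6638 dur=30.002 POST /wp-content/cache/job.php script=/home/example/public_html/wp-content/cache/job.php
06/Dec/2021:09:45:04 -0500 pid=6641 dur=0.050 GET /wp-login.php script=/home/example/public_html/wp-login.php
"""

RECORD_START = re.compile(r"(?=type=[A-Z_]+ msg=audit\()")
AUDIT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FPM_LINE = re.compile(
    r"^(?P<t>\S+ [+-]\d{4}) pid=(?P<pid>\d+) dur=(?P<dur>[\d.]+) "
    r"(?P<method>\S+) (?P<uri>\S+) script=(?P<script>.+)$"
)


def file_events(audit_text, filename, nametypes=("CREATE",)):
    """Return sorted (epoch, pid) pairs for audit events touching filename.

    Records are grouped by audit serial number, so it does not matter
    whether they arrive one per line or run together on a single line.
    """
    events = {}
    for record in RECORD_START.split(audit_text):
        m = AUDIT_ID.search(record)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"ts": float(m.group(1)), "pid": None, "hit": False})
        if record.startswith("type=SYSCALL"):
            pid = re.search(r"\bpid=(\d+)", record)  # \b keeps ppid= from matching
            if pid:
                ev["pid"] = int(pid.group(1))
        elif record.startswith("type=PATH"):
            name = re.search(r'\bname="([^"]*)"', record)
            kind = re.search(r"\bnametype=(\w+)", record)
            if name and kind and kind.group(1) in nametypes and name.group(1).endswith(filename):
                ev["hit"] = True
    return sorted((e["ts"], e["pid"]) for e in events.values() if e["hit"] and e["pid"])


def fpm_requests(fpm_text):
    """Parse access-log lines written with the assumed access.format."""
    for line in fpm_text.splitlines():
        m = FPM_LINE.match(line)
        if m:
            start = datetime.strptime(m["t"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
            yield {"start": start, "dur": float(m["dur"]), "pid": int(m["pid"]),
                   "uri": m["uri"], "script": m["script"]}


def correlate(audit_text, fpm_text, filename, slack=1.0):
    """Match each file event to requests by worker PID and serving interval."""
    requests = list(fpm_requests(fpm_text))
    matches = []
    for ts, pid in file_events(audit_text, filename):
        for r in requests:
            if r["pid"] == pid and r["start"] - slack <= ts <= r["start"] + r["dur"] + slack:
                matches.append((ts, pid, r["uri"], r["script"]))
    return matches


if __name__ == "__main__":
    for ts, pid, uri, script in correlate(AUDIT_SAMPLE, FPM_SAMPLE, "wp-signups.php"):
        print(f"{ts} pid={pid} uri={uri} script={script}")
```

Matching on the request interval rather than a single timestamp matters because an access-log line is only written when the request finishes, so a long-running request that recreates the file repeatedly shows up with a start time earlier than the audit events.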
