auditctl – a file is being created on the server


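I have run into a situation where I need help. I would really appreciate your feedback and assistance.

A file, wp-signups.php, is automatically created in public_html. If I delete the file, it is immediately recreated.

I set up auditctl, but I am having a hard time interpreting the logs to see which script creates the file. From auditctl I get the pid and run the command

ausearch -f /path.../wp-signups.php

But in the results I don't see the actual script responsible for creating the file. Here is part of the response: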

time->Mon Dec  6 09:45:02 2021 type=PATH msg=audit(1638801902.799:297632): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801902.799:297632):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801902.799:297632): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:04 2021 type=PATH msg=audit(1638801904.800:297634): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801904.800:297634): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801904.800:297634):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801904.800:297634): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:04 2021 type=PATH msg=audit(1638801904.800:297636): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801904.800:297636): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801904.800:297636):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801904.800:297636): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:04 2021 type=PATH msg=audit(1638801904.800:297637): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801904.800:297637):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801904.800:297637): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:06 2021 type=PATH msg=audit(1638801906.800:297641): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801906.800:297641): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801906.800:297641):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801906.800:297641): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:06 2021 type=PATH msg=audit(1638801906.801:297643): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801906.801:297643): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801906.801:297643):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801906.801:297643): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:06 2021 type=PATH msg=audit(1638801906.801:297644): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801906.801:297644):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801906.801:297644): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:08 2021 type=PATH msg=audit(1638801908.801:297646): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801908.801:297646): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801908.801:297646):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801908.801:297646): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:08 2021 type=PATH msg=audit(1638801908.801:297648): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801908.801:297648): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801908.801:297648):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801908.801:297648): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:08 2021 type=PATH msg=audit(1638801908.802:297649): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801908.802:297649):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801908.802:297649): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:10 2021 type=PATH msg=audit(1638801910.802:297651): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801910.802:297651): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801910.802:297651):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801910.802:297651): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:10 2021 type=PATH msg=audit(1638801910.802:297653): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801910.802:297653): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801910.802:297653):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801910.802:297653): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:10 2021 type=PATH msg=audit(1638801910.802:297654): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801910.802:297654):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801910.802:297654): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:12 2021 type=PATH msg=audit(1638801912.803:297656): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801912.803:297656): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801912.803:297656):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801912.803:297656): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:12 2021 type=PATH msg=audit(1638801912.803:297658): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801912.803:297658): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801912.803:297658):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801912.803:297658): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:12 2021 type=PATH msg=audit(1638801912.803:297659): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801912.803:297659):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801912.803:297659): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:14 2021 type=PATH msg=audit(1638801914.804:297661): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801914.804:297661): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801914.804:297661):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801914.804:297661): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:14 2021 type=PATH msg=audit(1638801914.804:297663): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801914.804:297663): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801914.804:297663):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801914.804:297663): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:14 2021 type=PATH msg=audit(1638801914.804:297664): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801914.804:297664):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801914.804:297664): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:16 2021 type=PATH msg=audit(1638801916.804:297666): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801916.804:297666): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801916.804:297666):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801916.804:297666): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:16 2021 type=PATH msg=audit(1638801916.804:297668): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801916.804:297668): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801916.804:297668):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801916.804:297668): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:16 2021 type=PATH msg=audit(1638801916.805:297669): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801916.805:297669):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801916.805:297669): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:18 2021 type=PATH msg=audit(1638801918.805:297671): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801918.805:297671): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801918.805:297671):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801918.805:297671): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:18 2021 type=PATH msg=audit(1638801918.805:297673): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801918.805:297673): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801918.805:297673):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801918.805:297673): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:18 2021 type=PATH msg=audit(1638801918.805:297674): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801918.805:297674):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801918.805:297674): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:20 2021 type=PATH msg=audit(1638801920.806:297676): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801920.806:297676): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801920.806:297676):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801920.806:297676): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:20 2021 type=PATH msg=audit(1638801920.806:297678): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801920.806:297678): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801920.806:297678):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801920.806:297678): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:20 2021 type=PATH msg=audit(1638801920.806:297679): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801920.806:297679):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801920.806:297679): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:22 2021 type=PATH msg=audit(1638801922.807:297681): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801922.807:297681): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801922.807:297681):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801922.807:297681): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:22 2021 type=PATH msg=audit(1638801922.807:297683): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801922.807:297683): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801922.807:297683):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801922.807:297683): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:22 2021 type=PATH msg=audit(1638801922.807:297684): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801922.807:297684):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801922.807:297684): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:24 2021 type=PATH msg=audit(1638801924.807:297686): item=1 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100444 ouid=ev=00:00 nametype=DELETE type=PATH msg=audit(1638801924.807:297686): item=0 name="/home/enotal1/public_html" inode=15046856 dev=08:18 mode=04gid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801924.807:297686):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801924.807:297686): arch=c000003e syscall=87 success=yes exit=0 a0=2b439fe87c70 a1=1 a2=22b439f6ca900 items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=5y=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:24 2021 type=PATH msg=audit(1638801924.808:297688): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 de00644 ouid=500 ogid=500 rdev=00:00 nametype=CREATE type=PATH msg=audit(1638801924.808:297688): item=0 name="/home/enotal1/public_html/" inode=15046856 dev=08:18 mode=0ogid=99 rdev=00:00 nametype=PARENT type=CWD msg=audit(1638801924.808:297688):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801924.808:297688): arch=c000003e syscall=2 success=yes exit=6 a0=7ffc885a4570 a1=241 a2=70772f6c items=2 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fone) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)
---- time->Mon Dec  6 09:45:24 2021 type=PATH msg=audit(1638801924.808:297689): item=0 name="wp-signups.php" inode=15046885 dev=08:18 mode=0100644 ouid=ev=00:00 nametype=NORMAL type=CWD msg=audit(1638801924.808:297689):  cwd="/home/enotal1/public_html" type=SYSCALL msg=audit(1638801924.808:297689): arch=c000003e syscall=90 success=yes exit=0 a0=2b439fe87c70 a1=124 a23=2b439f6ca900 items=1 ppid=26899 pid=6638 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgidtty=(none) ses=4294967295 comm="php-fpm" exe="/opt/cpanel/ea-php74/root/usr/sbin/php-fpm" key=(null)

Can anyone help me find the script responsible for creating the file? Thanks.

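Answer 1

> But in the results I don't see the actual script responsible for creating the file. Here is part of the response:

Yes, because the script is not run as a standalone program – it is run by the web server through FastCGI. The "php-fpm" you see is a long-running PHP FastCGI service; it handles many PHP requests in the same process.

> Can anyone help me find the script responsible for creating the file? Thanks.

You know the exact time the HTTP request was made – search the web server's access log for that timestamp. It should at least contain the URL that was accessed.

You can also enable the same kind of logging through PHP-FPM's access.log = pool option (note: this is not a php.ini option). It works like the web server's access.log, but can also include the path of the PHP script that was actually executed (very useful if the original URL went through several layers of RewriteRules).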
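The correlation the answer describes, as an added example that is not part of the original post: it pulls the CREATE events for the file out of ausearch output and matches each one to the PHP-FPM access-log entry whose worker pid and time interval cover it. It assumes the pool sets `access.format = "%t %d %p %s \"%m %r\" %f"`; both samples are constructed, and the `EXAMPLE-*` names are placeholders.

```python
import re
from datetime import datetime

# Constructed sample in ausearch layout, reusing the pid, serials and paths from the question.
AUDIT_SAMPLE = '''----
time->Mon Dec  6 09:45:04 2021
type=PATH msg=audit(1638801904.800:297634): item=1 name="wp-signups.php" inode=15046885 nametype=DELETE
type=SYSCALL msg=audit(1638801904.800:297634): arch=c000003e syscall=87 success=yes ppid=26899 pid=6638 uid=500 comm="php-fpm"
----
time->Mon Dec  6 09:45:04 2021
type=PATH msg=audit(1638801904.800:297636): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 nametype=CREATE
type=PATH msg=audit(1638801904.800:297636): item=0 name="/home/enotal1/public_html/" inode=15046856 nametype=PARENT
type=SYSCALL msg=audit(1638801904.800:297636): arch=c000003e syscall=2 success=yes ppid=26899 pid=6638 uid=500 comm="php-fpm"
----
time->Mon Dec  6 09:45:06 2021
type=PATH msg=audit(1638801906.801:297643): item=1 name="/home/enotal1/public_html/wp-signups.php" inode=15046885 nametype=CREATE
type=SYSCALL msg=audit(1638801906.801:297643): arch=c000003e syscall=2 success=yes ppid=26899 pid=6638 uid=500 comm="php-fpm"
'''

# Constructed PHP-FPM access log; assumes access.format = "%t %d %p %s \"%m %r\" %f".
# The EXAMPLE-* names are placeholders, not values from the page.
FPM_SAMPLE = '''06/Dec/2021:09:45:03 -0500 0.040 6640 200 "GET /index.php" /home/enotal1/public_html/index.php
06/Dec/2021:09:44:58 -0500 30.012 6638 200 "POST /EXAMPLE-REQUEST.php" /home/enotal1/public_html/EXAMPLE-SCRIPT.php
06/Dec/2021:09:45:30 -0500 0.051 6638 200 "GET /index.php" /home/enotal1/public_html/index.php
'''

RECORD = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FPM_LINE = re.compile(r'^(\S+ [+-]\d{4}) ([\d.]+) (\d+) (\d{3}) "(\S+) ([^"]*)" (.+)$')

def create_events(audit_text, filename):
    """Return sorted (epoch, pid, comm) for audit events whose PATH record CREATEs filename."""
    events = {}
    marks = list(RECORD.finditer(audit_text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(audit_text)
        body = audit_text[m.end():end]
        rtype, epoch, serial = m.groups()
        ev = events.setdefault(serial, {"epoch": float(epoch), "created": False})
        if rtype == "PATH" and "nametype=CREATE" in body:
            name = re.search(r'\bname="([^"]*)"', body)
            if name and name.group(1).endswith(filename):
                ev["created"] = True
        elif rtype == "SYSCALL":
            pid = re.search(r'\bpid=(\d+)', body)
            comm = re.search(r'\bcomm="([^"]*)"', body)
            if pid:
                ev["pid"] = int(pid.group(1))
                ev["comm"] = comm.group(1) if comm else "?"
    return sorted((e["epoch"], e["pid"], e["comm"])
                  for e in events.values() if e["created"] and "pid" in e)

def fpm_requests(log_text):
    """Yield (start, end, pid, method, uri, script) per access-log line in the assumed format."""
    for line in log_text.splitlines():
        m = FPM_LINE.match(line.strip())
        if m:
            start = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()
            yield (start, start + float(m.group(2)), int(m.group(3)),
                   m.group(5), m.group(6), m.group(7))

def suspects(audit_text, fpm_text, filename, slack=1.0):
    """Match each create to the request its worker pid was serving at that moment."""
    requests = list(fpm_requests(fpm_text))
    hits = []
    for epoch, pid, _comm in create_events(audit_text, filename):
        for start, end, rpid, method, uri, script in requests:
            # A worker serves one request at a time, so pid + time interval is enough.
            if rpid == pid and start - slack <= epoch <= end + slack:
                hits.append((epoch, pid, method, uri, script))
    return hits

if __name__ == "__main__":
    for hit in suspects(AUDIT_SAMPLE, FPM_SAMPLE, "wp-signups.php"):
        print(hit)
```

PHP-FPM writes an access-log line when the request finishes, so a script that is still running does not appear in the log until it ends.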
