Sometimes it's very frustrating to work out how suspicious files ended up stored in the /tmp directory. How can I find out who put a file there? Since this file is in the /tmp directory, it was most likely put there by a vulnerable PHP script.
Look into the access log file(s) in the /usr/local/apache/domlogs directory for the file “psync.txt” and see if you can find the site that was used to upload the file to your server.
Use the following command at the prompt:
- grep -i "psync.txt" /usr/local/apache/domlogs/*
OR
- grep -i "psync.txt" PATH_TO_APACHE_domlogs/*
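The same search wrapped as a small shell function that names the site log, client IP, time and request for each hit; this is an added example, not part of the original post. The function names `find_uploader` and `make_sample_logs` are hypothetical, the sample log lines are constructed, and the Apache combined log format is assumed.

```shell
#!/bin/sh
# find_uploader NAME LOGDIR
# Prints one line per hit: log file (one per site), client IP, time, method, URL, status.
# Assumes combined log format and a LOGDIR path that contains no ":" character.
find_uploader() {
    # -i case-insensitive (as in the command above), -F literal match so "." is
    # not a wildcard, -H always print the log file name even for a single file.
    grep -iFH -- "$1" "$2"/* 2>/dev/null | awk '{
        i = index($0, ":")                 # first ":" ends the file name grep prepended
        file = substr($0, 1, i - 1)
        sub(/.*\//, "", file)              # keep only the log name, i.e. the site
        split(substr($0, i + 1), f, " ")   # whitespace-separated log fields
        sub(/^\[/, "", f[4])               # "[12/Mar/2024:04:12:45" -> timestamp
        sub(/^"/, "", f[6])                # leading quote before the method
        print file, f[1], f[4], f[6], f[7], f[9]
    }'
}

# Constructed sample logs (not real traffic), one file per site as in domlogs.
make_sample_logs() {
    d=$(mktemp -d) || return 1
    cat > "$d/site-a.example" <<'EOF'
192.0.2.10 - - [12/Mar/2024:04:11:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
    cat > "$d/site-b.example" <<'EOF'
198.51.100.7 - - [12/Mar/2024:04:12:45 +0000] "GET /gallery.php?img=psync.txt HTTP/1.1" 200 312 "-" "curl/8.0"
203.0.113.5 - - [12/Mar/2024:04:13:00 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
    echo "$d"
}
```

On a real server, call it as `find_uploader psync.txt /usr/local/apache/domlogs` and compare the hit times with the file's modification time from `ls -l --time-style=full-iso /tmp/psync.txt`.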