CSF Firewall cpanel Suspicious File Alert /dev/shm/set
csf Reason: Linux Binary - warning: Suspicious file types found in /dev
cpanel Suspicious File Alert /dev/shm/set - webshell - /dev/shm and /tmp
cpanel Suspicious File Alert File: /dev/shm/set

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen
Suspicious File Alert: Tracking where the file has come from


AlmaLinux user


file set dev/shm
! Action

user sudo root


1- csf


2- ImunifyAV
backdoor !
Cloudlinux Cage

3- allow_url_fopen MultiPHP INI Editor

The allow_url_fopen is a setting managed through the PHP Options which allows PHP file functions to retrieve data from remote locations over FTP or HTTP. This option is a significant security risk, thus, do not turn it on without necessity.

The Allow_url_fopen function can retrieve information from a remote server. This function will be in deactivation server-wide for all domains on the majority of shared servers. We have to disable this since it poses a severe security risk. For security reasons, in a shared hosting account allow_url_fopen is disabled by default. Note that in a shared account the allow_url_fopen is by default disabled. The allow_url_fopen PHP option specifies whether or not PHP is permitted to fetch URL objects such as files. This feature is frequently disabled for security reasons, although some scripts may require it to function properly. Users who attempt to enable or disable this via the MultiPHP INI Editor in cPanel may notice that their scripts or PHP information pages are not updated. Disable allow_url_fopen on a Linux/cPanel Server There is a high probability for a website to get weak for hackers if the allow_url_fopen is in the activation stage on the server. So most hosting companies opt to disable it to ensure security. The probability and the chances of website compromisation if this directive is active globally on the server.

4- /dev/shm /tmp writeable
block disable_functions php

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

Your basically disabling some stuff that makes it much easier to hack your server. Like anything if your not using it then no need to leave it for the world to take advantage of.

/dev/shm and /tmp are world writeable; any user can write files there. There is no 100% way to block these. ModSecurity and CXS can help. However the only way to not have your customers be infected with these is to make them keep their CMS software (joomla, wordpress, etc.) fully updated and with good strong administrative passwords. You can also set in /usr/local/lib/php.ini the disable_functions setting to disallow exec and other risky php functions. Mine is set something like: