
I discovered that one of my partitions was full.

rootfs                 20G  1,8G   17G  10% /
/dev/root              20G  1,8G   17G  10% /
devtmpfs              7,8G  184K  7,8G   1% /dev
none                  7,8G     0  7,8G   0% /dev/shm
none                  7,8G  600K  7,8G   1% /var/run
none                  7,8G     0  7,8G   0% /var/lock
none                  7,8G     0  7,8G   0% /lib/init/rw
/dev/md3              1,8T  1,6T  177G  90% /var
none                  7,8G  600K  7,8G   1% /var/run
none                  7,8G     0  7,8G   0% /var/lock

With some recursive `du -sh * | sort -n`, I discovered that my /var/tmp has 2 folders belonging to www-data:

root@ns384990:/var/tmp# ls -la
total 76
drwxr-xr-x  2 www-data www-data 36864 2014-10-27 00:11  .. 
drwxrwxrwt  4 root     root      4096 2014-10-29 06:30 .
drwxr-xr-x  2 www-data www-data 32768 2014-10-01 18:40 . .. 
drwxr-xr-x 21 root     root      4096 2013-07-23 11:49 ..

I go to the ` .. ` folder with `cd ' .. '` (yeah, 2 fcking escapes... I was mad because I didn't see the 2nd escape, and it took me hours to find it).

And here is what I get inside... Several films and series:

root@ns384990:/var/tmp/ .. # ls -la
total 1580112096
drwxr-xr-x 2 www-data www-data       36864 2014-10-27 00:11 .
drwxrwxrwt 4 root     root            4096 2014-10-29 06:30 ..
-rw-r--r-- 1 www-data www-data   644663385 2014-10-18 18:05 10.Things.You.Dont.Know.About.S01E02.Abraham.Lincoln.720p.HDTV.x264-DHD.mkv
-rw-r--r-- 1 www-data www-data   634213806 2014-10-24 09:44 10.Things.You.Dont.Know.About.S01E05.The.OK.Corral.720p.HDTV.x264-DHD.mkv
-rw-r--r-- 1 www-data www-data  4743372800 2014-09-19 01:41 21.2008.BluRay.720p.x264-WiKi.tar

... 1.5 TB of films and series sent "I don't know how" and stored in my /var/tmp.

How can I find the script that allowed writing this? What are the log files or commands I can use to track what happened?

Here is my OS information:

Linux ns384990.ovh.net 3.8.13-xxxx-std-ipv6-64 #3 SMP Fri May 31 13:14:59 CEST 2013 x86_64 GNU/Linux Ubuntu 10.04.2 LTS

Welcome to Ubuntu! * Documentation: https://help.ubuntu.com/ Ubuntu 10.04.2 LTS

**EDIT 1: Just found the script:**

**link removed as it contains malware** (too long to put it here)

user9517
Raphaël

1 Answer

It's not a question of which script was used to make these uploads; the question is what vulnerability was used to create the script which was used to make these uploads.

You could go through the Apache access logs and try to correlate the creation timestamps of those files with the HTTP requests made.

Additionally, I would recommend looking into hardening your open_basedir option. What types of sites do you run? Try searching for strange PHP files owned by the www-data user, like:

find / -type f -iname '*.php*' -user www-data

Another trick frequently used is defining AddHandler or AddType in .htaccess to parse non-PHP extensions as PHP code. So you may want to review all .htaccess files on your system for those directives, and if there are any weird extensions mapped to run as PHP code, examine files with such extensions as well.

Hrvoje Špoljar
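The two checks from the answer above, as an added example that is not part of the original answer: it parses Apache combined-format access log lines, lists the requests logged within a few minutes of each uploaded file's mtime, and flags the extensions that AddHandler/AddType lines in a .htaccess map to a PHP handler. The log lines and the .htaccess content are constructed, and the server's local offset is assumed to be +0200 (CEST, as the uname line suggests).

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample input (not from the post): two files from the question's
# listing with their mtimes, hypothetical Apache log lines, a hypothetical .htaccess.
FILES = [
    ("10.Things.You.Dont.Know.About.S01E02.Abraham.Lincoln.720p.HDTV.x264-DHD.mkv", "2014-10-18 18:05"),
    ("21.2008.BluRay.720p.x264-WiKi.tar", "2014-09-19 01:41"),
]
ACCESS_LOG = """\
203.0.113.7 - - [18/Oct/2014:18:04:12 +0200] "POST /uploads/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Oct/2014:12:00:01 +0200] "GET /index.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Sep/2014:01:40:55 +0200] "POST /uploads/cache.php HTTP/1.1" 200 512 "-" "curl/7.22"
"""
HTACCESS = """\
AddType application/x-httpd-php .jpg
AddHandler php5-script .txt
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
HANDLER_RE = re.compile(r'^\s*(AddHandler|AddType)\s+(\S*php\S*)\s+(.+)$', re.I | re.M)

def parse_log(text):
    """Parse combined-format access log lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        entries.append({"ip": ip, "when": when, "method": method, "path": path, "status": status})
    return entries

def requests_near(files, entries, window_minutes=5, tz=timezone(timedelta(hours=2))):
    """Map each file name to the requests logged within +/- window of its mtime.
    ls prints minute precision, so the upper bound covers the whole mtime minute; tz is assumed."""
    hits = {}
    for name, mtime in files:
        t = datetime.strptime(mtime, "%Y-%m-%d %H:%M").replace(tzinfo=tz)
        lo, hi = t - timedelta(minutes=window_minutes), t + timedelta(minutes=window_minutes + 1)
        hits[name] = [e for e in entries if lo <= e["when"] < hi]
    return hits

def php_mapped_extensions(htaccess_text):
    """Extensions that an AddHandler/AddType line maps to a PHP handler, except .php* itself."""
    exts = []
    for _directive, _handler, rest in HANDLER_RE.findall(htaccess_text):
        exts.extend(e for e in rest.split() if not e.lower().startswith(".php"))
    return exts
```

On a real box, feed `requests_near` the names and mtimes from `find /var/tmp -type f -printf '%p %TY-%Tm-%Td %TH:%TM\n'` and the contents of the access logs; a PHP file that is POSTed to just before each upload is the obvious candidate for the dropper.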