Any ideas on why Apache (httpd) creates these files in /tmp? I'm on Red Hat 5.5 and Apache 2.2, mpm-prefork.
-rw-------. 1 apache apache 0 Aug 14 12:46 filec1puD5
-rw-------. 1 apache apache 0 Aug 14 12:46 fileKJqaih
-rw-------. 1 apache apache 0 Aug 14 12:46 fileB7j9Ws
-rw-------. 1 apache apache 0 Aug 14 12:46 file1o7MCE
-rw-------. 1 apache apache 0 Aug 14 12:46 filefqAvjQ
-rw-------. 1 apache apache 0 Aug 14 12:46 filexjpv01
Sometimes I see dozens of these, and I always delete them, but I haven't found anything on why or how these files are generated in the first place. Error logs look clean, albeit they're set to Error.
Update: Application is Drupal 7, running on PHP 5.3.2.
/tmp is PHP's default folder for session data. You can change this by editing the "session_save_path" in your php.ini file. That being said, various scripts could write various session data here.
There are cases where lax permissions in this folder have led to vulnerabilities (UID/Symlink attacks), so if you suspect these files don't line up with what your PHP application is expected to be doing, I might recommend redirecting your PHP session files and watching this area closely.
Typically session files are written as sess_xxx. These files may be temporary remnants of file uploads. When an end user uploads a file, these files are written to /tmp and once completely uploaded, they are moved off to their actual destination.
Can you try doing a less on these files? I'm not sure if these files are binary. Also run the file command on any of these files.
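One way to triage a temp directory along the lines the answers above suggest, as an added example that is not part of the original thread: it counts session-style files (sess_ prefix), empty files named like the ones in the question (file plus six characters), and symlinks, which are what the UID/symlink concern is about. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# classify_tmp DIR
# Prints one summary line: "session=N empty_tmp=N symlink=N other=N"
classify_tmp() {
    dir=$1
    session=0 empty_tmp=0 symlink=0 other=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        # Check symlinks first: -f follows links, so a link would otherwise
        # be counted as whatever it points to.
        if [ -L "$f" ]; then
            symlink=$((symlink + 1))
            continue
        fi
        # Skip directories, sockets and unmatched glob patterns.
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            sess_*)
                session=$((session + 1)) ;;
            file??????)
                # Same shape as the names in the question; only zero-byte
                # ones are counted as empty temp files.
                if [ -s "$f" ]; then
                    other=$((other + 1))
                else
                    empty_tmp=$((empty_tmp + 1))
                fi ;;
            *)
                other=$((other + 1)) ;;
        esac
    done
    echo "session=$session empty_tmp=$empty_tmp symlink=$symlink other=$other"
}

# make_sample: builds a constructed sample directory and prints its path.
make_sample() {
    d=$(mktemp -d) || return 1
    : > "$d/filec1puD5"                          # empty, name from the listing
    : > "$d/fileKJqaih"                          # empty, name from the listing
    echo data > "$d/fileABCDEF"                  # constructed: non-empty
    echo 'uid|i:1;' > "$d/sess_constructed0001"  # constructed session file
    ln -s "$d/sess_constructed0001" "$d/link_constructed"
    echo "$d"
}
```

Running `classify_tmp /tmp` as root or as the apache user gives the counts for the live directory; a non-zero symlink count is the part worth looking at first.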