Since we first started leasing cPanel servers, nearly every account has been accessed as soon as we install it (or very nearly thereafter). Someone using IP 216.55.147.130 installs a file named testfile.txt in the sub-web area, then soon afterward deletes it. Sometimes not. All the files that we were able to find contain a single word, "cygnus".
By the way, all testfile.txt files are owned by the user ID of that account (in which the file was inserted), and FTP access is made using the new account user's ID and password.
My first guess is that this is part of the cPanel licensing system. My second guess is much worse. Just want to make sure.
Can anyone please shed any light?
Thanks.
jols
UPDATE: We're not sure, but we now believe that there is at least a possibility that this may relate to a Windows virus that many of our hosted members may have on their systems, to which our cPanel / Linux server would be immune - http://vil.nai.com/vil/content/v_98824.htm







