The Community Forums (cPanel & WHM)

Dodgy links in virtfs

Discussion in 'Security' started by uk01, Aug 27, 2018.

  1. uk01

    uk01 Well-Known Member

    Joined:
    Dec 31, 2009
    Messages:
    174
    Likes Received:
    18
    Trophy Points:
    68
    Hi, we are currently running a security scan and have seen some concerning links...

    I’m running cpmalscan

    In virtfs one of the accounts is showing as linking to files in multiple other accounts!

    E.g. /virtfs/accountname/dev/fd/4/anotheraccount/...
    Linking to mail files, WordPress plugins etc.
    Then says they contain malware.

    Some of those accounts have Wordfence etc. installed so I'm sure they are OK, but why is an account showing as linking to someone else's?

    Is this a dodgy mount?

    I should add that I have "no shell" selected in WHM, so the virtfs folder must come from SFTP even though users have no shell.
     
    #1 uk01, Aug 27, 2018
    Last edited by a moderator: Aug 27, 2018
  2. uk01

    uk01 Well-Known Member

    Joined:
    Dec 31, 2009
    Messages:
    174
    Likes Received:
    18
    Trophy Points:
    68
    We've discovered something else even more concerning...

    A plugin folder within a WordPress site called "1", and inside it is a file "Rintoar.txt" which looks like a folder. When clicking this file it seems to load the root server files. This appears to be a symlink(?) to root access from a plugin!

    We have the new symlink protection enabled, yet this file has a date of only 2 days ago.

    Edit: From root SSH access the folder displays the root file list.
    From File Manager within the cPanel account, the folder only links to the account root.
     
    #2 uk01, Aug 27, 2018
    Last edited: Aug 27, 2018
  3. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    1,088
    Likes Received:
    442
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
  4. uk01

    uk01 Well-Known Member

    Joined:
    Dec 31, 2009
    Messages:
    174
    Likes Received:
    18
    Trophy Points:
    68
    Thanks, my thoughts are that the site containing the plugin and Rintoar file has been hacked and the file added. I've advised the site owner.

    However, at this stage I'm suspicious of some relation to the virtfs issue above, as the malware scan shows links also from the plugin to

    .../wp-content/plugins/1/Rintoar.txt/dev/fd/4/virtfs/accountnamementionedabove/dev/fd/4/anotheraccount/

    I reckon the account in virtfs is the underlying culprit.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,937
    Likes Received:
    485
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    The account there is the account.
     
  6. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,923
    Likes Received:
    177
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    I would really recommend ignoring anything in virtfs. If you start deleting things from in there, bad things are bound to happen.

    If an account has malware, it will show up on the account and not in the virtfs directory.
     
    Infopro likes this.
  7. uk01

    uk01 Well-Known Member

    Joined:
    Dec 31, 2009
    Messages:
    174
    Likes Received:
    18
    Trophy Points:
    68
    You're right, never delete anything in virtfs, as it screws the server and deletes the files they link to.
    A very valid and important point for anyone else reading this in the future!

    I was just shocked to see a specific account in virtfs showing directory links to other peoples accounts in the cpmalscan.
    Then it found a dodgy sym file in another account which also showed a link back.

    I'm checking all accounts though! Appreciate your input
     
  8. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,923
    Likes Received:
    177
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    I would bottom line it as: /home/virtfs uses a bind mount to mount a chroot'd environment for every user (or at least the users using virtfs). Put another way, virtfs is a cheap version of CageFS.

    I just wouldn't mess with it. I'd tell whatever application you are using to scan for malware to just ignore /home/virtfs

    If there's malware in a /home/virtfs/user/home/user directory... then it will exist in /home/user

    Someone from cPanel might chime in and give more insight. But bottomline, I'd just ignore everything in /home/virtfs
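A practical check for both problems raised in this thread (the Rintoar.txt symlink from a plugin directory to / in post #2, and the virtfs paths in posts #1 and #8): list every symlink in the account trees whose resolved target lies outside the owning account's home, without ever descending through a symlink and without entering /home/virtfs at all. This is an added example, not code from the thread or from cPanel; the /home/<user> layout and the /home/virtfs location are assumptions taken from the paths quoted above, and it relies on GNU coreutils readlink -f. The reason for pruning virtfs rather than just filtering its output: on Linux /dev/fd is a symlink to /proc/self/fd, so a scanner that walks into the bind-mounted /dev inside a virtfs jail and follows fd/4 lands in whatever directory the scanner itself has open, which is consistent with the /dev/fd/4/anotheraccount paths in the report.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): report symlinks under a
# cPanel-style /home tree whose canonical target is outside the owning
# account's home. Assumed layout: /home/<user>/..., jails under /home/virtfs.
#
# Two deliberate choices:
#   * find runs without -L, so it lists symlinks but never descends through
#     them; a link such as plugins/1/Rintoar.txt -> / is reported, not walked.
#   * /home/virtfs is pruned. It holds bind mounts of the real account trees
#     and of /dev (whose fd/ entries resolve via /proc/self/fd to whatever
#     the scanning process has open), so anything under it is a second view
#     of files that exist elsewhere. Bind mounts keep the device number of
#     their source, so -xdev would not stop a walk there; -prune does.

escaping_symlinks() {
    home_root=${1:-/home}
    find "$home_root" -path "$home_root/virtfs" -prune -o -type l -print 2>/dev/null |
    while IFS= read -r link; do
        # First path component below home_root is the account name.
        rel=${link#"$home_root/"}
        acct="$home_root/${rel%%/*}"
        # Canonicalise the target (GNU readlink -f). A link whose parent
        # directory chain cannot be resolved is skipped rather than guessed.
        target=$(readlink -f -- "$link" 2>/dev/null) || continue
        case $target in
            "$acct"|"$acct"/*) ;;                        # stays inside the account
            *) printf '%s -> %s\n' "$link" "$target" ;;  # escapes the account: flag it
        esac
    done
}

# Usage on a live server: escaping_symlinks /home
```

Each reported line is a link that resolves outside its account, which covers a plugin file pointing at / and a link from one account into another's mail directory; links that stay inside the account (a relative link to the site's own index.php, for example) are not reported, and nothing under /home/virtfs is touched.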
     
  9. uk01

    uk01 Well-Known Member

    Joined:
    Dec 31, 2009
    Messages:
    174
    Likes Received:
    18
    Trophy Points:
    68
    Thanks @sparek-3 - the support here is great, it really helps put these things in context and at least get some sleep tonight!

    I've removed the sym file we know was a hack (Rintoar.txt) on one actual account, as that seems to be the main one flagging up.
     
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,529
    Likes Received:
    2,180
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator