Dodgy links in virtfs

uk01

Well-Known Member
Dec 31, 2009
Hi, we are currently running a security scan and have seen some concerning links...

I’m running cpmalscan

In virtfs one of the accounts is showing as linking to files in multiple other accounts!

E.g. /virtfs/accountname/dev/fd/4/anotheraccount/...
Linking to mail files, WordPress plugins etc.
Then says they contain malware.

Some of those accounts have Wordfence etc. installed so I’m sure they are OK, but why is an account showing as linking to someone else’s?

Is this a dodgy mount?

I should add that I have “no shell” selected in WHM, so the virtfs folder must come from SFTP even though users have no shell.

uk01

Well-Known Member
Dec 31, 2009
We've discovered something else even more concerning...

A plugin folder within a WordPress site called "1", and inside it is a file "Rintoar.txt" which looks like a folder. When clicking this file it seems to load the root server files. This appears to be a symlink? to the root access from a plugin!

We have the new symlink protection enabled, yet this file has a date of only 2 days ago.

Edit: From root SSH access the folder displays the root file list.
From File Manager within the cPanel account, the folder only links to the account root.

rpvw

Well-Known Member
Jul 18, 2013
cPanel Access Level
Root Administrator

uk01

Well-Known Member
Dec 31, 2009
Thanks, my thoughts are that the site containing the plugin and Rintoar file has been hacked and the file added. I've advised the site owner.

However, at this stage I'm suspicious of some relation to the virtfs issue above, as the malware scan shows links also from the plugin to

.../wp-content/plugins/1/Rintoar.txt/dev/fd/4/virtfs/accountnamementionedabove/dev/fd/4/anotheraccount/

I reckon the account in virtfs is the underlying culprit.
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
I would really recommend ignoring anything in virtfs. If you start deleting things from in there, bad things are bound to happen.

If an account has malware, it will show up on the account and not in the virtfs directory.

uk01

Well-Known Member
Dec 31, 2009
You're right, never delete anything in virtfs as it screws the server and deletes the files they link to.
Very valid and important point for anyone else reading this in the future!

I was just shocked to see a specific account in virtfs showing directory links to other people's accounts in the cpmalscan.
Then it found a dodgy sym file in another account which also showed a link back.

I'm checking all accounts though! Appreciate your input.
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
I would bottom line it as: /home/virtfs uses a bind mount to mount a chroot'd environment for every user (or at least the users using virtfs). Put another way, virtfs is a cheap version of CageFS.

I just wouldn't mess with it. I'd tell whatever application you are using to scan for malware to just ignore /home/virtfs.

If there's malware in a /home/virtfs/user/home/user directory... then it will exist in /home/user.

Someone from cPanel might chime in and give more insight. But bottom line, I'd just ignore everything in /home/virtfs.
 
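A defender-side check for what this thread describes (an entry under a WordPress plugin directory that resolves to /), written as an added example for this thread and not cPanel's or cpmalscan's own code: it walks each account under a /home-style root without following symlinks, reports any link whose resolved target leaves that account, and skips /home/virtfs entirely as sparek-3 advises. The layout built in demo() is constructed in a temp directory; the account and file names are made up.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(home: Path) -> list[tuple[str, str]]:
    """Symlinks under `home` resolving outside it, plus dangling/looping links.
    Symlinks are never followed, so plugins/1/Rintoar.txt -> / is reported once."""
    home = home.resolve()
    findings = []
    for root, dirs, files in os.walk(home, followlinks=False):
        for name in dirs + files:
            p = Path(root) / name
            if not p.is_symlink():
                continue
            rel = str(p.relative_to(home))
            try:
                target = p.resolve(strict=True)
            except (OSError, RuntimeError):
                # dangling link or symlink loop: report the raw link text instead
                findings.append((rel, os.readlink(p) + " (unresolvable)"))
                continue
            if target != home and home not in target.parents:
                findings.append((rel, str(target)))
    return sorted(findings)


def scan_home_root(home_root: Path) -> dict[str, list[tuple[str, str]]]:
    """Scan each account under home_root (e.g. /home). /home/virtfs is skipped:
    it is a bind-mounted view, so anything there also exists under /home/<user>."""
    results = {}
    for acct in sorted(home_root.iterdir()):
        if acct.name == "virtfs" or acct.is_symlink() or not acct.is_dir():
            continue
        hits = find_escaping_symlinks(acct)
        if hits:
            results[acct.name] = hits
    return results


def demo() -> dict[str, list[tuple[str, str]]]:
    """Build a constructed /home layout in a temp dir and scan it."""
    home_root = Path(tempfile.mkdtemp(prefix="virtfs-demo-")) / "home"
    acct = home_root / "acct"
    plugin = acct / "public_html" / "wp-content" / "plugins" / "1"
    plugin.mkdir(parents=True)
    os.symlink(acct / "public_html", acct / "www")  # stays inside: not reported
    os.symlink("/", plugin / "Rintoar.txt")          # points at /: reported
    os.symlink("nowhere", plugin / "dangling")       # dangling: reported
    virtfs = home_root / "virtfs" / "acct"
    virtfs.mkdir(parents=True)
    os.symlink("/etc", virtfs / "etc")               # under virtfs: ignored
    return scan_home_root(home_root)
```

Run it against the real /home as root with `scan_home_root(Path("/home"))`; every reported link is worth a look, since a legitimate account has little reason to link outside its own home.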

uk01

Well-Known Member
Dec 31, 2009
Thanks @sparek-3, the support here is great; it really helps put these things in context and at least get some sleep tonight!

I've removed the sym file we know was a hack (Rintoar.txt) on one actual account, as that seems to be the main one flagging up.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011