Dodgy links in virtfs

[uk01]

Hi we are currently running a security scan and have seen some concerning links...

I’m running cpmalscan

In virtfs one of the accounts is showing as linking to files in multiple other accounts!

Eg /virtfs/accountname/dev/fd/4/anotheraccount/...
Linking to mail files, WordPress plugins etc.
Then says they contain malware.

Some of those accounts have wordfence etc installed so I’m sure they are ok, but why is an account showingvas linking to someone else’s?

Is this a dodgy mount?

I should add that I have “no shell” selected in whm so the virtfs folder must come from sftp even though users have no shell

 

[uk01]

We've discovered something else even more concerning...

A plugin folder within a wordpress site called "1" and inside it is a file "Rintoar.txt" which looks like a folder - when clicking this file it seems to load the root server files. This appears to be a symlink? to the root access from a plugin!

We have the new symlink protection enabled, yet this file has a date of only 2 days ago.

Edit: From root ssh access the folder displays the root file list
From filemanager within the cpanel account, the folder only links to the account root

 

[rpvw]

Rintoar.txt is often associated with a remote access or web-shell exploit.

I would suggest you take all necessary measures to ensure your server is not infected or exploited in any way.

The following links may prove useful:

Security and Virus Scans in WHM - cPanel Knowledge Base - cPanel Documentation
Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation

 

[uk01]

Thanks, my thoughts are the site containing the plugin and rintoar file has been hacked and the file added. I've advised the site owner.

However, at this stage I'm suspicious of some relation to the virtfs issue above, as the malware scan shows links also from the plugin to

.../wp-content/plugins/1/Rintoar.txt/dev/fd/4/virtfs/accountnamementionedabove/dev/fd/4/anotheraccount/

I reckon the account in virtfs is the underlying culprit.

 

[Infopro]

I reckon the account in virtfs is the underlying culprit.

The account there is the account.

 

[sparek-3]

I would really recommend ignoring anything in virtfs. If you start deleting things from in there, bad things are bound to happen.

If an account has malware, it will show up on the account and not in the virtfs directory.

 

[uk01]

You're right, never delete anything in virtfs as it screws the server and deletes the files they link to.
Very valid and important point for anyone else reading this in the future!

I was just shocked to see a specific account in virtfs showing directory links to other peoples accounts in the cpmalscan.
Then it found a dodgy sym file in another account which also showed a link back.

I'm checking all accounts though! Appreciate your input

 

[sparek-3]

I would bottom line it as, /home/virtfs uses a bind mount to mount a chroot'd environment for every user (or at least the users using virtfs). Put another way virtfs is a cheap version of CageFS.

I just wouldn't mess with it. I'd tell whatever application you are using to scan for malware to just ignore /home/virtfs

If there's malware in a /home/virtfs/user/home/user directory... then it will exist in /home/user

Someone from cPanel might chime in and give more insight. But bottomline, I'd just ignore everything in /home/virtfs

 

[uk01]

thanks @sparek-3 - the support here is great, it really helps put these things in context and at least get some sleep tonight!

I've removed the sym file we know was a hack (Rintoar.txt) on one actual account as that seems to be the main one flagging up

 

[cPanelMichael]

Hello @uk01,

We also provide the following document to explain in more detail how the VirtFS directories work:

VirtFS - Jailed Shell - Version 74 Documentation - cPanel Documentation

Included in this document are steps to remove a VirtFS mount, as manually removing that data can lead to a nonfunctional server.

Thank you.