Dodgy links in virtfs

Hi we are currently running a security scan and have seen some concerning links...

I’m running cpmalscan

In virtfs one of the accounts is showing as linking to files in multiple other accounts!

Eg /virtfs/accountname/dev/fd/4/anotheraccount/...
Linking to mail files, WordPress plugins etc.
Then says they contain malware.

Some of those accounts have wordfence etc installed so I’m sure they are ok, but why is an account showingvas linking to someone else’s?

Is this a dodgy mount?

I should add that I have “no shell” selected in whm so the virtfs folder must come from sftp even though users have no shell

 

We've discovered something else even more concerning...

A plugin folder within a wordpress site called "1" and inside it is a file "Rintoar.txt" which looks like a folder - when clicking this file it seems to load the root server files. This appears to be a symlink? to the root access from a plugin!

We have the new symlink protection enabled, yet this file has a date of only 2 days ago.

Edit: From root ssh access the folder displays the root file list
From filemanager within the cpanel account, the folder only links to the account root

 

Thanks, my thoughts are the site containing the plugin and rintoar file has been hacked and the file added. I've advised the site owner.

However, at this stage I'm suspicious of some relation to the virtfs issue above, as the malware scan shows links also from the plugin to

.../wp-content/plugins/1/Rintoar.txt/dev/fd/4/virtfs/accountnamementionedabove/dev/fd/4/anotheraccount/

I reckon the account in virtfs is the underlying culprit.

 

You're right, never delete anything in virtfs as it screws the server and deletes the files they link to.
Very valid and important point for anyone else reading this in the future!

I was just shocked to see a specific account in virtfs showing directory links to other peoples accounts in the cpmalscan.
Then it found a dodgy sym file in another account which also showed a link back.

I'm checking all accounts though! Appreciate your input

 

thanks @sparek-3 - the support here is great, it really helps put these things in context and at least get some sleep tonight!

I've removed the sym file we know was a hack (Rintoar.txt) on one actual account as that seems to be the main one flagging up