SOLVED Folder extracted in account show in .virtfs accounts?

[acpro]

Hi.

Recently a user extracted a WP site in a account. In the next day i received LFD warnings "Suspicious File Alert" in /tmp/ folder, removed the folder in question from /tmp and the suspicious folder from the user account.

The user did not upload it anymore and did not extracted anything.

In the next day i received LFD warnings "Suspicious File alert" from the same folder /tmp folder. Deleted from /tmp.

Next day, the same thing, so i searched the folder name in /home and i got the folder in question in /home/.virtfs of multiple accounts (all accounts that show in .virtfs folder).

99.9% certain that those accounts dont use that folder (the folder in /tmp is owned by the account that originaly upload it).


1) Why that folder appeared in /home/.virtfs of different accounts?
2) Why does the folder keeps showing in /tmp (is LFD moving the folder)?
3) Can i delete the "suspicious" folder from /home/.virtfs accounts?


The folder in question doesnt look to have suspicious code, WP PHP code and some .git (?)..and its called "extracted_plugins", but still i wish to fix this.


Thanks

 

[cPanelMichael]

Hello,

Directly removing files from the /home/virtfs directory is not recommended and can lead to filesystem errors. Instead, you can use the instructions for unmounting the VirtFS BIND mount available at:

VirtFS - Jailed Shell - Documentation - cPanel Documentation

Let us know if that helps.

Thank you.

 

[acpro]

Thanks for the answer @cPanelMichael.

Following your instructions i successfully unmounted the accounts in question.. hopefully LFD warning wont show again.

 

[acpro]

Hi.

Unfortunately it did not resolved:
-Folder keeps showing in /tmp folder
-Folder keeps showing in virtfs folder even after unmounted virtfs accounts. So, even after i unmounted this virtfs folders, the next day virtfs are mounted and the extracted_plugins folder appears on it?

-Also removed folder from /var/tmp, but didint solve anything.

The below images are from search´s on some "suspicious file alerts" on the server.

 

[rpvw]

I might be so far down the wrong road that it's not funny, but this is where I would start !!

First determine why this wp plug-in keeps regenerating - I suspect it needs properly uninstalling from the wp admin rather than just deleting the unziped folder in the clients fileset.

It looks to me like it is might be making a connection to repair its damaged fileset (or update its fileset) from a git repo ?

Some wp 'fake cron' jobs trigger on number of times a page is hit, but check to see that it hasn't written a proper cron job anyway.

Why it should be writing into the ./home/virtfs/tmp folders for more than one user is way past my pay-grade - I defiantly recommend that you get cPanel support involved here and open a support ticket !

 

[acpro]

Thanks for the answer @rpvw .

Following your line of thought, i did look for the WP website better and found some .zip files containing related files, also in the same folder some PHP looks like to extract (?) those zip files to install/reinstall some WP plugins. Like you said, maybe these scripts is triggered when running a specific page or a Backoffice page?

Well, i removed everthing from /tmp, /var/tmp, unmounted (again) virtfs, removed those zip and PHP files.

Fingers crossed for no more warnings!

About virtfs, i still dont understand why those folders keeps mounting and why the folder appears on them..

 

[cPanelMichael]

About virtfs, i still dont understand why those folders keeps mounting and why the folder appears on them..

They are linked to the files/folders that exist under the account's home directory. Thus, if those folders/files were regenerated in the account's home directory, they will appear under the VirtFS directory again.

Thank you.