
SOLVED Folder extracted in account show in .virtfs accounts?

Discussion in 'General Discussion' started by acpro, Aug 1, 2017.

  1. acpro

    acpro Member

    Joined:
    Mar 7, 2017
    Messages:
    10
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Portugal
    cPanel Access Level:
    Root Administrator
    Hi.

    Recently a user extracted a WP site in an account. The next day I received LFD warnings "Suspicious File Alert" in the /tmp/ folder, removed the folder in question from /tmp and the suspicious folder from the user account.

    The user did not upload it anymore and did not extract anything.

    The next day I received LFD warnings "Suspicious File alert" from the same folder in the /tmp folder. Deleted it from /tmp.

    Next day, the same thing, so I searched for the folder name in /home and I got the folder in question in /home/.virtfs of multiple accounts (all accounts that show in the .virtfs folder).

    99.9% certain that those accounts don't use that folder (the folder in /tmp is owned by the account that originally uploaded it).


    1) Why did that folder appear in /home/.virtfs of different accounts?
    2) Why does the folder keep showing in /tmp (is LFD moving the folder)?
    3) Can I delete the "suspicious" folder from /home/.virtfs accounts?


    The folder in question doesn't look to have suspicious code, WP PHP code and some .git (?), and it's called "extracted_plugins", but still I wish to fix this.


    Thanks
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Directly removing files from the /home/virtfs directory is not recommended and can lead to filesystem errors. Instead, you can use the instructions for unmounting the VirtFS BIND mount available at:

    VirtFS - Jailed Shell - Documentation - cPanel Documentation

    Let us know if that helps.

    Thank you.
     
  3. acpro

    Thanks for the answer @cPanelMichael.

    Following your instructions I successfully unmounted the accounts in question. Hopefully the LFD warning won't show again.
     
  4. acpro

    Hi.

    Unfortunately it did not resolve:
    - Folder keeps showing in the /tmp folder
    - Folder keeps showing in the virtfs folder even after unmounting the virtfs accounts. So, even after I unmounted these virtfs folders, the next day the virtfs are mounted and the extracted_plugins folder appears in them?

    - Also removed the folder from /var/tmp, but it didn't solve anything.

    The images below are from searches on some "suspicious file alerts" on the server.


    extracted_plugins.png
    prepare-commit-msg-sample.png
    post-type-static-block.png
    suspicious-file-alert.png
     
  5. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    260
    Likes Received:
    76
    Trophy Points:
    28
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    I might be so far down the wrong road that it's not funny, but this is where I would start !!

    First determine why this WP plug-in keeps regenerating - I suspect it needs properly uninstalling from the WP admin rather than just deleting the unzipped folder in the client's fileset.

    It looks to me like it might be making a connection to repair its damaged fileset (or update its fileset) from a git repo?

    Some WP 'fake cron' jobs trigger on the number of times a page is hit, but check to see that it hasn't written a proper cron job anyway.

    Why it should be writing into the ./home/virtfs/tmp folders for more than one user is way past my pay-grade - I definitely recommend that you get cPanel support involved here and open a support ticket!
     
  6. acpro

    Thanks for the answer @rpvw .

    Following your line of thought, I took a better look at the WP website and found some .zip files containing related files, and in the same folder some PHP that looks like it extracts (?) those zip files to install/reinstall some WP plugins. Like you said, maybe these scripts are triggered when running a specific page or a Backoffice page?

    Well, I removed everything from /tmp and /var/tmp, unmounted (again) virtfs, and removed those zip and PHP files.

    Fingers crossed for no more warnings!

    About virtfs, I still don't understand why those folders keep mounting and why the folder appears in them.
     
  7. cPanelMichael

    They are linked to the files/folders that exist under the account's home directory. Thus, if those folders/files were regenerated in the account's home directory, they will appear under the VirtFS directory again.

    Thank you.
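
Added example, not part of the thread and not cPanel's own code: because VirtFS entries are bind mounts, a search that finds the folder under several /home/virtfs accounts is seeing one directory through several mount points, not several copies. The script maps each hit back to the directory behind it using a mount table in /proc/self/mountinfo format; the account names `alice` and `bob` and the sample table are constructed, and the mapping assumes the bind sources sit on the root filesystem.

```bash
#!/bin/bash
# Constructed sample in /proc/self/mountinfo format (not from the thread).
# Field 4 = source directory inside its filesystem, field 5 = mount point.
# Assumption: every bind source is on the root filesystem, so field 4 is
# also the absolute path of the original directory.
SAMPLE_MOUNTINFO='21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
85 21 8:1 /tmp /home/virtfs/alice/tmp rw,relatime - ext4 /dev/sda1 rw
86 21 8:1 /usr/bin /home/virtfs/alice/usr/bin ro,relatime - ext4 /dev/sda1 rw
91 21 8:1 /tmp /home/virtfs/bob/tmp rw,relatime - ext4 /dev/sda1 rw'

# virtfs_origin PATH MOUNTINFO
# Prints the original path behind PATH when PATH lies inside a bind mount
# under /home/virtfs; returns 1 and prints nothing otherwise.
virtfs_origin() {
    printf '%s\n' "$2" | awk -v p="$1" '
        index($5, "/home/virtfs/") == 1 {
            mp = $5
            # PATH must be the mount point itself or something below it;
            # keep the longest (most specific) matching mount point.
            if ((p == mp || index(p, mp "/") == 1) && length(mp) > best) {
                best = length(mp); root = $4
                rest = substr(p, length(mp) + 1)
            }
        }
        END {
            if (!best) exit 1
            prefix = (root == "/") ? "" : root
            print prefix rest
        }'
}

# unique_origins MOUNTINFO  (search hits on stdin, one per line)
# Collapses hits seen through VirtFS bind mounts onto the real directory.
unique_origins() {
    while IFS= read -r hit; do
        origin=$(virtfs_origin "$hit" "$1") || origin=$hit
        printf '%s\n' "$origin"
    done | sort -u
}

# Three hits for the same folder name, as a search of /tmp and /home returns.
printf '%s\n' /tmp/extracted_plugins \
    /home/virtfs/alice/tmp/extracted_plugins \
    /home/virtfs/bob/tmp/extracted_plugins | unique_origins "$SAMPLE_MOUNTINFO"
```

On a live server, pass `"$(cat /proc/self/mountinfo)"` as the mount table; any cleanup then targets the single real path that is printed, in line with the advice above not to remove files directly from the VirtFS directory.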
     