Edrick Smith

I keep getting alerts from IFD on a specific site. I've already used Wordfence and actually purchased a license for cPanel's premium WordPress management solution that is supposed to help users secure sites better.

Neither is reporting any issues with the site, but I do believe the IFD alert to be accurate. The site itself doesn't show signs of being compromised on the front end. But naturally that doesn't mean much.

So how on earth would one recommend tracking this down, as I get about 10 alerts a day :)? It is only this specific site.

Time: Sun Sep 12 21:01:17 2021 -0700
File: /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa
Reason: Script, starts with #!
Owner: SITEUSER:SITEUSER (1010:1011)
Action: No action taken
 

kodeslogic

You can remove the file /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa manually and observe whether it comes back again?
 
Reactions: cPJustinD

cPJustinD

Administrator
Staff member
Hello again. I think it would be best to open a support ticket so that our analysts can review the issue more thoroughly and determine what exactly is occurring. You can submit a support request using the "Submit a ticket" link in my signature below.

Please be sure to link this thread when opening the ticket and provide the ticket number here so that we can track the issue appropriately. If possible, please post the resolution on this thread as it may help other community members with similar issues.
 

Edrick Smith

kodeslogic said: "You can remove the File: /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa manually and observe whether it comes back again?"

You could be onto something; upon looking, it does always seem to be referencing the same file. So perhaps that's just one infected file and once I remove it, it will go away. I will attempt that first.
 
Reactions: cPJustinD
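
Added example, not part of any post in this thread: a small Python script that groups saved alerts in the format quoted in the first post by owner and file, collapsing the random part of the systemd PrivateTmp directory so a file that reappears after a service restart is counted as the same file. The function names and the second and third sample alerts are constructed for illustration; it assumes the alert e-mails have been saved as plain text separated by blank lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Block 1 is the thread's alert; blocks 2-3 are constructed for illustration.
SAMPLE_ALERTS = """\
Time: Sun Sep 12 21:01:17 2021 -0700
File: /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa
Reason: Script, starts with #!
Owner: SITEUSER:SITEUSER (1010:1011)
Action: No action taken

Time: Mon Sep 13 03:14:02 2021 -0700
File: /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-Qz41Lp/tmp/alfacgiapi/getheader.alfa
Reason: Script, starts with #!
Owner: SITEUSER:SITEUSER (1010:1011)
Action: No action taken

Time: Mon Sep 13 09:30:45 2021 -0700
File: /tmp/constructed-example.sh
Reason: Script, starts with #!
Owner: OTHERUSER:OTHERUSER (1020:1021)
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y %z"
# systemd PrivateTmp directories look like systemd-private-<id>-<unit>-<random>.
PRIVATE_TMP = re.compile(r"^/tmp/systemd-private-[0-9a-f]{32}-([^/]+\.service)-[^/]+/tmp/")

def parse_alerts(text):
    # One alert per blank-line-separated block of "Key: value" lines.
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if {"Time", "File", "Owner"} <= fields.keys():
            fields["when"] = datetime.strptime(fields["Time"], TIME_FMT)
            alerts.append(fields)
    return alerts

def summarize(alerts):
    # Group by (owner, path with the random PrivateTmp part collapsed).
    groups = defaultdict(list)
    for a in alerts:
        path = PRIVATE_TMP.sub(r"<PrivateTmp \1>/", a["File"])
        groups[(a["Owner"].split(":")[0], path)].append(a["when"])
    return {k: (len(v), min(v), max(v)) for k, v in groups.items()}

if __name__ == "__main__":
    for (owner, path), (n, first, last) in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{n}x {owner} {path} first={first} last={last}")
```

The first and last timestamps per group show whether the same file keeps being recreated after removal and give a time window to compare against that account's web server logs.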