IFD Suspicious File Alert

Edrick Smith · Sep 13, 2021

I keep getting alerts from IFD on a specific site, I've already used Wordfence and actually purchased a License for cPanels premium Wordpress management solution that is suppose to help users secure sites better.

Neither is reporting any issues with the site, but I do believe the IFD alert to be accurate. The site its self doesn't show signs of being compromised on the front end. But naturally that doesn't mean much.

So how on earth would one recommend tracking this down as I get about 10 alerts a day

, it is only this specific site.

Time: Sun Sep 12 21:01:17 2021 -0700
File: /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa
Reason: Script, starts with #!
Owner: SITEUSER:SITEUSER (1010:1011)
Action: No action taken

kodeslogic · Sep 13, 2021

You can remove the File: /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa manually and observe thus it comes back again?

cPJustinD · Sep 13, 2021

Hello again. I think it would be best to open a support ticket so that our analysts can review the issue more thoroughly and determine what exactly is occurring. You can submit a support request using the "Submit a ticket" link in my signature below.

Please be sure to link this thread when opening the ticket and provide the ticket number here so that we can track the issue appropriately. If possible, please post the resolution on this thread as it may help other community members with similar issues.

Edrick Smith · Sep 13, 2021

kodeslogic said:
You can remove the File: /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa manually and observe thus it comes back again?

You could be onto something, upon looking it does always seem to be referencing the same file. So perhaps thats just one infected file and once I remove it, it will go away. I will attempt that first

Edrick Smith · Sep 13, 2021

Just a quick question, would you say just remove that direct file path or should I remove the root above it? In short how far back up the directory structure would be worth deleting?

cPJustinD · Sep 13, 2021

Given his suggestion, I would suggest moving just that one file out of the way temporarily.

mv -vi /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa /path/to/test-or-backup-folder/

Edrick Smith · Sep 13, 2021

cPJustinD said:
Given his suggestion, I would suggest moving just that one file out of the way temporarily.

mv -vi /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa /path/to/test-or-backup-folder/

Thanks I've done so and will see if the problem persists

Search

Search

IFD Suspicious File Alert

Edrick Smith

Well-Known Member

kodeslogic

Well-Known Member

cPJustinD

Administrator

Edrick Smith

Well-Known Member

Edrick Smith

Well-Known Member

cPJustinD

Administrator

Edrick Smith

Well-Known Member