IFD Suspicious File Alert
I keep getting alerts from IFD on a specific site. I've already used Wordfence and actually purchased a license for cPanel's premium WordPress management solution that is supposed to help users secure sites better.
Neither is reporting any issues with the site, but I do believe the IFD alert to be accurate. The site itself doesn't show signs of being compromised on the front end, but naturally that doesn't mean much.
So how on earth would one recommend tracking this down, as I get about 10 alerts a day :)? It is only this specific site.
Time: Sun Sep 12 21:01:17 2021 -0700
File: /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa
Reason: Script, starts with #!
Owner: SITEUSER:SITEUSER (1010:1011)
Action: No action taken
You can remove the file /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa manually and observe whether it comes back again?
Hello again. I think it would be best to open a support ticket so that our analysts can review the issue more thoroughly and determine what exactly is occurring. You can submit a support request using the "Submit a ticket" link in my signature below. Please be sure to link this thread when opening the ticket and provide the ticket number here so that we can track the issue appropriately. If possible, please post the resolution on this thread as it may help other community members with similar issues.
You can remove the file /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa manually and observe whether it comes back again?
You could be onto something; upon looking, it does always seem to be referencing the same file. So perhaps that's just one infected file, and once I remove it, it will go away. I will attempt that first.
Just a quick question: would you say just remove that direct file path, or should I remove the root above it? In short, how far back up the directory structure would be worth deleting?
Given his suggestion, I would suggest moving just that one file out of the way temporarily.
mv -vi /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa /path/to/test-or-backup-folder/
Given his suggestion, I would suggest moving just that one file out of the way temporarily.
mv -vi /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa /path/to/test-or-backup-folder/
Thanks, I've done so and will see if the problem persists :)
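An added example, not from the thread and not cPanel's or ConfigServer's code: a POSIX shell script that takes an alert in the format quoted above and turns it into the checks a root shell on the server should run next. The detail worth acting on is the path: it sits inside the PrivateTmp= directory that systemd creates for the ea-php73-php-fpm.service unit (the PHP workers in that service see it as /tmp/alfacgiapi/), and the owner is the site's uid, so whatever writes the file runs as that site, most plausibly PHP served by that pool. Moving the one file removes the symptom; the commands below are aimed at the writer. The alert text is a constructed copy of the posted one; the auditd key name and the DOCROOT placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): turn an lfd-style "Suspicious File Alert"
# into hunt targets. ALERT is a constructed copy of the alert posted above.
ALERT='Time: Sun Sep 12 21:01:17 2021 -0700
File: /tmp/systemd-private-2f987fdd375f437992f1fe75de0dc7d6-ea-php73-php-fpm.service-MK8fRi/tmp/alfacgiapi/getheader.alfa
Reason: Script, starts with #!
Owner: SITEUSER:SITEUSER (1010:1011)
Action: No action taken'

# alert_field TEXT NAME: the value of the "NAME: ..." line in the alert text
alert_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# unit_from_path PATH: the systemd unit whose PrivateTmp= directory holds PATH.
# systemd names these /tmp/systemd-private-<boot-id>-<unit>-<6 random chars>.
unit_from_path() {
    printf '%s\n' "$1" | sed -n 's#^/tmp/systemd-private-[0-9a-f]*-\(.*\)-[A-Za-z0-9]*/.*#\1#p'
}

# private_tmp_root PATH: the host-side directory that the service sees as /tmp
private_tmp_root() {
    printf '%s\n' "$1" | sed -n 's#^\(/tmp/systemd-private-[^/]*/tmp\)/.*#\1#p'
}

# owner_uid OWNER: the numeric uid out of "user:group (uid:gid)"
owner_uid() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*\):[0-9]*)$/\1/p'
}

# hunt_plan TEXT: print the commands to run as root on the affected server
hunt_plan() {
    file=$(alert_field "$1" File)
    owner=$(alert_field "$1" Owner)
    unit=$(unit_from_path "$file")
    root=$(private_tmp_root "$file")
    uid=$(owner_uid "$owner")
    dir=$(dirname "$file")
    name=$(basename "$dir")
    cat <<EOF
# The service whose private /tmp this is (its workers see the directory as /tmp/$name):
systemctl show -p MainPID -p ExecStart $unit
# Processes running as uid $uid right now; for a php-fpm pool these are the site's workers:
ps -o pid,user,lstart,args -u $uid
# Everything else that uid left in the same private /tmp during the last day:
find $root -user $uid -mmin -1440 -ls
# Record which process recreates the file (read back with: ausearch -i -k alfacgiapi):
auditctl -w $dir -p wa -k alfacgiapi
# Recently changed PHP under the site's document root, and any reference to the dropper's
# directory name (DOCROOT is an assumption; substitute the account's document root):
find "\$DOCROOT" -name '*.php' -mmin -1440 -ls
grep -rl '$name' "\$DOCROOT"
EOF
}

hunt_plan "$ALERT"
```

The auditd watch is the decisive step: when the file reappears, ausearch shows the pid and executable that wrote it, and the timestamp of that event is what to line up against the site's web access log to find the request (and the PHP file) behind it.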