Author Topic: Suspicious File Alert  (Read 1800 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Suspicious File Alert
« on: April 18, 2024, 03:32:40 PM »
I setup a new server last week and since I got the DNS to resolve correct (allowing it to send emails) I keep getting these 2 messages.

Note that I do not have this issue with my other install of CWP.

Time:   Thu Apr 18 08:05:23 2024 -0700
File:   /var/tmp/.root_0f8430_salt/pyall/certifi/core.py
Reason: Script, file extension
Owner:  root:root (0:0)
Action: No action taken

Time:   Thu Apr 18 08:05:23 2024 -0700
File:   /var/tmp/.root_0f8430_salt/pyall/salt/grains/core.py
Reason: Script, file extension
Owner:  root:root (0:0)
Action: No action taken

I scanned that directory with CalmAV and it found nothing.

Here is the file structure of the .root_0f8430_salt directory.

[root@ .root_0f8430_salt]# ls -l
total 52
-rw-r--r-- 1 root root   65 Apr  5 02:45 code-checksum
-rw-r--r-- 1 salt salt   40 Apr  1 20:23 ext_version
-rw-r--r-- 1 root root   13 Apr  5 02:45 grains
-rw-r--r-- 1 root root  158 Apr  5 02:45 minion
drwx------ 9 root root 4096 Apr  5 02:45 py3
drwx------ 6 root root 4096 Apr  5 02:45 pyall
drwx------ 3 root root 4096 Apr  5 02:45 running_data
-rw-r--r-- 1 root root  757 Apr  5 02:45 salt-call
-rw------- 1 root root 8629 Apr  5 02:45 salt_state.tgz
-rw-r--r-- 1 root root    8 Apr  5 02:45 supported-versions
-rw-r--r-- 1 root root    6 Apr  5 02:45 version
[root@ .root_0f8430_salt]#

Offline
*****
Re: Suspicious File Alert
« Reply #1 on: April 18, 2024, 05:54:00 PM »
Are you running Python 2.7 or 3.6 on that system? Do you actually make use of it for any web facing apps, or just PHP?

Offline
*
Re: Suspicious File Alert
« Reply #2 on: April 18, 2024, 06:51:30 PM »
Just PHP no pyton

Offline
*****
Re: Suspicious File Alert
« Reply #3 on: April 18, 2024, 10:47:05 PM »
My systems have "core.py" as included in both versions of python:
Code: [Select]
/usr/lib/python2.7/site-packages/di/core.py
/usr/lib/python2.7/site-packages/pyudev/core.py
/usr/lib/python3.6/site-packages/pip/_vendor/certifi/core.py
/usr/lib/python3.6/site-packages/pip/_vendor/idna/core.py
/usr/lib64/python2.7/distutils/core.py
/usr/lib64/python3.6/distutils/core.py
I don't have anything like your salt directory under /tmp. Do you see any processes running that create those tmp files?

Offline
*
Re: Suspicious File Alert
« Reply #4 on: April 19, 2024, 11:17:44 AM »
2 process that might have created the file. Both appear to be related to my host. I even opened a ticket with them to ask about this file alert and they said it was not theirs.

Code: [Select]
root        1357  0.0  0.0 346844 30000 ?        Ss   Apr10   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-minion -c /opt/imh-salt/ --pid-file=/var/run/inmotion-minion.pid
root        1826  0.0  0.0 969960 71564 ?        Sl   Apr10   6:50 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-minion -c /opt/imh-salt/ --pid-file=/var/run/inmotion-minion.pid MultiMinionProcessMa

Offline
*
Re: Suspicious File Alert
« Reply #5 on: April 19, 2024, 11:39:26 AM »
Looks like everything related to these tmp files was written on April 5th. 4 days before I got the server.

This is the logs

Code: [Select]
2024-04-05 02:45:24,425 [salt.loaded.int.module.pkg_resource:133 ][WARNING ][2158] 'version' argument will be ignored for multipl$
2024-04-05 02:45:27,521 [salt.loaded.int.module.pkg_resource:133 ][WARNING ][2158] 'version' argument will be ignored for multipl$


Code: [Select]
root         133  0.0  0.0      0     0 ?        I<   Apr10   0:00 [crypto]

Offline
*
Re: Suspicious File Alert
« Reply #6 on: April 23, 2024, 06:28:10 PM »
In the end I just backed up the contents of the .root_0f8430_salt folder and then deleted it off the server.

I have yet to have anything complain about that action.