Topic: Getting a [!!! CRITICAL ALERT !!!] Ghost files (deleted but running) found

Offline
*
Anyone getting this security error?
Seems serious, BUT I just set up a new server, still sitting on a private IP and got it so now I'm not sure.

sh /scripts/cwp_security_audit
------------------------------------------------------
[INFO] Auditing cwpsrv (PID: 156548)
[OK] cwpsrv looks clean.
------------------------------------------------------
[INFO] Auditing php-fpm-cwp (PID: 1086)
[!!! CRITICAL ALERT !!!] Ghost files (deleted but running) found:
php-fpm 1086 root  DEL       REG              253,0             1837740 /usr/local/ioncube/ioncube_loader_lin_7.2.so
Error:Can't add notification!------------------------------------------------------
[INFO] Auditing apache (PID: 157091)
[OK] apache looks clean.
------------------------------------------------------

Offline
*****
What operating system? I have that file (1.4M in size) on my AlmaLinux 8 servers. I assume it's necessary to decrypt & load the CWP core, which is still running on the hobbling old PHP 7.2 (even though the files are labeled PHP 7.1, it is really 7.2).

Looks like the recent update added the security audit and automatically enrolled servers to run it. Look at the new cron job that runs cwp_security_audit:
Code:
[root@srv1]# ls -al /etc/cron.daily/cwp_security_audit.sh
-rwxr-xr-x 1 root root 31 Feb 17 18:40 /etc/cron.daily/cwp_security_audit.sh
« Last Edit: February 21, 2026, 02:43:06 PM by overseer »

Offline
*
@overseer
Yes Alma 8
File is showing as 1.34MB in the GUI file explorer. All the dates are the same so I would think it's legit.
But the warning is kind of worrying coming out of nowhere on a new build.



Code:
[root@localhost ~]# ls -l /usr/local/ioncube/ioncube_loader_lin_7.2.so
-rw-rw-r-- 1 507 507 1407568 Sep  9  2023 /usr/local/ioncube/ioncube_loader_lin_7.2.so


Is your server flagging it?

Thanks,
Dave

Offline
*****
Yes, that script gives the same worrying message on my servers. But it looks to be all-scare, not a legitimate security issue. Most odd thing is the 507 user:group ownership -- no longer valid, so probably more cleanup CWP needs to do.

Offline
*
Yes, that script gives the same worrying message on my servers. But it looks to be all-scare, not a legitimate security issue. Most odd thing is the 507 user:group ownership -- no longer valid, so probably more cleanup CWP needs to do.

OK, I'll stop having a panic attack now :-)
That or we are both screwed.....

-Dave

Offline
*****
Save the panic attacks by silencing notifications! Create /etc/cron.daily/notifications_zero and it will run after the daily CWP scripts and empty out your notifications.
Code:
#!/bin/sh
echo '[]' > /usr/local/cwpsrv/htdocs/resources/admin/include/libs/notifications/notifications.json

Offline
*
I received the exact same alert; it seems to be a false positive according to CWP support. There's nothing to worry about; they'll release an update to correct this notification, they told me.
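
Added example, not part of the thread and not CWP's audit script: lsof reports a mapping as DEL when the file the process mapped has been unlinked, even if a new file now sits at the same path, so the alert line can be triaged by comparing the inode it reports with the inode currently on disk. The function names `disk_inode` and `triage_del_line` are hypothetical.

```shell
#!/bin/sh
# Added example: triage one lsof "DEL" line from the audit output.
# Function names are hypothetical; this is not CWP's own check.

# Print the inode currently on disk at path $1, or nothing if it is absent.
disk_inode() {
    [ -e "$1" ] || return 0
    ls -di -- "$1" | awk '{print $1}'
}

# $1 = one lsof line. For DEL entries the SIZE/OFF column is empty, so the
# fields are: COMMAND PID USER FD TYPE DEVICE NODE NAME
# Prints one of:
#   replaced  a different inode now sits at the path; the process still maps
#             the old copy (seen when a loaded library is replaced on disk
#             and the service has not been restarted since)
#   missing   nothing at the path; the mapped code has no on-disk copy to
#             compare against, so inspect /proc/PID/map_files
#   same      inode matches the file on disk; inconclusive, re-run lsof
#   not-del   the line is not a DEL entry
triage_del_line() {
    # read puts everything after the 7th field into $path, spaces included
    read -r cmd pid user fd type dev node path <<EOF
$1
EOF
    [ "$fd" = "DEL" ] && [ -n "$path" ] || { echo not-del; return 0; }
    current=$(disk_inode "$path")
    if [ -z "$current" ]; then
        echo missing
    elif [ "$current" = "$node" ]; then
        echo same
    else
        echo replaced
    fi
}

# The alert line quoted in the first post; the result depends on the host
# this runs on, because the inode is looked up on the local filesystem.
triage_del_line "php-fpm 1086 root  DEL       REG              253,0             1837740 /usr/local/ioncube/ioncube_loader_lin_7.2.so"
```

A `replaced` result only says the path was rewritten after the process started; verifying the on-disk file against a known-good copy and restarting the service are separate steps.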