Author Topic: Suspicious File Alert  (Read 307 times)

Suspicious File Alert
« on: April 18, 2024, 03:32:40 PM »
I set up a new server last week and since I got the DNS to resolve correctly (allowing it to send emails) I keep getting these 2 messages.

Note that I do not have this issue with my other install of CWP.

Time:   Thu Apr 18 08:05:23 2024 -0700
File:   /var/tmp/.root_0f8430_salt/pyall/certifi/core.py
Reason: Script, file extension
Owner:  root:root (0:0)
Action: No action taken

Time:   Thu Apr 18 08:05:23 2024 -0700
File:   /var/tmp/.root_0f8430_salt/pyall/salt/grains/core.py
Reason: Script, file extension
Owner:  root:root (0:0)
Action: No action taken

I scanned that directory with ClamAV and it found nothing.

Here is the file structure of the .root_0f8430_salt directory.

[root@ .root_0f8430_salt]# ls -l
total 52
-rw-r--r-- 1 root root   65 Apr  5 02:45 code-checksum
-rw-r--r-- 1 salt salt   40 Apr  1 20:23 ext_version
-rw-r--r-- 1 root root   13 Apr  5 02:45 grains
-rw-r--r-- 1 root root  158 Apr  5 02:45 minion
drwx------ 9 root root 4096 Apr  5 02:45 py3
drwx------ 6 root root 4096 Apr  5 02:45 pyall
drwx------ 3 root root 4096 Apr  5 02:45 running_data
-rw-r--r-- 1 root root  757 Apr  5 02:45 salt-call
-rw------- 1 root root 8629 Apr  5 02:45 salt_state.tgz
-rw-r--r-- 1 root root    8 Apr  5 02:45 supported-versions
-rw-r--r-- 1 root root    6 Apr  5 02:45 version
[root@ .root_0f8430_salt]#

Re: Suspicious File Alert
« Reply #1 on: April 18, 2024, 05:54:00 PM »
Are you running Python 2.7 or 3.6 on that system? Do you actually make use of it for any web facing apps, or just PHP?

Re: Suspicious File Alert
« Reply #2 on: April 18, 2024, 06:51:30 PM »
Just PHP, no Python.

Re: Suspicious File Alert
« Reply #3 on: April 18, 2024, 10:47:05 PM »
My systems have core.py included in both versions of Python:
Code:
/usr/lib/python2.7/site-packages/di/core.py
/usr/lib/python2.7/site-packages/pyudev/core.py
/usr/lib/python3.6/site-packages/pip/_vendor/certifi/core.py
/usr/lib/python3.6/site-packages/pip/_vendor/idna/core.py
/usr/lib64/python2.7/distutils/core.py
/usr/lib64/python3.6/distutils/core.py
I don't have anything like your salt directory under /tmp. Do you see any processes running that create those tmp files?
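
The question in this reply, which running process references that directory, can be answered from /proc. The following Python script is an added example, not code from the thread or from CWP: it collapses the two alerted paths to their top-level temp directory and lists the live processes whose cwd, exe or an open file descriptor points inside it. The file paths are the ones from the alert; the TMP_ROOTS list and the function names are assumptions.

```python
import os
from pathlib import Path

# The two paths from the alert in the first post; everything else here is constructed for the example.
ALERTED_FILES = [
    "/var/tmp/.root_0f8430_salt/pyall/certifi/core.py",
    "/var/tmp/.root_0f8430_salt/pyall/salt/grains/core.py",
]
TMP_ROOTS = ("/tmp", "/var/tmp", "/dev/shm")  # assumed list of world-writable temp roots

def top_level_tmp_dir(path):
    """Collapse /var/tmp/.root_x/pyall/certifi/core.py to /var/tmp/.root_x; None if not under a temp root."""
    for root in TMP_ROOTS:
        if path.startswith(root + "/"):
            return os.path.join(root, path[len(root) + 1:].split("/", 1)[0])
    return None

def read_proc(proc_root="/proc"):
    """Yield (pid, cmdline, targets) where targets are the link targets of cwd, exe and every open fd.
    Processes we may not inspect are skipped, so run as root to see all of them."""
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            links = [pid_dir / "cwd", pid_dir / "exe", *(pid_dir / "fd").iterdir()]
            raw = (pid_dir / "cmdline").read_bytes()
        except OSError:  # process exited, or belongs to another user and we are not root
            continue
        targets = []
        for link in links:
            try:
                targets.append(os.readlink(link))
            except OSError:  # kernel thread with no exe, or an fd closed in the meantime
                pass
        yield int(pid_dir.name), raw.replace(b"\0", b" ").decode(errors="replace").strip(), targets

def processes_referencing(directory, entries):
    """Return {pid: cmdline} for every entry whose cwd, exe or an open fd lies inside `directory`."""
    directory = directory.rstrip("/")
    return {pid: cmd for pid, cmd, targets in entries
            if any(t == directory or t.startswith(directory + "/") for t in targets)}

if __name__ == "__main__":  # run on the affected host
    entries = list(read_proc())
    for d in sorted({top_level_tmp_dir(f) for f in ALERTED_FILES} - {None}):
        print(d, "->", processes_referencing(d, entries) or "no running process references it")
```

A hit names the process to look at (here that would be the salt-minion processes later found in this thread); no hit only means nothing holds the directory open right now, so a periodic job can still be the writer.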

Re: Suspicious File Alert
« Reply #4 on: April 19, 2024, 11:17:44 AM »
2 processes that might have created the file. Both appear to be related to my host. I even opened a ticket with them to ask about this file alert and they said it was not theirs.

Code:
root        1357  0.0  0.0 346844 30000 ?        Ss   Apr10   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-minion -c /opt/imh-salt/ --pid-file=/var/run/inmotion-minion.pid
root        1826  0.0  0.0 969960 71564 ?        Sl   Apr10   6:50 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-minion -c /opt/imh-salt/ --pid-file=/var/run/inmotion-minion.pid MultiMinionProcessMa

Re: Suspicious File Alert
« Reply #5 on: April 19, 2024, 11:39:26 AM »
Looks like everything related to these tmp files was written on April 5th, 4 days before I got the server.

These are the logs:

Code:
2024-04-05 02:45:24,425 [salt.loaded.int.module.pkg_resource:133 ][WARNING ][2158] 'version' argument will be ignored for multipl$
2024-04-05 02:45:27,521 [salt.loaded.int.module.pkg_resource:133 ][WARNING ][2158] 'version' argument will be ignored for multipl$

Code:
root         133  0.0  0.0      0     0 ?        I<   Apr10   0:00 [crypto]

Re: Suspicious File Alert
« Reply #6 on: April 23, 2024, 06:28:10 PM »
In the end I just backed up the contents of the .root_0f8430_salt folder and then deleted it off the server.

I have yet to have anything complain about that action.