× Presentation and instructions about security tools used to prevent server hacking. Feel free to use them or ask us to protect your site hosting it to a safe, daily monitored vps senter. Freespirits will ensure great quality of services.

CWP Security Audit Critical Alert: Ghost Files Deleted But Running — Fixed

Περισσότερα
2 Εβδομάδες 4 Ημέρες πριν #339 από infogate
I recently received a CWP Security Audit warning like this:
danger - Level of notification: Danger
CWP Security Audit - Ghost files (deleted but running)
[!!! CRITICAL ALERT !!!] Ghost files (deleted but running) found
For more info run:
sh /scripts/cwp_security_audit
After running the audit manually:
sh /scripts/cwp_security_audit
CWP reported this:
[INFO] Auditing php-fpm-cwp
[!!! CRITICAL ALERT !!!] Ghost files (deleted but running) found:
php-fpm ... DEL /usr/lib64/libcrypto.so...
php-fpm ... DEL /usr/lib64/libssl.so...
php-fpm ... DEL /usr/lib64/libxml2.so...
php-fpm ... DEL /usr/lib64/libpng15.so...
At first this looked like a serious malware warning, but in this case it was not a hacked file or malware running from
/tmp
,
/dev/shm
, or a website folder.The deleted files were old system libraries still loaded by the CWP PHP-FPM process. This can happen after system updates when services keep using old library files in memory until they are restarted.To verify the affected process, I checked the PID:
ps -p 855 -o pid,ppid,user,etime,cmd
readlink -f /proc/855/exe
tr '\0' ' ' < /proc/855/cmdline; echo
cat /proc/855/cgroup
The process was:
php-fpm: master process (/usr/local/cwp/php71/etc/cwpsrv.conf)
And the real service was:
cwpsrv-phpfpm.service
The fix was to restart the CWP panel services:
sh /scripts/restart_cwpsrv
Then I ran the audit again:
sh /scripts/cwp_security_audit
The result was clean:
[OK] cwpsrv looks clean.
[OK] php-fpm-cwp looks clean.
[OK] apache looks clean.
[DONE] Security audit finished.
So the final fix was:
sh /scripts/restart_cwpsrv
sh /scripts/cwp_security_audit
Optional extra check:
lsof +L1 | egrep -i "php-fpm|libcrypto|libssl|libxml2|libpng" || echo "No stale deleted libraries found"
In this case, the alert was caused by stale deleted libraries still loaded in memory by CWP PHP-FPM, not by active malware.If the deleted running file appears under paths like
/tmp
,
/var/tmp
,
/dev/shm
,
/home/user/tmp
, or a public website folder, then it should be treated as suspicious. But when the alert points only to deleted system libraries used by CWP PHP-FPM, restarting CWP services usually clears it.


The best possible way to start your online marketing : fspirits.com/go/leadsleap-home
Explode Your Web Site Traffice: fspirits.com/go/sparktraffic
Start your affiliate journey here: fspirits.com/go/olsp-academy
Best Solution To Create Videos: fspirits.com/go/create-studio-pro
Best Solution To Create Graphics: fspirits.com/go/clickdesigns
Smart Chat Automation: fspirits.com/go/chatterpal
Multi-Purpose Video Maker: fspirits.com/go/avatar-builder
Multi-Purpose Video Creator: fspirits.com/go/video-creator
AI Human Spokesperson Videos: fspirits.com/go/humanpal

Παρακαλούμε Σύνδεση ή Δημιουργία λογαριασμού για να συμμετάσχετε στη συζήτηση.

Χρόνος δημιουργίας σελίδας: 0.061 δευτερόλεπτα
Powered by Kunena Φόρουμ