Help with Suspicious File Alert

Daniel_Dog (Verified User, joined Nov 16, 2019, 444 messages)
Hello everyone,

I received a Suspicious File Alert and am currently looking into the matter.

Message:
Time: Tue Dec 17 04:00:23 2024 +0100
File: /tmp/apt-key-gpghome.EKAn6u8wY7/gpg.1.sh
Reason: Script, file extension
Owner: _apt:nogroup (42:65534)
Action: No action taken

As far as I can see, the mentioned file does not exist anymore. (Even the folder in the /tmp directory where it should be located is gone.)

And as far as I can see, it seems like a false positive. I have, however, never seen this message before, even though I have run DirectAdmin for years now, so I am kind of reluctant to call it a false positive, just to be on the safe side.

I also did not get any follow-up warnings, like a system file failing its MD5 sum, or something like it.

So I would love to know if anyone has received this warning as well, and if so, how to proceed in making sure it is just a false positive.
 
Try these commands in the root shell and execute the config rewrite.
Code:
rm -rf /tmp/apt-key-gpghome.EKAn6u8wY7/gpg.1.sh
da build rewrite_confs
 
Okay, I have run the commands and have not yet received the warning again.

After running the DirectAdmin command, the following files and folders are in the /tmp directory.
root@da-de:/tmp# ls
mysqlx.sock
mysqlx.sock.lock
pear
ssh-XXXX6u2cgF
systemd-private-986a2b7b722a44609484cca902ae82d8-exim.service-0pjKtv
systemd-private-986a2b7b722a44609484cca902ae82d8-httpd.service-mgWjGb
systemd-private-986a2b7b722a44609484cca902ae82d8-php-fpm83.service-GwR7ZZ
systemd-private-986a2b7b722a44609484cca902ae82d8-php-fpm84.service-l5Z35y
systemd-private-986a2b7b722a44609484cca902ae82d8-systemd-logind.service-itM3RO
systemd-private-986a2b7b722a44609484cca902ae82d8-systemd-resolved.service-VSE55D
systemd-private-986a2b7b722a44609484cca902ae82d8-systemd-timesyncd.service-4GMOUP
 
Dec 17 04:00:15 da-de systemd[1]: Starting apt-daily.service - Daily apt download activities...
Dec 17 04:00:18 da-de CRON[1620655]: pam_unix(cron:session): session closed for user **user**
Dec 17 04:00:18 da-de pure-ftpd[1620721]: ([email protected]) [INFO] New connection from 216.245.221.83
Dec 17 04:00:18 da-de pure-ftpd[1620721]: ([email protected]) [INFO] Logout.
Dec 17 04:00:34 da-de systemd[1]: apt-daily.service: Deactivated successfully.
Dec 17 04:00:34 da-de systemd[1]: Finished apt-daily.service - Daily apt download activities.
Dec 17 04:00:34 da-de systemd[1]: apt-daily.service: Consumed 13.322s CPU time.
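One way to check the kind of correlation the journal excerpt above suggests, as an added example that is not part of this thread: parse the alert's timestamp, path and owner, rebuild the apt-daily.service run window from the systemd "Starting"/"Finished" lines, and report whether the alert falls inside that window with the owner apt runs as. The alert and journal text are constructed copies of what was posted; the path pattern generalizes the posted path on the assumption that the random directory suffix and the script number vary between runs.

```python
import re
from datetime import datetime

# Constructed from the alert and journal lines quoted in the thread (user name replaced).
ALERT = """Time: Tue Dec 17 04:00:23 2024 +0100
File: /tmp/apt-key-gpghome.EKAn6u8wY7/gpg.1.sh
Reason: Script, file extension
Owner: _apt:nogroup (42:65534)
Action: No action taken"""

JOURNAL = """Dec 17 04:00:15 da-de systemd[1]: Starting apt-daily.service - Daily apt download activities...
Dec 17 04:00:18 da-de CRON[1620655]: pam_unix(cron:session): session closed for user someuser
Dec 17 04:00:34 da-de systemd[1]: apt-daily.service: Deactivated successfully.
Dec 17 04:00:34 da-de systemd[1]: Finished apt-daily.service - Daily apt download activities."""

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ systemd\[1\]: (Starting|Finished) (\S+) ")
# Assumed shape of apt-key's temporary GnuPG home and helper script, generalized from the alert.
APT_KEY_PATH_RE = re.compile(r"/tmp/apt-key-gpghome\.[A-Za-z0-9]+/gpg\.\d+\.sh")

def parse_alert(text):
    """Split the 'Key: value' alert body into a dict with a naive local-time timestamp."""
    fields = dict(line.split(": ", 1) for line in text.strip().splitlines())
    when = datetime.strptime(fields["Time"], "%a %b %d %H:%M:%S %Y %z")
    # Journal lines carry local wall-clock time without an offset, so compare naive local times.
    return {"time": when.replace(tzinfo=None), "file": fields["File"],
            "owner": fields["Owner"].split(":", 1)[0]}

def service_windows(journal, year):
    """Return {unit: [(start, end), ...]} built from systemd Starting/Finished lines."""
    windows, started = {}, {}
    for line in journal.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # syslog has no year
        state, unit = m.group(2), m.group(3)
        if state == "Starting":
            started[unit] = ts
        elif unit in started:
            windows.setdefault(unit, []).append((started.pop(unit), ts))
    return windows

def explain_alert(alert_text, journal_text, unit="apt-daily.service", expected_owner="_apt"):
    """Report whether the alert is consistent with the named unit's run (time, owner, path)."""
    alert = parse_alert(alert_text)
    runs = service_windows(journal_text, alert["time"].year).get(unit, [])
    in_window = any(start <= alert["time"] <= end for start, end in runs)
    owner_ok = alert["owner"] == expected_owner
    path_ok = APT_KEY_PATH_RE.fullmatch(alert["file"]) is not None
    return {"in_window": in_window, "owner_ok": owner_ok, "path_ok": path_ok,
            "consistent_with_apt": in_window and owner_ok and path_ok}
```

Any check that comes back false (an alert outside the service window, a different owner, or a path that only resembles the apt-key layout) is the case that deserves a closer look rather than a "false positive" label.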
 