Strange Files in sites folder?

I have two strange files in frappe-bench/sites folder namely

  1. select apps.txt assets common_site_config.json currentsite.txt select workflow_state from tabSales Order toto from tabSales Order

  2. select workflow_state from tabSales Order

is this normal ?

No this is not. The following are the files you can expect to be there along with your site folder

  • apps.txt
  • common_site_config.json
  • currentsite.txt

You have to check you system logs or command history to see if someone with access to the server created this

I guess it is an some kind of attack because we have not created those files . What are possible troubleshooting options for that ?

On Ubuntu servers, you can find who logged in when (and from where) in the file /var/log/auth.log . There, you find entries like:

May  1 16:17:02 owl CRON[9019]: pam_unix(cron:session): session closed for user root
May  1 16:17:43 owl sshd[9024]: Accepted publickey for root from port 37384 ssh2
May  1 16:17:43 owl sshd[9024]: pam_unix(sshd:session): session opened for user root by (uid=0)

On Red Hat based distros such as Fedora/CentOS/RHEL you can check for the users logged in inside the file /var/log/secure

These logs will show you any access.

If you suspect any breach, I strongly recommend you to revoke all unknown keys from authorized keys. You can find the files in ~/.ssh/authorized_keys . However please make sure you remove only unknown keys, modifying the contents in this file wrongly can lock you out of your server permanently

I will check the logs and revert it to you also in ssh we have only one ssh key which is mine only.

I have checked the logs there is no such suspicions as i said there is no access with ssh access which have only one key . I think it something other than that .I will keep digging and let you know also , should we delete this post, because i guess there are some security concerns.

You don’t have to, it’s fine and does not posses a security risk

In that case, a breach is highly unlikely. Check the command history that was executed

Only one thing worries me that file contain the dump of few sql tables so i guess there is some thing.

You can consult with experts if you feel the need for it.