Strange Files in sites folder?

jtarun4625 · May 1, 2020, 7:49am

I have two strange files in frappe-bench/sites folder namely

select apps.txt assets common_site_config.json currentsite.txt select workflow_state from tabSales Order toto from tabSales Order
select workflow_state from tabSales Order

is this normal ?

scmmishra · May 1, 2020, 8:24am

No this is not. The following are the files you can expect to be there along with your site folder

apps.txt
common_site_config.json
currentsite.txt

You have to check you system logs or command history to see if someone with access to the server created this

jtarun4625 · May 1, 2020, 8:38am

I guess it is an some kind of attack because we have not created those files . What are possible troubleshooting options for that ?

scmmishra · May 1, 2020, 8:42am

On Ubuntu servers, you can find who logged in when (and from where) in the file /var/log/auth.log . There, you find entries like:

May  1 16:17:02 owl CRON[9019]: pam_unix(cron:session): session closed for user root
May  1 16:17:43 owl sshd[9024]: Accepted publickey for root from 192.168.0.101 port 37384 ssh2
May  1 16:17:43 owl sshd[9024]: pam_unix(sshd:session): session opened for user root by (uid=0)

On Red Hat based distros such as Fedora/CentOS/RHEL you can check for the users logged in inside the file /var/log/secure

These logs will show you any access.

If you suspect any breach, I strongly recommend you to revoke all unknown keys from authorized keys. You can find the files in ~/.ssh/authorized_keys . However please make sure you remove only unknown keys, modifying the contents in this file wrongly can lock you out of your server permanently

jtarun4625 · May 1, 2020, 8:53am

I will check the logs and revert it to you also in ssh we have only one ssh key which is mine only.

jtarun4625 · May 1, 2020, 12:55pm

I have checked the logs there is no such suspicions as i said there is no access with ssh access which have only one key . I think it something other than that .I will keep digging and let you know also , should we delete this post, because i guess there are some security concerns.

scmmishra · May 1, 2020, 12:58pm

You don’t have to, it’s fine and does not posses a security risk

In that case, a breach is highly unlikely. Check the command history that was executed

jtarun4625 · May 1, 2020, 1:00pm

Only one thing worries me that file contain the dump of few sql tables so i guess there is some thing.

scmmishra · May 6, 2020, 4:04pm

You can consult with experts if you feel the need for it.