I have two strange files in frappe-bench/sites folder namely
-
select apps.txt assets common_site_config.json currentsite.txt select workflow_state from tabSales Order toto from tabSales Order
-
select workflow_state from tabSales Order
Is this normal?
No, this is not. The following are the files you can expect to be there along with your site folder:
- apps.txt
- common_site_config.json
- currentsite.txt
You have to check your system logs or command history to see if someone with access to the server created this.
I guess it is some kind of attack because we have not created those files. What are possible troubleshooting options for that?
On Ubuntu servers, you can find who logged in when (and from where) in the file /var/log/auth.log. There, you find entries like:
May 1 16:17:02 owl CRON[9019]: pam_unix(cron:session): session closed for user root
May 1 16:17:43 owl sshd[9024]: Accepted publickey for root from 192.168.0.101 port 37384 ssh2
May 1 16:17:43 owl sshd[9024]: pam_unix(sshd:session): session opened for user root by (uid=0)
On Red Hat based distros such as Fedora/CentOS/RHEL, you can check for the users logged in inside the file /var/log/secure.
These logs will show you any access.
If you suspect any breach, I strongly recommend you revoke all unknown keys from authorized keys. You can find the files in ~/.ssh/authorized_keys. However, please make sure you remove only unknown keys; modifying the contents of this file wrongly can lock you out of your server permanently.
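An added example, not part of the original thread: a small Python script that reads sshd lines in the auth.log format quoted above, lists accepted logins from sources you do not recognise, and counts failed attempts per source. The sample log (including the `frappe` user and the 203.0.113.7 address) and the `known_sources` allow-list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the auth.log format quoted above (not real data).
SAMPLE_LOG = """\
May 1 16:17:02 owl CRON[9019]: pam_unix(cron:session): session closed for user root
May 1 16:17:43 owl sshd[9024]: Accepted publickey for root from 192.168.0.101 port 37384 ssh2
May 1 16:17:43 owl sshd[9024]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 2 03:12:10 owl sshd[9311]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
May 2 03:12:15 owl sshd[9311]: Failed password for root from 203.0.113.7 port 50124 ssh2
May 2 03:14:40 owl sshd[9340]: Accepted password for frappe from 203.0.113.7 port 50190 ssh2
"""

# Matches sshd "Accepted"/"Failed" authentication lines only.
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)

def parse_ssh_events(text):
    """Return one dict (ts, result, method, user, src) per sshd auth line."""
    events = []
    for line in text.splitlines():
        m = SSHD_AUTH.match(line)
        if m:
            events.append(m.groupdict())
    return events

def review_logins(text, known_sources):
    """Return (accepted logins from unknown sources, failed counts per source)."""
    unexpected, failures = [], defaultdict(int)
    for ev in parse_ssh_events(text):
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif ev["src"] not in known_sources:
            unexpected.append(ev)
    return unexpected, dict(failures)

if __name__ == "__main__":
    import sys
    # Pass a log path (/var/log/auth.log or /var/log/secure); else use the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    unexpected, failures = review_logins(text, known_sources={"192.168.0.101"})
    for ev in unexpected:
        print(f"UNEXPECTED {ev['ts']} {ev['user']} via {ev['method']} from {ev['src']}")
    for src, n in sorted(failures.items()):
        print(f"{n} failed attempts from {src}")
```

Rotated logs (auth.log.1 and compressed older files) are not read by this script, so a login older than the current log file will not appear in its output.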
I will check the logs and revert to you. Also, in SSH we have only one SSH key, which is mine only.
I have checked the logs; there are no such suspicions. As I said, there is no access with SSH, which has only one key. I think it is something other than that. I will keep digging and let you know. Also, should we delete this post, because I guess there are some security concerns?
You don't have to, it's fine and does not pose a security risk.
In that case, a breach is highly unlikely. Check the command history that was executed.
Only one thing worries me: that file contains the dump of a few SQL tables, so I guess there is something.
You can consult with experts if you feel the need for it.