MalwareBytes detections on Ubuntu Server 18.04

I’m running UrBackup on 4 Ubuntu 18.04 servers, all of which have MalwareBytes running. I have the directory where I store the backup data excluded, and have on-demand scans run daily. On one of the servers it detects the following threats:

Trojan.Backdoor.Abafar /tmp/cps.kQKFuQ
Trojan.Generic.Screencap /tmp/cps.zwcg3S

I see a lot of files with the cps.xxxxxx naming scheme, but don’t know what they do other than that they are owned by urbackup:urbackup. I’m sure it’s nothing, and I should probably be good to whitelist the files, but I was just wondering if anyone else had run into anything similar; I couldn’t find anything by searching the forum. Thanks.

In this case it might be best to establish a separate temporary location, such as /tmp/urbackup/, so you can allow-list the temporary backup files without opening up the whole /tmp hierarchy. There is no fear that UrBackup will execute the contents of these files, and having accurate copies may help with forensics if you encounter actual malware. It also helps the backup speed. In my Windows backup locations, having the UrBackup program files, the Client backup data folder, and the temporary folder (C:\Windows\Temp\urbackup_client_tmp) excluded from local scans makes a noticeable difference in backup times.

I’m also a fan of putting the UrBackup Server directory and temporary files on an SSD for improved performance and quota management, as each file may be checksummed and looked up in the file database - both of which benefit from faster I/O.