How to delete "uploads/-/system/temp/" files

Running gitlab-ce-15.8.1-ce.0.el7.x86_64 on Oracle Linux 7.9

A recent Defender security scanner picked up some files in

/var/opt/gitlab/gitlab-rails/uploads/-/system/temp/

like this:

-rw-r--r-- 1 git git 182 Jul 8 2021 ./a415854b8ac8b861b44d67ad88086b0b/dog.jpg

There are several of these files. Two from Jul 2021 and some more from Oct 28 2021.

The files are shell scripts and obviously malicious. From analysis of the system's lastcomm logs I know these scripts have not been run in the last month. I have no idea if they succeeded in 2021.

My questions are, is it safe to simply delete these files?
Will it corrupt anything by deleting them?

It would also be useful to work out which user made these uploads.

Defender quarantined (deleted) the 2 it found, but it missed several others.

I’ve tried, to no avail, the recipes at: Clean up Rake tasks

Thanks in advance!

They won’t have been uploaded by a valid user on your system, rather they were uploaded when there was a vulnerability in Gitlab that allowed it to do that.

You would have known if they were successful, since they ran CPU miners - processes usually pretending to be java or something else running as the git user. So if you don’t have CPU miners running and consuming your CPU, then this won’t be an issue.

I believe they are safe to delete since nothing in Gitlab will rely on them.

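Since the scanner quarantined only two of the files and missed others, one way to list the rest is to check every image-named file under the temp directory for a matching image signature. This is an added example, not part of the original posts or of GitLab's code; the function names and the constructed sample tree are assumptions.

```python
import os
import tempfile

# Leading bytes ("magic numbers") expected for common image extensions.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def find_mismatched_uploads(root):
    """Return [(path, note)] for image-named files whose content is not that image type."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # do not follow symlinks out of the tree
            with open(path, "rb") as fh:
                head = fh.read(16)
            if head.startswith(MAGIC[ext]):
                continue  # content matches the extension
            note = "starts with #! (script)" if head.startswith(b"#!") else "not a valid " + ext
            findings.append((path, note))
    return findings

def demo():
    """Build a constructed sample tree and scan it (no real GitLab data involved)."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "0123456789abcdef0123456789abcdef")  # constructed directory name
    os.mkdir(sub)
    with open(os.path.join(sub, "dog.jpg"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho constructed sample\n")  # script posing as an image
    with open(os.path.join(sub, "cat.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 12)  # genuine JPEG header
    return [(os.path.relpath(p, root), n) for p, n in find_mismatched_uploads(root)]

if __name__ == "__main__":
    # On the server, scan the path from the post instead of the demo tree:
    # find_mismatched_uploads("/var/opt/gitlab/gitlab-rails/uploads/-/system/temp/")
    for path, note in demo():
        print(path, "-", note)
```

Run it as a user that can read the uploads tree, and record the path, owner and timestamps of each finding before deleting it.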