Nice commands to know:
su -c "/opt/otrs/bin/otrs.Console.pl" -s /bin/bash otrs = show all options su -c "/opt/otrs/bin/otrs.Console.pl Maint::Ticket::Dump #Ticket_id " -s /bin/bash otrs = Show ticket
su -c "/opt/otrs/bin/otrs.Console.pl Maint::Ticket::Delete --ticket-id #Ticket_id " -s /bin/bash www-data = Delete by Ticket ID (> Found in URL and in Database) = www-data User is the owner of attachments!
su -c "/opt/otrs/bin/otrs.Console.pl Maint::Ticket::Delete --ticket-id #Ticket_Number " -s /bin/bash www-data = Delete by Ticket Number (as seen in GUI) = www-data User is the owner of attachments!
Its important for removal of the attachments to use a Linux User with correct permissions.
How to find ticket ids:
Via GUI in the URL or via Malware lists: First find id: (ID before a Filename) /pathto/article/2018/01/01/100005/UPS_Lieferschein_with_malware.zip
Use a Mysql tool to get rm command with correct ID
below commented ticket id can be used to view tickets via https://tickets.domain/otrs/index.pl?Action=AgentTicketZoom;TicketID=230862 (the ticket_id from SQL Call)
SQL Call with example IDs and commented Options 4 Checks:
SELECT
#id,ticket_id,
#CONCAT ('su -c "/opt/otrs/bin/otrs.Console.pl Maint::Ticket::Dump ',ticket_id,'" -s /bin/bash otrs'),
CONCAT ('su -c "/opt/otrs/bin/otrs.Console.pl Maint::Ticket::Delete --ticket-id ',ticket_id,'" -s /bin/bash www-data')
FROM `article`
WHERE
`id` = '#anumberseeninfiles'
OR `id` = '#anothernumberseeninfiles'
OR `id` = '#andanother'
You get
su -c "/opt/otrs/bin/otrs.Console.pl Maint::Ticket::Delete --ticket-id #the_ticket_id" -s /bin/bash www-data
su -c "/opt/otrs/bin/otrs.Console.pl Maint::Ticket::Delete --ticket-id #another_ticket_id" -s /bin/bash www-data
su -c "/opt/otrs/bin/otrs.Console.pl Maint::Ticket::Delete --ticket-id #andanother_ticket_id" -s /bin/bash www-data
Use it in bash CL