Can't delete infected file

Comments

10 comments

  • rpvw
    The following needs to be run by the root user. Use lsattr -d on the folder containing your index.php file to test if the folder itself has the -a or -i flag set, which you will have to remove first. Once you have the folder clear, use lsattr to test the file itself for the presence of an a or i flag. You can then remove the flag with chattr, e.g.:
    # chattr -i [filename]
    # chattr -a [filename]
    0
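    The folder-then-file attribute check from the comment above, written out as a small script. This is an added example, not code posted in the thread; it assumes lsattr/chattr from e2fsprogs are present and that it is run as root, and the sample lsattr lines it parses are constructed.

```sh
#!/bin/sh
# Added example: report whether the immutable (i) or append-only (a)
# attribute is blocking removal of a file, checking the containing folder
# first (lsattr -d) and then the file itself, as described in the thread.

# Given one lsattr output line such as "----i---------e-------- /path" and a
# single attribute letter, return 0 if that letter is in the flag field.
# Only the first field is inspected, so letters in the path do not match.
attr_has_flag() {
  flags=$(printf '%s\n' "$1" | awk '{print $1}')
  case "$flags" in
    *"$2"*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Run lsattr on PATH ($1) with optional extra option ($2, use -d for a
# directory so lsattr shows the directory itself, not its contents) and
# print the chattr command that would clear each blocking flag found.
# Returns 0 if an i or a flag is present, 1 if clear, 2 if lsattr failed.
report_flags() {
  line=$(lsattr $2 "$1" 2>/dev/null) || { echo "lsattr failed for $1"; return 2; }
  found=1
  for f in i a; do
    if attr_has_flag "$line" "$f"; then
      echo "$1: '$f' attribute set; clear with: chattr -$f $1"
      found=0
    fi
  done
  [ "$found" -eq 0 ] || echo "$1: no i/a attribute set"
  return "$found"
}

# Check the folder containing the file first, then the file itself.
check_file() {
  report_flags "$(dirname "$1")" -d
  report_flags "$1"
}

# Usage (hypothetical path): check_file /home/user/public_html/index.php
```

If both reports come back clear and the file still reappears after deletion, the attributes are not the cause and the later comments about a regenerating process apply.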
  • makosa2018
    It has no attributes
    0
  • rpvw
    If neither the containing folder nor the file have attributes set, you may have a bigger problem. That would seem to indicate that you are successfully deleting the file, but something is then immediately regenerating it. You might have to start a server wide forensic investigation as to what keeps regenerating this file, and how it got into the server, and how it might be removed. Good luck.
    0
  • makosa2018
    Was able to delete it after changing the account username. Still watching to see if the problem may come back.
    0
  • cPanelLauren
    Hi @makosa2018, I'm glad to hear you were able to resolve the issue. I would still recommend doing a full security audit on the files/folders located within the user's home directory, as suggested by @rpvw. Thanks!
    0
  • Ian Jackson
    Hi there. I have the same issue with my site. My index.php contains the base64 string with 444 permissions, and each time I try to delete/edit the file, it just reverts back to the infected version. I am really curious how this could be regenerating itself. I figured maybe there was another file elsewhere which was being accessed every few seconds which would create the index file, but I tried blocking access to the site with htaccess and was still unable to delete the file. I have checked all other files and removed anything unnecessary, so I am fairly certain this last file is the only one remaining. Does anyone know what could be causing this? Also, I do not see an option to change the user account name.
    0
  • cPanelLauren
    Hi @Ian Jackson, if it continues to come back after you've removed it, you have not removed the source of the infection. If you're using a CMS, I would suggest removing all plugins/themes/components etc. that aren't being used or are potentially vulnerable. You may also want to look at using a malware scanner like ClamAV or Linux Malware Detect. Ultimately, if you're unable to identify the source, you may also want to contact your provider for assistance and/or enlist the assistance of a qualified system administrator. If you don't have one you might find one here: System Administration Services | cPanel Forums. Thanks!
    0
  • tmcstom
    I would also recommend checking existing cron jobs for the user.
    0
  • Julianno Nogueira
    Hello all, I know this is a bit of an old thread, but I see that there was never a reply back that really resolved the issue. This issue is caused by "web designers" that use nulled themes or cracked plugins inside WordPress. There is no free lunch. As a system admin, I saw this issue before and can confirm this is a "virus automation" from a WordPress infected website (admin part). I also removed it without clearing the entire account, but I can say the website is infected and needs to be entirely deleted/replaced, along with some other folders/files. IMPORTANT - If you don't have backups, it's hard, but you lost your website, and you have your e-mails inside the "mail" folder at risk. To resolve this issue:
    1- List all .php files inside /home/domain/ "forward". For that, use as root or in the terminal: find . -type f -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort
    2- Suspend the account temporarily from WHM. As the automation is "running" in server memory, it will not stop itself and will rebuild the index.php file (and its subfiles in other folders) any time you try to delete it.
    3- With the account suspended, as root (SSH) or in WHM, access the terminal (or the file manager in cPanel, via WHM) and delete all .php files related to these folders (including the entire WordPress website files) - PHP inside folders: /tmp (and its subfolders) and .trash - From public_html, you finally delete the index.php file, and all WordPress website files (literally).
    4- Renew the website database at phpMyAdmin (website/WordPress .sql file) with a good backup either.
    5- Remove the domain suspension at WHM and bring the domain up again.
    6- Put the new (or backup) WordPress files back at public_html.
    7- Enter your website (wp-admin) and review your themes/plugins. If your website was made with cracked/nulled themes or plugins, you'll get infected again soon.
    I hope it helps! Cheers!
    0
  • juancaco
    Hello all, I know this is a bit of an old thread, but I see that there was never a reply back that really resolved the issue. This issue is caused by "web designers" that use nulled themes or cracked plugins inside WordPress. There is no free lunch. As a system admin, I saw this issue before and can confirm this is a "virus automation" from a WordPress infected website (admin part). I also removed it without clearing the entire account, but I can say the website is infected and needs to be entirely deleted/replaced, along with some other folders/files. IMPORTANT - If you don't have backups, it's hard, but you lost your website, and you have your e-mails inside the "mail" folder at risk. To resolve this issue:
    1- List all .php files inside /home/domain/ "forward". For that, use as root or in the terminal: find . -type f -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort
    2- Suspend the account temporarily from WHM. As the automation is "running" in server memory, it will not stop itself and will rebuild the index.php file (and its subfiles in other folders) any time you try to delete it.
    3- With the account suspended, as root (SSH) or in WHM, access the terminal (or the file manager in cPanel, via WHM) and delete all .php files related to these folders (including the entire WordPress website files) - PHP inside folders: /tmp (and its subfolders) and .trash - From public_html, you finally delete the index.php file, and all WordPress website files (literally).
    4- Renew the website database at phpMyAdmin (website/WordPress .sql file) with a good backup either.
    5- Remove the domain suspension at WHM and bring the domain up again.
    6- Put the new (or backup) WordPress files back at public_html.
    7- Enter your website (wp-admin) and review your themes/plugins. If your website was made with cracked/nulled themes or plugins, you'll get infected again soon.
    I hope it helps! Cheers!

    This is a masterpiece investigation, thank you very much for your suggestion and workaround. I have not tried it yet, but it seems logical. One of my customers is having an identical situation. I noticed those null files right away after they published their website. Too bad for them, but it is well deserved.
    0