Skip to main content

Looking for Suspicious Files Question

Comments

5 comments

  • cPanelLauren
    For starters, dovecot index files are not suspicious files they appear this way because dovecot uses binary index and log files to improve performance accessing mail. In order to view the contents of the files, you would need to use doveadm [-Dv] dump [-t type] path
    This is explained in dovecot's wiki here: Tools/Doveadm/Dump - Dovecot Wiki But really you shouldn't need to make any changes to or use this as it's not necessarily used to troubleshoot any issues beyond something a dev might be doing to debug a coding issue with dovecot. If you're concerned you have malicious content on the server I'd suggest using a malware scanner such as ClamAv, Immunify360 or Linux Malware Detect. If you're unable to determine the source or if you don't feel comfortable with those tools, I'd suggest enlisting the assistance of a qualified system administrator. If you don't have one available you might find one here: System Administration Services. Thanks!
    0
  • Arslan Asghar
    Thank you very much Luaren for your response. It's just that my previous server was hacked and compromised and was being used for phishing and spamming so my team migrated it to a secure server but the issue still continues even on the new server. So, I just wanted to confirm that which specific file in the file directory was being used for phishing and spamming so that I could manually remove it.
    0
  • cPanelLauren
    If it's an account level compromise migrating to a new server won't resolve the issue in most cases. If you have a specific problematic account I'd start the search with the files in that account. Malware scanners should be able to get you pointed in the right direction but if you're using a CMS a really common method of compromise is to take advantage of vulnerable/outdated plugins/themes/components etc. and I would suggest evaluating any of those if present on the account. A qualified system administrator should also be able to tell you from looking at the domain access logs and server activity the origin of the attack as well.
    0
  • Arslan Asghar
    Thank You Lauren once again. The issue is that the hacker has copied malicious code on almost every domain on my server. And now both my IPs and some domains are blocked and my team is facing a lot of issues at the moment. Luaren is there any command that will run scan over the file directories of all my domains through CLAMAV scanner. Please help me with is if you can?
    0
  • cPanelLauren
    You can use ClamAV to scan all users the documentation here goes over how to configure it: Configure ClamAV Scanner - Version 82 Documentation - cPanel Documentation If you prefer to use the command line interface to run ClamAV, the binaries reside in the /usr/local/cpanel/3rdparty/bin/ directory:
    1 2 3 /usr/local/cpanel/3rdparty/bin/clamscan /usr/local/cpanel/3rdparty/bin/clamdscan /usr/local/cpanel/3rdparty/bin/freshclam
    0

Please sign in to leave a comment.