Cant delete infected htaccess file

smeko

• January 19, 2021 07:03

Hi all, I have a web hosting shared server and while i was scanning the users for any infected file using imunifyAV i noticed one htaccess file is infected. I tried deleting this file but when i rescan this user i see that this file exist yet, even though it was deleted before. It seem like it is generated from another script maybe. The script within this infected htaccess file is as below: Options FollowSymLinks MultiViews Indexes ExecCGI AddType application/x-httpd-cgi .cl4 AddHandler cgi-script .cl4 AddHandler cgi-script .cl4 I tried changin the premissions of this file and delete it again but it didnt work. Hope you will help me handling this. Thanks Silvi

• 

  kodeslogic

  • January 19, 2021 13:53

  Have you confirmed with your hosting provider that the htaccess file has the correct ownership, if you are using the shred using? If you have root access to the server then you should make sure that the ownership of the htaccess file is the username of the cPanel account.

  0
• 

  cPRex Jurassic Moderator

  • January 19, 2021 20:05

  Good points, @kodeslogic :D

  0
• 

  smeko

  • January 20, 2021 11:46

  Hi, i am administrator of this shared server but i am facing this problem for the first time. How can i check ownership of this file and make changes? Silvi

  0
• 

  smeko

  • January 20, 2021 11:59

  Hi again, I checked that the owner is the cpanel user frow which im trying to delete this file: Output as below: -rw-rw-r-- 1 username username 153 Dec 11 2013 .htaccess So why i dont have access anyway Silvi

  0
• 

  cPRex Jurassic Moderator

  • January 20, 2021 13:13

  If that is the correct cPanel username I would expect you to be able to manipulate that file. It's possible there are special permissions on that file and you could check that by running this: lsattr .htaccess
  One interesting thing I found is that .cl4 files are data files created and handled by the Easy CD Creator software tool, which primarily gets used in Windows. I wouldn't expect that to be found on a Linux server, and it's definitely not something I'd expect to be created by default. You mentioned you are the admin - do you have root access to WHM or only access to the one user on the machine? If you have root access to the entire system, you're always welcome to submit a support ticket to our team so we can take a look. If not, speaking with your hosting provider about this would be the best way to get more details on what may be happening.

  0

Please sign in to leave a comment.