Can't delete or rename folders, plus infected files keep showing
Hello,
I really need some help with this :
- I can't empty the trash bin in File Manager
- I can't rename or delete some folders, I get this message: FileOp Failure: Failed to move 'Grande Salle' to trash (System Error: No such file or directory)
- Every day at 7 pm, lots of files are modified automatically; if they contain URLs, they are changed to a pornographic and Viagra pills URL.
If it's just one infected account, it's best to restore from a clean backup (that's why it's so important to take regular backups) and then work to update the website and platform and so on. If the whole server is compromised, you should re-install it from the clean backups.
Only 1 user is infected, the other 70 accounts are clean. But what do you mean by restore? Terminate the user and recreate it? Files and emails and stats and databases? Hope there is a more peaceful way for this issue. Please, I need your support because it's a school website, students browsing mature content. This is inappropriate.
If something is automatically creating content at a certain time, it sounds likely that there is a malicious script on the domain that executes at that time. The best way to take care of this problem permanently would be what @ZenHostingTravis said - restore the entire site from a known-good backup. If you don't have a backup of the site available, you may need to work with a professional administrator to see if the site can be cleaned by someone who is familiar with security and account compromises. I would also recommend scanning the personal computer of any admin that may have had access to the site, as keylogging malware is a common way to steal passwords and get access.
Thank you for your input, those are the precautions I took:
- Uploaded a clean backup of the website and app, but this procedure excludes databases and new uploads like images and PDFs.
- Searched databases for the porn URL and I found only 1, now cleared.
- Changed the passwords using generated passwords.
- Now I'm deleting the folders and clearing Trash with an FTP client like FZ.
- But why can't I delete or rename folders from File Manager?
- Any further precaution steps you can add?
There could be any number of reasons it's not working well from File Manager. Can you see what permissions and ownership the file(s) has that you can't delete? It's always hard to recommend precautions. If you're using something like WordPress for the site, it's best to keep it and all plugins up-to-date to avoid these issues.
Yes, now updating the plugins from of the backups. Permission: 0755. How do I see the ownership of those sticky folders?
As long as that's the correct cPanel user, that wouldn't be the issue then. Do the items you're trying to delete also show up in SSH? If so, then I'm not sure why they could be removed through file manager.
I use Terminal in WHM to SSH, I browsed this infected user, the sticky folders are there. Any suggestion why I can't remove them from File Manager? This is the error I get:
FileOp Failure on: /home/user/public_html/path/Grande Salle: No such file or directory
Can you run these commands from the Terminal application to get more details on that file?
ls -lah "/home/user/public_html/path/Grande Salle"
lsattr "/home/user/public_html/path/Grande Salle"
It may help to tab-complete those file names so the space is properly executed in bash.
total 288K
drwxr-xr-x 5 user user 135 Jul 18 2020 .
drwxr-xr-x 9 user user 153 Feb 12 15:15 ..
-rw-r--r-- 1 user user 1.3K Sep 13 2019 index.html
drwxr-xr-x 4 user user 105 Jul 18 2020 panos
drwxr-xr-x 2 user user 4.0K Jul 18 2020 plugins
drwxr-xr-x 2 user user 4.0K Jul 18 2020 skin
-rw-r--r-- 1 user user 2.2K Sep 13 2019 tour_editor.html
-rw-r--r-- 1 user user 158K Sep 13 2019 tour.js
-rw-r--r-- 1 user user 106K Sep 13 2019 tour.swf
-rw-r--r-- 1 user user 2.2K Sep 13 2019 tour.xml
and ..
[root@server v105]# lsattr /home/user/public_html/v105/3_2\ Grande\ Salle\ du\ Coll?ge/
---------------- /home/user/public_html/v105/3_2 Grande Salle du Coll?ge/index.html
---------------- /home/user/public_html/v105/3_2 Grande Salle du Coll?ge/panos
---------------- /home/user/public_html/v105/3_2 Grande Salle du Coll?ge/plugins
---------------- /home/user/public_html/v105/3_2 Grande Salle du Coll?ge/skin
---------------- /home/user/public_html/v105/3_2 Grande Salle du Coll?ge/tour.js
---------------- /home/user/public_html/v105/3_2 Grande Salle du Coll?ge/tour.swf
---------------- /home/user/public_html/v105/3_2 Grande Salle du Coll?ge/tour.xml
---------------- /home/user/public_html/v105/3_2 Grande Salle du Coll?ge/tour_editor.html
That all looks normal to me, so I'm not sure why the removal through File Manager wouldn't work well. The only guess I have would be that the file didn't exist by the time you accessed it in the interface since it was being manipulated by the malicious script, but that is a complete guess.
I'm afraid I have to destroy the user account and restore everything, emails, database, etc. If you have other possibilities to share, please let me know.
Excuse me for this question, but what's the difference between Owner / Group 1112 / 1114 and Owner / Group 1112 / 99?
For this situation I do agree restoring a backup would be the best way to ensure there is no more malicious code present on the site. In the user example you provided, the different group ID would indicate the group ownership is the Apache "nobody" user, which is normal for the public_html directory to have depending on the server settings and PHP handler.
Why do all directories have the Owner / Group 1112 / 1114, but only 1 folder has this Owner / Group 1112 / 99? I'm afraid the person who created the app also created a special permission to modify the account directories. Because this developer worked only on this 1112 / 99 folder and the deal didn't end up peacefully with him.
Anyway, I restored everything and still cannot delete or rename a folder. I tried to simply delete the twentytwenty theme from a fresh WordPress install; still having the same problem:
FileOp Failure on: /home/user/public_html/wp-content/themes/twentytwenty: No such file or directory
Could this be something related to cPanel configuration, rather than something malicious?
@psytanium - at this point it would be best to open a ticket to have us examine the system directly so we can test that on our end. If you do that, can you post the ticket number here so I can follow along and keep the community updated with our findings?
Submitted. Ticket number 94241570
Just to update the case. The error when deleting / editing / renaming files / folders was fixed when I restored the account to a previous, clean backup, and with the support of the cPanel team, we found some folders with permission 777, changed to 755. Big thanks :)
I'm glad you were able to get that resolved!
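Added example, not part of the thread and not cPanel tooling: a read-only triage script for the three things the thread ended up checking by hand, namely folders left at mode 777, files rewritten at the same hour every day, and entries with a group other than the account's own. It assumes GNU find (for `-printf`); the function names, the docroot path, hour and gid arguments are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): read-only triage of one account's docroot.
# Assumes GNU find (-printf), as on the Linux distributions cPanel runs on.

# Directories any local user can write to (e.g. mode 0777).
find_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print
}

# Regular files whose last-modified hour (local time, 00-23) equals $2,
# on any date. Useful when changes recur at the same time every day.
find_modified_in_hour() {
    find "$1" -xdev -type f -printf '%TH %p\n' |
        awk -v h="$2" '$1 == h { sub(/^[0-9]+ /, ""); print }'
}

# Entries whose numeric group differs from the account's own gid ($2).
# Prints "uid:gid mode path" so ownership can be read at a glance.
find_unexpected_group() {
    find "$1" -xdev ! -gid "$2" -printf '%U:%G %m %p\n'
}

# Usage: sh triage.sh /home/USER/public_html HOUR GID   (placeholders)
if [ "$#" -eq 3 ]; then
    echo "== world-writable directories =="
    find_world_writable_dirs "$1"
    echo "== files last modified during hour $2 =="
    find_modified_in_hour "$1" "$2"
    echo "== entries not in group $3 =="
    find_unexpected_group "$1" "$3"
fi
```

The script only reports; a group of 99 on public_html itself can be expected, as noted in the thread, so review the output before changing any mode or ownership.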