Strange Virus in cPanel
You mentioned WordPress; most likely the malicious files came from a bad WordPress plugin. You can try to scan the site using a WordPress plugin like Wordfence, and Imunify through WHM to scan the cPanel account's home directory. Once the malicious code is removed, make sure you update the passwords, including your cPanel account's password.
I think you have not understood what I am saying. Forget my WordPress. I have deleted the complete public_html folder and created a new one. As soon as I refresh File Manager in cPanel, I am getting a new index.php file. I do not know where it is coming from.
This is probably NOT a cPanel issue but rather something that has to do with permissions on that index file OR a cron job that re-creates it after you have deleted it. It would be interesting to check the contents of that index.php in order to see if it's something malicious or just some default index. Thanks, Andrew
Examining the content of the index.php file would be the only way to know for sure what that is. Can you see the data inside there? Are there any cron jobs running on that user account?
There are some viruses which get replicated to all folders, as they run with permission 7 as the user. Another case is that the process is still running and you need to stop the PHP process manually. There are 2 options in my method to resolve this:
1. Go to the antivirus plugin (Virus Scanner by ClamAV, or Imunify360) and scan the cPanel home folder for any worms or trojans.
2. Go to Select PHP Version and change it to any other version. This would break any process currently ongoing. Then revert back to the original PHP version. (If you do not have the Select PHP Version option, that means you are running on an OS different from CloudLinux. In that case, request your hosting provider to go to WHM > Process Manager > Kill all Processes for {User}.)
These both will surely get you out. Let me know if it still happens and then I'll suggest some different methods as well.
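The checks the replies above ask for (is a cron job or a still-running process re-creating the file, what does the file actually contain, and is a file attribute stopping deletion) can be run in one pass from a shell on the server. The script below is an added example, not code from this thread or from cPanel. It assumes a Linux server with GNU find, ps, stat and sha256sum, the cPanel layout of /home/<user> for the home directory and /var/spool/cron/<user> for the user crontab, and lsattr from e2fsprogs if present; the function names are the example's own.

```shell
#!/bin/sh
# Triage helpers for a cPanel account whose index.php keeps reappearing.
# Added example, not code from the thread. Assumptions: Linux with GNU
# find/ps/stat/sha256sum, user crontabs under /var/spool/cron/<user>
# (cPanel default), lsattr optional. Run as root, or as the user for the
# parts that do not need root.

# 1. PHP files written under DIR within the last N minutes (default 10).
#    Delete index.php, wait, then run this: a fresh hit proves the writer is
#    still active, and the mtime pattern narrows down when it runs.
recent_php_files() {
    dir=$1
    minutes=${2:-10}
    find "$dir" -type f -name '*.php' -mmin -"$minutes" 2>/dev/null | sort
}

# 2. Cron entries that could re-create the file: the user's own crontab and
#    any system cron.d drop-in that runs commands as that user.
cron_for_user() {
    user=$1
    if [ -f "/var/spool/cron/$user" ]; then
        echo "== /var/spool/cron/$user"
        cat "/var/spool/cron/$user"
    fi
    grep -l "[[:space:]]$user[[:space:]]" /etc/cron.d/* /etc/crontab 2>/dev/null || :
}

# 3. Processes still running as the account. A php/perl/python process with a
#    long elapsed time that survived the deletion of public_html is the usual
#    culprit; note the PID so /proc/PID/cwd and /proc/PID/exe can be inspected
#    before it is killed.
procs_for_user() {
    ps -u "$1" -o pid=,etime=,cmd= 2>/dev/null || :
}

# 4. Immutable (i) or append-only (a) attributes under DIR. These explain a
#    file that "cannot be removed" even by root from the File Manager.
immutable_files() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not available"; return 0; }
    lsattr -R "$1" 2>/dev/null | awk '$1 !~ /:$/ && $1 ~ /[ia]/' || :
}

# 5. What actually came back: mtime, owner, mode and a hash. The same hash on
#    every reappearance means one fixed payload (a dropper), not a default
#    index written by some legitimate tool.
fingerprint() {
    stat -c '%y %U:%G %a %n' "$1"
    sha256sum "$1"
}

# Tie it together for one account: triage USER [MINUTES]
triage() {
    user=$1; minutes=${2:-10}
    home=/home/$user
    echo "## recent PHP files"; recent_php_files "$home" "$minutes"
    echo "## cron";             cron_for_user "$user"
    echo "## processes";        procs_for_user "$user"
    echo "## immutable files";  immutable_files "$home"
    if [ -f "$home/public_html/index.php" ]; then
        echo "## index.php"; fingerprint "$home/public_html/index.php"
    fi
    return 0
}

if [ $# -ge 1 ]; then triage "$@"; fi
```

Run it as `sh triage.sh <cpanel-user>` a minute or two after deleting the file. If the recent-files list is empty but the file is back, the writer runs on a schedule rather than continuously, which points at cron; if a process shows up with an elapsed time older than your deletion, that process is the thing to stop before cleaning again.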
Hi all,
I encountered the same issue: 2 strange .js files being created in certain parts of the cPanel File Manager directory:
public_html/wp-content/cache/min/3rd-party
public_html/wp-content/cache/min/1
We have installed Wordfence Premium, and it shows a 100% clean scan report; it doesn't even mark them as suspicious. Also on WHM as root, we scanned it using ImunifyAV and it gave the same clean report.
Sucuri also provided an OK report, but some of our clients see an error while opening the site on their secure networks.
We removed all plugins, downloaded fresh copies and uploaded them, removed the theme and uploaded a fresh copy. I refreshed the WordPress core, but the issue is the same: it creates two files with suspicious code.
On searching, we found that it is a virus called SocGholish, which is not detectable by antivirus programs.
I'm going to try ankeshanand's proposed solution; let's see if it works.
Kamran Shafi - I can confirm this isn't something that would be created by cPanel, so you would want to look into other options like what was mentioned above.
Thank you, @cPRex, for your response. I checked for file changes within the cPanel File Manager and found that this virus was injected into the "Active" theme's functions.php file.
Around 140 websites got hit, and not all are on the same cPanel; we have been hosting these websites with multiple hosting companies. On checking, we learned that the caching plugin caused this error. Only those websites without this plugin installed were safe. However, it was strange that Premium Wordfence and Sucuri didn't find any issue and marked it safe.
This code was added only to the "Active" theme's functions file. After removing this code, the site is clean, and Avast, McAfee and other AV/WebTrust checks are marking the website safe and secure.
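Since the injection above sat in the active theme's functions.php and the scanners passed it, a direct check of that one file across every theme is worth having. The script below is an added example, not code from this thread and not a Wordfence, Sucuri or cPanel feature. It assumes the standard wp-content/themes layout, POSIX sh with GNU grep, find, diff and stat, and a pristine copy of the theme (same version, downloaded fresh) to diff against. The pattern list is the example's own heuristic for obfuscated PHP loaders, not a signature for SocGholish or for the code the post describes.

```shell
#!/bin/sh
# Added example (not the thread's own code): triage of theme functions.php
# files, the file the post above reports as the injection point.
# Assumptions: WordPress layout DOCROOT/wp-content/themes/<theme>/functions.php,
# GNU grep/find/diff/stat, and a clean copy of the theme for comparison.

# Constructs a theme's functions.php almost never needs but injected loaders
# almost always use: eval-style execution, decode/decompress of a blob,
# hex-escaped strings, and "$var($arg)" variable function calls. Every hit
# must be reviewed by hand; this is a heuristic, not a verdict.
SUSPECT_RE='(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function|assert)[[:space:]]*\(|\\x[0-9a-fA-F]{2}\\x[0-9a-fA-F]{2}|\$[a-zA-Z_]+[[:space:]]*\([[:space:]]*\$'

# Print the functions.php of every theme under THEMES_DIR that matches.
scan_theme_functions() {
    themes_dir=$1
    find "$themes_dir" -mindepth 2 -maxdepth 2 -name functions.php \
        -exec grep -lE "$SUSPECT_RE" {} + 2>/dev/null | sort || :
}

# Show the offending lines of one file with line numbers; injected one-liners
# are often thousands of characters, so clip for readability.
show_hits() {
    grep -nE "$SUSPECT_RE" "$1" | cut -c1-160 || :
}

# Compare a live theme directory with a pristine copy of the same version.
# Anything reported as "differ" or "Only in" is what to inspect: a modified
# functions.php, or extra files dropped next to it.
diff_theme() {
    clean=$1; live=$2
    diff -rq "$clean" "$live" || :
}

# Modification time of each theme's functions.php. A file touched long after
# the theme was installed, on the same date across many sites, is a lead
# even when no pattern matches.
mtimes() {
    find "$1" -mindepth 2 -maxdepth 2 -name functions.php \
        -exec stat -c '%y %n' {} \; 2>/dev/null | sort
}

if [ $# -ge 1 ]; then
    echo "## suspicious functions.php"; scan_theme_functions "$1"
    echo "## functions.php mtimes";     mtimes "$1"
fi
```

Run it as `sh theme-check.sh /home/<user>/public_html/wp-content/themes` and follow up on each reported file with `show_hits` and, where a clean copy is available, `diff_theme`. A fresh copy of the same theme version is the only reliable reference: a scanner's "clean" verdict, as the post shows, is not.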
I'm glad you were able to get things cleaned up!
What caching plugin were you using on all of those sites that allowed that to happen? What version of the caching plugin was running on those servers?