Imunify AV malware scanner
Hello
After scanning with Imunify AV from cPanel I see 13 malware detections. So, now my question is: is it accurate that it recognized real malware or not? I do not know if I can erase those files if they are malware. Please check the attachment. Thanks
-
There are not supposed to be any PHP files in that directory; it should be safe to remove it. If you look at what is in that file you will most likely see typical malware. 0 -
Thanks, quietFinn, for answering me. Can you please check the screenshot again? I have updated it just now. So, in your opinion, should I delete only the last word of every infected file, for example meta.php, cphordem.php, etc., or do I need to remove the whole folder? Thanks again 0 -
Hey there! While the .cphorde/meta directory does exist inside /home/username, I would not expect it to be present inside the public_html directory. Normally this directory only contains the horde database files, and I'm not finding much online for the metap.php file. I'm guessing this is some type of malware content on the machine. I would examine the PHP file to see what is in there before deleting the content, but anything in public_html would not be related to the Horde files that cPanel uses on the machine. If you'd like to submit a ticket to our team we can check the PHP file for you. 0 -
Didn't notice it was in public_html directory o_O There seem to be a few folders that must not be in the public_html folder, but in the account's root folder. You should remove those folders. 0 -
You mean to remove those files from the public_html folder when I tick "Show hidden files", right? 0 -
The whole .cphorde would be a hidden file/directory since the "." is what makes it hidden. 0 -
When I tick "Show hidden files" then I see .cphorde outside of public_html and inside public_html. And when I untick "Show hidden files" I can't see .cphorde (which is normal). 0 -
In the picture you posted there are folders public_html/.cphorde & public_html/.cpanel, remove those folders. 0 -
^ That sounds correct to me. 0 -
OK, thanks. Now I have erased the .cphorde and .cpanel folders from public_html. Please check the screenshot again to see what more I need to remove from public_html. (Just to mention, I made the screenshot with "Show hidden files" ticked.) 0 -
That looks more normal to me, although I'm not sure what the "imh" directory is. It could be something unique to your environment, but I don't see that on a standard cPanel system. 0 -
That's right, cPRex, "imh" is a strange folder, hm... I will delete it too, and if something goes wrong I will restore it from the trash. What do you think? 0 -
You can always create an account backup too before you delete files, but it doesn't hurt to examine the files in there before removal. 0 -
Now the scanner is showing that there are no infected files (Error, file not found) after removing them. Now I am wondering if you can check the screenshot again, but this one is outside public_html, and if you can tell me whether it is OK for those folders to stay outside public_html, or whether this is maybe injected as malware too? (Maybe the scanner can't detect malware outside of public_html) 0 -
The only files placed in public_html by cPanel when an account is created are the following:

[root@host public_html]# ll
total 48K
drwxr-x---.  3 cptest cptest 4.0K Jan 28 17:30 .
drwx--x--x. 11 cptest cptest 4.0K Jan 28 17:30 ..
-rw-r--r--.  1 cptest cptest  229 Jan 28 17:30 400.shtml
-rw-r--r--.  1 cptest cptest  207 Jan 28 17:30 401.shtml
-rw-r--r--.  1 cptest cptest  203 Jan 28 17:30 403.shtml
-rw-r--r--.  1 cptest cptest  204 Jan 28 17:30 404.shtml
-rw-r--r--.  1 cptest cptest  216 Jan 28 17:30 413.shtml
-rw-r--r--.  1 cptest cptest  243 Jan 28 17:30 500.shtml
drwxr-xr-x.  2 cptest cptest 4.0K Jan 28 17:30 cgi-bin
-rw-r--r--.  1 cptest cptest  11K Jan 28 17:30 cp_errordocument.shtml

Anything else is either from your website software, or was manually put there by a user. 0 -
It is clear to me what public_html looks like by default. But we are talking here about when "Show hidden files" is ticked :) For now, according to the scanner, the files are removed. Now I will see what happens, whether the malware appears again or not. Btw, thanks for the great and amazing support. I really appreciate your help. 0 -
That *is* with show hidden files - we don't put anything else inside public_html by default other than what I listed. 0
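
Added example, not part of any post in the thread and not cPanel's own tooling: a read-only shell check that lists what sits in a public_html directory beyond the default entries quoted above, and any PHP files under hidden directories such as the public_html/.cphorde and public_html/.cpanel folders discussed. The function names and the command-line path are assumptions; an entry being non-default only means it came from website software or a user, so it still needs to be examined.

```sh
#!/bin/sh
# Added example: compare a public_html directory with the default cPanel
# layout quoted in the thread. Read-only; nothing is deleted.

# Entries cPanel creates in public_html, taken from the listing in the thread.
CPANEL_DEFAULTS="400.shtml 401.shtml 403.shtml 404.shtml 413.shtml 500.shtml cgi-bin cp_errordocument.shtml"

# Print every top-level entry, hidden ones included, that is not a default.
list_non_default() (
    dir=$1
    # The three globs cover visible and dot-prefixed names but skip . and ..
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # unmatched glob
        name=${path##*/}
        case " $CPANEL_DEFAULTS " in
            *" $name "*) ;;                            # expected entry
            *) printf '%s\n' "$name" ;;
        esac
    done | LC_ALL=C sort
)

# Print PHP files located under any dot-directory, such as the
# public_html/.cphorde/meta/*.php files the scanner reported.
list_hidden_php() (
    cd "$1" || exit 1
    find . -type f -iname '*.php' -path '*/.?*/*' | sed 's|^\./||' | LC_ALL=C sort
)

# Stand-alone use: sh audit.sh /home/USERNAME/public_html  (placeholder path)
if [ -n "${1:-}" ]; then
    echo "Entries not created by cPanel:"
    list_non_default "$1"
    echo "PHP files under hidden directories:"
    list_hidden_php "$1"
fi
```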