.suspected file
Hi All,
I am facing an issue with one file on my server. The file is getting renamed automatically to filename.php.suspected. I renamed the file back to the original, but it gets renamed to .suspected again almost daily.
The Maldetect scanner and ClamAV are installed on the server, but nothing shows up in their logs. I have gone through almost every setting on the server but have not found how the file is getting renamed with the extension ".suspected".
Can anyone please help me?
The thread infopro linked is relevant. It's not maldet or clamav doing the renaming, it's the actual malware on the site. Until you get to the bottom of it (or rebuild your site) it's not going to go away.
Hello, I did the malware scan using multiple tools but found no infection or malware in the files. Is there any other reason for this?
Hello, you may want to consider backing up WordPress and then reinstalling/restoring a new copy: WordPress Backups - WordPress Codex. Thank you.
This malware is very dynamic, and often evades tools like clamscan or maldet (clamscan sometimes finds parts of it but not all). When in doubt, follow the advice of cPanelMichael above: back up your database and media files, and reinstall WordPress.
Thank you cPanelMichael & quizknows. But unfortunately it is not a WordPress site; it is a custom PHP application. I have also downloaded all the files to my computer and scanned them with anti-virus, but no luck :( The file is getting renamed to .suspected every day.
You may need to consult with a qualified system administrator if it's a custom script and you are unable to determine what causes this to keep happening. You can find a list of system administration services at: System Administration Services. Thank you.
You need to keep an eye on the domain access logs. Get the modify and change times of the file (use the "stat" command) before you do anything with it. Compare the change and modified times of the .suspected file with your Apache access logs for the domain. You should find suspect POST requests to whatever file holds the backdoor that is being used to change the other file(s). You may have to repeat this process a few times to find all of the infected files.
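The correlation step described in the post above, as an added example that is not part of the thread: take the file's inode change time (the "Change" line in stat output, which a rename updates), then list every POST request in the access log that landed within a short window of it. The log lines below are constructed in Apache "combined" format, the paths and addresses are made up, and the window size is an arbitrary assumption; on a real server you would pass the .suspected file and the domain's access log on the command line.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines in Apache "combined" format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2016:03:14:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2016:03:15:41 +0000] "POST /images/cache.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2016:03:15:45 +0000] "GET /lib/tcpdf.php HTTP/1.1" 404 210 "-" "curl/7.47.0"
198.51.100.23 - - [12/Mar/2016:09:30:11 +0000] "POST /contact.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""
# Constructed "Change" time of the renamed file, a few seconds before the sample POST.
SAMPLE_CHANGE_TIME = datetime(2016, 3, 12, 3, 15, 40, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def file_change_time(path):
    """Inode change time (what `stat` prints as Change) as an aware UTC datetime.
    A rename updates ctime, so this is the timestamp to match against the log."""
    return datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)


def suspect_requests(log_text, change_time, window_seconds=120, methods=("POST",)):
    """Requests using one of `methods` within +/- window_seconds of change_time.
    Log timestamps carry their own UTC offset, so the comparison is zone-safe."""
    lo = change_time - timedelta(seconds=window_seconds)
    hi = change_time + timedelta(seconds=window_seconds)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] in methods and lo <= rec["ts"] <= hi:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    import sys
    # Usage: script.py /path/to/file.php.suspected /path/to/access_log
    # With no arguments, run against the constructed sample data instead.
    if len(sys.argv) == 3:
        when = file_change_time(sys.argv[1])
        with open(sys.argv[2], errors="replace") as f:
            text = f.read()
    else:
        when, text = SAMPLE_CHANGE_TIME, SAMPLE_LOG
    for hit in suspect_requests(text, when):
        print(hit["ts"].isoformat(), hit["ip"], hit["method"], hit["path"], hit["status"])
```

On the sample data the only request in the window is the POST to /images/cache.php, which is the kind of hit the post says to look for: a script nobody should be posting to, answering 200 with an empty body. Widen the window or include GET if nothing turns up, since a backdoor can also be driven through query strings, and repeat the run against the next rename; the backdoor that performs the rename is usually not the file being renamed.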
Thanks, I will check the access logs and investigate further.
Hi all, I have gone through each and every possibility on the server, the website scripts and the databases, but found nothing that is renaming the file to .suspected. I think I will have to re-create my website. If anybody still has the same issue and knows the resolution, please help me.
At this point if you are unable to track it down, recreating the site is your best option unless you want to hire someone to investigate the infection. Personally I'd just rebuild the site.
What I did, having the same issue with tcpdf.php.suspected: I set up a cron job and copied a clean file into the directory every so many minutes, then I searched for the culprit until I found the malware/hacker files and removed them. The thing that caught my attention was that the directory and the files did NOT have any permissions on them. They were locked down with a sticky bit and were difficult to remove, but I did remove them, and I'm still looking for the way he got in. I found some info that he is from Nigeria and he focused on being a bank trying to get USA money.
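The stopgap in the last post, as an added example that is not code from the thread: a job you can run from cron that puts a known-good copy back whenever the deployed file is missing, renamed, or changed. Two details matter for the investigation rather than just the symptom, so the example handles them: a renamed `.suspected` copy is moved into an evidence directory instead of being deleted, so its stat times survive for matching against the access logs, and a helper lists entries under the web root with the sticky bit set, the oddity the poster noticed. All paths are hypothetical, `demo()` builds the whole scenario in a temporary directory so the block runs without a real site, and the comparison uses SHA-256 of a reference copy you keep outside the web root.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_and_restore(deployed, reference, evidence_dir):
    """Compare the deployed file with a known-good copy and put it back if needed.

    Returns (quarantined, restored). A `<file>.suspected` copy is moved into
    evidence_dir with its ctime in the name (shutil.move renames when both are on
    the same filesystem, so the inode's stat times are kept) rather than deleted."""
    os.makedirs(evidence_dir, exist_ok=True)
    suspected = deployed + ".suspected"
    quarantined = False
    if os.path.exists(suspected):
        ctime = int(os.stat(suspected).st_ctime)
        dest = os.path.join(evidence_dir, f"{os.path.basename(suspected)}.{ctime}")
        shutil.move(suspected, dest)
        quarantined = True
    restored = False
    if not os.path.exists(deployed) or sha256_of(deployed) != sha256_of(reference):
        shutil.copy2(reference, deployed)   # copy2 keeps the reference's mode and mtime
        restored = True
    return quarantined, restored


def sticky_entries(root):
    """Paths under root (files or directories) with the sticky bit set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if os.lstat(p).st_mode & stat.S_ISVTX:
                found.append(p)
    return sorted(found)


def demo():
    """Run the scenario in a temporary tree (all constructed); returns what was observed."""
    root = tempfile.mkdtemp()
    try:
        ref = os.path.join(root, "clean", "tcpdf.php")          # hypothetical reference copy
        os.makedirs(os.path.dirname(ref))
        with open(ref, "w") as f:
            f.write("<?php // clean reference copy (constructed)\n")
        web = os.path.join(root, "public_html")                 # hypothetical web root
        os.makedirs(web)
        deployed = os.path.join(web, "tcpdf.php")
        evidence = os.path.join(root, "evidence")
        results = []
        results.append(check_and_restore(deployed, ref, evidence))  # missing: (False, True)
        results.append(check_and_restore(deployed, ref, evidence))  # intact:  (False, False)
        os.rename(deployed, deployed + ".suspected")                # simulate the rename
        results.append(check_and_restore(deployed, ref, evidence))  # (True, True)
        with open(deployed, "a") as f:
            f.write("// tampered (constructed)\n")                  # simulate modification
        results.append(check_and_restore(deployed, ref, evidence))  # (False, True)
        os.chmod(web, 0o1755)                                       # sticky bit on the dir
        results.append(sticky_entries(root) == [web])
        results.append(len(os.listdir(evidence)))                   # one quarantined copy
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Run it from cron every few minutes with the real paths substituted for the hypothetical ones. It only buys time: the backdoor that renames the file is still on the box, and the evidence directory's timestamps are what you feed into the access-log search from the earlier post. Note that the sticky bit the poster describes does not by itself prevent deletion by the file's owner; if `rm` fails as the owning user, check for the immutable attribute as well (`lsattr`), which is a separate flag.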