"php.generic.malware" issue?

7 posts by 4 authors in: Forums > CMS Builder
Last Post: August 14, 2017

Hi, All.

My client just received the following email from their host. Have any of you come across anything similar? Any suggestions for how to deal with it, please?

I should point out that the site was created in 2011 and the CMS/templates haven't been touched since then. Some of the files referred to are specific to this website, but "php.generic.malware" seems to be a common issue on the list. Also, some of the files - indicated in red - are not part of CMSB, nor were they created by me or the client. I've deleted these from the server and that hasn't affected the performance of the site.

====

This is a courtesy email to inform you of infected website files under domain nithvalley.com. Netflash recommends the injected files be removed and/or replaced with clean originals. From past contact I understand Nithvalley uses a 3rd party web developer; you may want to forward them this information.

FILE HIT LIST:

{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/portfolio-commercialDetails.php
{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/data/schema/other_projects.ini.php
{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/data/schema/services.ini.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/uploads/thumb2/files.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/uploads/thumb4/db76.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/lib/languages/menu57.php
{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/lib/fieldtypes/parentCategory.php
{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/blogDetails.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/commercial/start32.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/institutional/proxy3.php
{HEX}php.base64.v23au.186 : /var/www/vhosts/nithvalley.com/httpdocs/_notes/help.php
{HEX}php.base64.v23au.186 : /var/www/vhosts/nithvalley.com/httpdocs/_mm/ct3beta/messaging/start13.php

====

By ross - February 6, 2017

Hi there.

What I recommend first is having a read through this document on our site:

http://www.interactivetools.com/docs/cmsbuilder/how_to_restore_hacked_sites.html

It will go over different options on how to clean up an infected site.

I also recommend having a look at this Add-on:

http://www.interactivetools.com/add-ons/exploit-scanner/

It's a script you can use to find any infected file on your server.

Keep us up to date with how you are making out. 

Feel free to email me directly via consulting@interactivetools.com if you need a hand with any of this.

Thanks!

-----------------------------------------------------------
Cheers,
Ross Fairbairn - Consulting
consulting@interactivetools.com

Hire me! Save time by getting our experts to help with your project.
Template changes, advanced features, full integration, whatever you
need. Whether you need one hour or fifty, get it done fast with
Priority Consulting: http://www.interactivetools.com/consulting/

By ross - February 15, 2017

Hi there.

The plugin itself doesn't actually do any protecting.

What the plugin does is scan every file on your server looking for any malicious code. The plugin will let you know the full path to any file that seems to be infected, and you can then manually clean, remove or replace the file yourself.

Specifically with a trojan, I suspect the scanner will find the original file for you so it can be deleted.

Does that make sense?

Let me know any questions.

Thanks!

-----------------------------------------------------------
Cheers,
Ross Fairbairn - Consulting
consulting@interactivetools.com

Ah, gotcha.

Thanks!

By celuch - August 11, 2017

I have also received several "possible malware" notices from GoDaddy in the last months, and in more than one case, it listed these files:

html/CMS/lib/login_functions.php

html/CMS/lib/menus/default/common.php

They appear to be normal files, but might there be an issue with them? They are all on older, untouched sites, one of them running V2.50.

If this is an issue I'll recommend updating the CMS on both.

Thanks!

celuch

By Dave - August 14, 2017

Hi celuch, 

Sometimes what malware does is modify the code in existing files without changing the modified date. A couple of things you could try:

Hope that helps!

Dave Edis - Senior Developer
interactivetools.com
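As an added illustration of the two points made in this thread (Ross's note that a scanner only finds suspicious files for you to clean by hand, and Dave's warning that injected code can leave the modified date untouched), here is a small Python scanner. It is example code written for this page, not the CMS Builder Exploit Scanner add-on and not anything from interactivetools.com. It combines three checks that do not depend on mtime at all: content signatures typical of injected PHP (eval, base64_decode and friends, consistent with the "php.base64" tag in the hit list above), PHP files sitting under an uploads directory (as thumb2/files.php and thumb4/db76.php do in the hit list), and a SHA-256 comparison against a known-clean copy of the same CMS version. The demo tree, the injected stub and the file names inside demo() are constructed for the example; the only page-derived names are login_functions.php and the uploads/thumb2/files.php path.

```python
"""Offline demo of a file-based PHP malware check: content signatures plus a
hash comparison against a known-clean copy. Added example, not CMS Builder code."""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Content signatures typical of injected PHP. Each entry: (compiled regex, label).
# These are heuristics: a hit is something to inspect, not proof of infection.
SIGNATURES = [
    (re.compile(rb"\beval\s*\("), "eval() call"),
    (re.compile(rb"\bbase64_decode\s*\("), "base64_decode() call"),
    (re.compile(rb"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("), "payload decoding call"),
    (re.compile(rb"[A-Za-z0-9+/]{120,}={0,2}"), "long base64-looking literal"),
    (re.compile(rb"(?:\\x[0-9a-fA-F]{2}){6,}"), "hex-escaped string"),
]
PHP_SUFFIXES = {".php", ".phtml", ".php5"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> Dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def scan_tree(site_root: Path, clean_root: Optional[Path] = None) -> List[Tuple[str, str]]:
    """Return (relative_path, reason) findings for site_root.

    None of the checks consults the modification time, because an injection can
    rewrite a file and then restore its old mtime:
      1. content signatures (SIGNATURES) in any PHP file;
      2. a PHP file under an 'uploads' directory, which a CMS should never need;
      3. with clean_root given, any file whose hash differs from the clean copy,
         or that has no counterpart in the clean copy at all.
    """
    findings: List[Tuple[str, str]] = []
    clean = manifest(clean_root) if clean_root else {}
    for path in sorted(p for p in site_root.rglob("*") if p.is_file()):
        rel_path = path.relative_to(site_root)
        rel = rel_path.as_posix()
        if path.suffix.lower() in PHP_SUFFIXES:
            data = path.read_bytes()
            for rx, label in SIGNATURES:
                if rx.search(data):
                    findings.append((rel, f"signature: {label}"))
            if "uploads" in rel_path.parts[:-1]:
                findings.append((rel, "php file inside an uploads directory"))
        if clean:
            if rel not in clean:
                findings.append((rel, "not present in clean copy"))
            elif clean[rel] != sha256_of(path):
                findings.append((rel, "content differs from clean copy"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a constructed clean tree and an 'infected' copy, then scan the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            (root / "cmsAdmin/lib").mkdir(parents=True)
            (root / "cmsAdmin/uploads/thumb2").mkdir(parents=True)
            (root / "index.php").write_bytes(b"<?php echo 'home'; ?>\n")
            (root / "cmsAdmin/lib/login_functions.php").write_bytes(
                b"<?php function loginCheck() { return true; }\n")
        # Constructed injection: a decoder stub is prepended to an existing file and
        # the old mtime is put back, so a "recently modified" check would miss it.
        target = site / "cmsAdmin/lib/login_functions.php"
        before = target.stat()
        body = target.read_bytes()
        target.write_bytes(b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n" + body)
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        # Constructed dropper in an uploads directory (mirrors thumb2/files.php above).
        (site / "cmsAdmin/uploads/thumb2/files.php").write_bytes(b"<?php echo 'x'; ?>\n")
        return scan_tree(site, clean)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

On a real site, point scan_tree at the web root and at a fresh download of the same CMS version for clean_root; files that differ from the clean copy but carry no signature hit (a customised template, for instance) still need a manual diff, since hash comparison only says "changed", not "malicious". As Ross says above, the scanner's job ends at the list; cleaning, replacing, and then updating the CMS is still done by hand.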