"php.generic.malware" issue?
7 posts by 4 authors in: Forums > CMS Builder
Last Post: August 14, 2017 (RSS)
Hi, All.
My client just received the following email from their host. Have any of you come across anything similar? Any suggestions for how to deal with it, please?
I should point out that the site was created in 2011 and the CMS/templates haven't been touched since then. Some of the files referred to are specific to this website, but "php.generic.malware" seems to be a common issue on the list. Also, some of the files - indicated in red - are not part of CMSB, nor were they created by me or the client. I've deleted these from the server and that hasn't affected the performance of the site.
====
This is a courtesy email to inform you of infected website files under domain nithvalley.com. Netflash recommends the injected files be removed and/or replaced with clean originals. From past contact I understand Nithvalley uses a 3rd party web developer; you may want to forward them this information.
FILE HIT LIST:
{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/portfolio-commercialDetails.php
{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/data/schema/other_projects.ini.php
{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/data/schema/services.ini.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/uploads/thumb2/files.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/uploads/thumb4/db76.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/lib/languages/menu57.php
{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/lib/fieldtypes/parentCategory.php
{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/blogDetails.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/commercial/start32.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/institutional/proxy3.php
{HEX}php.base64.v23au.186 : /var/www/vhosts/nithvalley.com/httpdocs/_notes/help.php
{HEX}php.base64.v23au.186 : /var/www/vhosts/nithvalley.com/httpdocs/_mm/ct3beta/messaging/start13.php
====
By ross - February 6, 2017
Hi there.
What I recommend first is having a read through this document on our site:
http://www.interactivetools.com/docs/cmsbuilder/how_to_restore_hacked_sites.html
It will go over different options on how to clean up an infected site.
I also recommend having a look at this Add-on:
http://www.interactivetools.com/add-ons/exploit-scanner/
It's a script you can use to find any infected file on your server.
Keep us up to date with how you are making out.
Feel free to email me directly via consulting@interactivetools.com if you need a hand with any of this.
Thanks!
Cheers,
Ross Fairbairn - Consulting
consulting@interactivetools.com
Hire me! Save time by getting our experts to help with your project.
Template changes, advanced features, full integration, whatever you
need. Whether you need one hour or fifty, get it done fast with
Priority Consulting: http://www.interactivetools.com/consulting/
Hi, Ross.
Would this plugin protect against Trojan horse viruses that have already affected site files on the server?
By ross - February 15, 2017
Hi there.
The plugin itself doesn't actually do any protecting.
What the plugin does is scan every file on your server looking for any malicious code. The plugin will let you know the full path to any file that seems to be infected, and you then manually clean, remove or replace the file yourself.
Specifically with a trojan, I suspect the scanner will find the original file for you so it can be deleted.
Does that make sense?
Let me know any questions.
Thanks!
Cheers,
Ross Fairbairn - Consulting
consulting@interactivetools.com
By celuch - August 11, 2017
I have also received several "possible malware" notices from GoDaddy in the last few months, and in more than one case they listed these files:
html/CMS/lib/login_functions.php
html/CMS/lib/menus/default/common.php
They appear to be normal files, but might there be an issue with them? They are all on older, untouched sites, one of them running V2.50.
If this is an issue I'll recommend updating the CMS on both.
Thanks!
By Dave - August 14, 2017
Hi celuch,
Sometimes what malware does is modify the code in existing files without changing the modified date. A couple of things you could try:
- Compare the files to the original versions from your local dev server or the original zip
- Upgrade the CMS to the latest version
- Use our exploit scanner add-on to check for exploits: https://www.interactivetools.com/add-ons/exploit-scanner/
Hope that helps!
interactivetools.com
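Dave's first suggestion (compare the live files against a clean copy from your dev server or the original zip) and his warning that tampered files may keep their original modified date are easy to automate. The script below is an added example written for this thread, not part of CMS Builder or the exploit-scanner add-on. It hashes every file in a known-good tree and in the live tree, reports files that differ, files present only on the server (for example a .php file that appeared under uploads/), and files that are missing, and separately flags any PHP file living under a directory named uploads, since an upload folder should never contain executable code. The demo trees, file names and contents are constructed for illustration; the directory layout only loosely mirrors the paths quoted above.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions that a web server will execute as PHP; a file with one of these
# under an uploads/ directory deserves a look regardless of its hash.
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, live_root):
    """Diff a known-good tree against the live site by content, not by date."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "modified": sorted(k for k in clean if k in live and clean[k] != live[k]),
        "added": sorted(k for k in live if k not in clean),
        "missing": sorted(k for k in clean if k not in live),
    }


def php_in_upload_dirs(root):
    """List PHP-executable files that sit anywhere below a directory named 'uploads'."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in PHP_SUFFIXES
                  and "uploads" in p.relative_to(root).parts[:-1])


def same_mtime(clean_root, live_root, rel):
    """True if the clean and live copies of rel carry the same modification time."""
    a = os.stat(Path(clean_root) / rel).st_mtime_ns
    b = os.stat(Path(live_root) / rel).st_mtime_ns
    return a == b


def build_demo_trees():
    """Construct a clean tree and a tampered live tree in a temp directory.

    The live copy of one library file gets an extra line, then its timestamp is
    copied back from the clean file so a date-based check would not notice it,
    and a stray PHP file is dropped under uploads/. All content is made up.
    """
    base = Path(tempfile.mkdtemp(prefix="cmsb_demo_"))
    clean, live = base / "clean", base / "live"
    originals = {
        "lib/login_functions.php": "<?php\nfunction loginCheck() { return true; }\n",
        "lib/menus/default/common.php": "<?php\n// common menu code (constructed)\n",
        "index.php": "<?php\nrequire 'lib/login_functions.php';\n",
    }
    for rel, body in originals.items():
        for root in (clean, live):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Tamper with the live copy, then restore the original timestamp.
    tampered = live / "lib/login_functions.php"
    tampered.write_text(originals["lib/login_functions.php"]
                        + "// extra line added in the live copy (constructed)\n")
    st = os.stat(clean / "lib/login_functions.php")
    os.utime(tampered, ns=(st.st_atime_ns, st.st_mtime_ns))
    # A PHP file that exists only on the server, under the upload folder.
    extra = live / "uploads/thumb2/files.php"
    extra.parent.mkdir(parents=True, exist_ok=True)
    extra.write_text("<?php\n// file not present in the clean tree (constructed)\n")
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_demo_trees()
    report = compare_trees(clean_dir, live_dir)
    for kind, files in report.items():
        print(f"{kind}: {files}")
    print("php under uploads/:", php_in_upload_dirs(live_dir))
    print("mtime unchanged on tampered file:",
          same_mtime(clean_dir, live_dir, "lib/login_functions.php"))
```

To use it on a real site, point compare_trees at the unpacked original zip and at a copy of httpdocs pulled down from the server. Expect files under cmsAdmin/data/ to differ legitimately, since the CMS writes schema and settings there; review those by hand rather than blindly restoring them, and treat differences in lib/ or in the site's own template files, plus any file in the added list, as the ones to inspect or replace.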