Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Can not upload zip files - Virus detected

Discussion in 'User Experience' started by musioc, Dec 25, 2016.

  1. musioc

    musioc Well-Known Member

    Joined:
    Aug 4, 2011
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    66
    Hello dears
    Merry Christmas :)

    I can not upload this file via cpanel file manager
    Error:
    I checked file , Many antivirus marked it as OK, No virus detected.
    This problem occurs for other servers and also other zip files.
    When I unzip files and upload one by one, cpanel upload them without any issue.

    This is the zip file: - Removed -
    We use cloudlinux 6.x and 7.x x86_64 with latest cpanel/whm (release) version
    I have root access

    Regards
     
    #1 musioc, Dec 25, 2016
    Last edited by a moderator: Dec 25, 2016
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    334
    Likes Received:
    95
    Trophy Points:
    28
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Clamscan of your file vendor.zip results in :
    Code:
    # clamscan -ia ~/vendor.zip
    ~/vendor.zip!ZIP:vendor/phpdocumentor/type-resolver/phpmd.xml.dist!...!(72)ZIP:vendor/symfony/console/Resources/bin/hiddeninput.exe: Win.Trojan.Toa-5372190-0 FOUND
    ~/vendor.zip: Win.Trojan.Toa-5372190-0 FOUND
    
    ----------- SCAN SUMMARY -----------
    Known viruses: 5389274
    Engine version: 0.99.2
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 9.09 MB
    Data read: 7.87 MB (ratio 1.16:1)
    Time: 15.690 sec (0 m 15 s)
    After unzipping (on a linux box) the resulting clamscan shows:
    Code:
    # clamscan -ir ~/vendor
    
    ----------- SCAN SUMMARY -----------
    Known viruses: 5389274
    Engine version: 0.99.2
    Scanned directories: 1061
    Scanned files: 5198
    Infected files: 0
    Data scanned: 28.16 MB
    Data read: 16.57 MB (ratio 1.70:1)
    Time: 17.367 sec (0 m 17 s)
    .... so I have to wonder if there is anything in the zip that is detecting the environment and only triggering the exploit file if it is unzipped or loaded on a windows box.

    Of course, there is always the possibility that the ClamAV result is a false positive, but there again, there is always the possibility that it is detecting something no one else is !

    Personally, it was my server, I would always go with the safe option .... if an antivirus showed a zip as having malware embedded within it, I would either destroy the zip, or if I had no choice but to use it, I would take every measure I could to disinfect it before deploying it.
     
    #2 rpvw, Dec 25, 2016
    Last edited: Dec 26, 2016
    cPanelMichael and Infopro like this.
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @musioc,

    I concur with the previous post, however could you elaborate a little more on the quote above? Is this happening for every zip file, or only zip files that produce similar results with the clamscan command referenced in the previous response?

    Thank you.
     
Loading...

Share This Page