Can't delete infected file

makosa2018 (Registered, Sep 2, 2018, Kenya; cPanel Access Level: Root Administrator)
I have a file index.php infected with the @eval(base64_decode virus. The file permissions are 444 and changing them from cPanel or with chmod doesn't work. The permissions revert back to 444 read-only.
Deleting the file from cPanel or with rm -rf doesn't work either. After a refresh the file is still there. How can you guys help me? I can't install Joomla (the index.php file is a WordPress one).

Why can't I delete the file even as root (it comes back)? NB: the file is not immutable.

Last modification date is Jul 29, 2017 and this date doesn't change.

If I upload a new index.php file it gets overwritten by this crazy virus. Someone help me before I die of frustration.

rpvw (Well-Known Member, Jul 18, 2013, UK; cPanel Access Level: Root Administrator)
The following needs to be run by the root user.

Use lsattr -d on the folder containing your index.php file to test whether the folder itself has the -a or -i flag set, which you will have to remove first.

Once you have the folder clear, use lsattr to test the file itself for the presence of an a or i flag.

You can then remove the flag with chattr, e.g.:
# chattr -i [filename]
# chattr -a [filename]
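The same checks as a bash script, added here as an example (it is not from rpvw's post and not a cPanel tool): it reads the lsattr attribute field for the parent directory and then for the file, and runs chattr -ia only where the a or i flag is actually present. It assumes GNU lsattr/chattr from e2fsprogs on an ext2/3/4 filesystem and must run as root; the helper names flags_locked, lsattr_field and unlock_path are chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check and clear append-only/immutable
# attributes on a file and its parent directory. Assumes GNU lsattr/chattr
# (e2fsprogs) on an ext2/3/4 filesystem and must be run as root.

# lsattr prints an attribute field such as "----i---------e-------" before the
# path. Lowercase 'i' is immutable and lowercase 'a' is append-only; the
# always-present 'e' (extents) and uppercase flags are ignored.
flags_locked() {
  case "$1" in
    *i*|*a*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Print the attribute field for a path: -d so a directory reports its own
# flags instead of listing its contents.
lsattr_field() {
  if [ -d "$1" ]; then
    lsattr -d "$1" | awk '{print $1}'
  else
    lsattr "$1" | awk '{print $1}'
  fi
}

# Clear a/i on the parent directory first (an immutable or append-only
# directory blocks unlink of its entries even for root), then on the file.
unlock_path() {
  local file="$1" dir p field
  dir=$(dirname "$file")
  for p in "$dir" "$file"; do
    field=$(lsattr_field "$p") || return 1
    if flags_locked "$field"; then
      echo "clearing a/i on $p ($field)"
      chattr -ia "$p"
    else
      echo "no a/i attribute on $p ($field)"
    fi
  done
}

# Usage (as root): unlock_path /home/user/public_html/index.php
```

If unlock_path reports no a/i attribute on either path and the file still reappears after rm, the attributes were never the problem and something is recreating the file, which is the case the next reply covers.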

rpvw (Well-Known Member, Jul 18, 2013, UK; cPanel Access Level: Root Administrator)
If neither the containing folder nor the file has attributes set, you may have a bigger problem.

That would seem to indicate that you are successfully deleting the file, but something is then immediately regenerating it.

You might have to start a server wide forensic investigation as to what keeps regenerating this file, and how it got into the server, and how it might be removed.

Good luck.

cPanelLauren (Product Owner, Staff member, Nov 14, 2017, Houston)
Hi @makosa2018

I'm glad to hear you were able to resolve the issue. I would still recommend doing a full security audit on the files/folders located within the user's home directory, as suggested by @rpvw.

Thanks!

Ian Jackson (Registered, Oct 13, 2018, Ireland; cPanel Access Level: Website Owner)
Hi there. I have the same issue with my site. My index.php contains the base64 string with 444 permissions, and each time I try to delete/edit the file it just reverts back to the infected version.

I am really curious how this could be regenerating itself. I figured maybe there was another file elsewhere which was being accessed every few seconds and would create the index file, but I tried blocking access to the site with .htaccess and am still unable to delete the file.

I have checked all other files and removed anything unnecessary, so I am fairly certain this last file is the only one remaining.

Does anyone know what could be causing this? Also, I do not see an option to change the user account name.

cPanelLauren (Product Owner, Staff member, Nov 14, 2017, Houston)
Hi @Ian Jackson

If it continues to come back after you've removed it, you have not removed the source of the infection. If you're using a CMS, I would suggest removing all plugins/themes/components etc. that aren't being used or are potentially vulnerable. You may also want to look at using a malware scanner like ClamAV or Linux Malware Detect. Ultimately, if you're unable to identify the source, you may also want to contact your provider for assistance and/or enlist the assistance of a qualified system administrator. If you don't have one you might find one here: System Administration Services | cPanel Forums

Thanks!

Julianno Nogueira (Registered, Apr 20, 2018, Brazil; cPanel Access Level: DataCenter Provider)
Hello all, I know this is a bit of an old thread, but I see that there was never a reply that really resolved the issue. This issue is caused by "web designers" who use nulled themes or cracked plugins inside WordPress. There is no free lunch.

As a system admin, I have seen this issue before and can confirm this is a "virus automation" from an infected WordPress website (admin part). I also removed it without clearing the entire account, but I can say the website is infected and needs to be entirely deleted/replaced, along with some other folders/files.

IMPORTANT - If you don't have backups, it's hard, but you have lost your website, and the e-mails inside your "mail" folder are at risk.

To resolve this issue:

1- List all .php files inside /home/domain/ "forward". For that, use as root or in the terminal: find . -type f -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort

2- Temporarily suspend the account from WHM. As the automation is "running" in server memory, it will not stop by itself and will rebuild the index.php file (and its subfiles in other folders) any time you try to delete it.

3- With the account suspended, as root (SSH) or in WHM, access the terminal (or the File Manager in cPanel, via WHM) and delete all .php files related to these folders (including the entire WordPress website files):
- PHP inside folders: /tmp (and its subfolders) and .trash
- From public_html, finally delete the index.php file and all WordPress website files (literally).

4- Restore the website database in phpMyAdmin (the website/WordPress .sql file) from a good backup.

5- Remove the domain suspension in WHM and bring the domain up again.

6- Put the new (or backed-up) WordPress files back in public_html.

7- Enter your website (wp-admin) and review your themes/plugins. If your website was made with cracked/nulled themes or plugins, you'll get infected again soon.


I hope it helps! Cheers!