Cant delete infected htaccess file

smeko

Member
Feb 17, 2020
23
2
3
Tirane, Albania
cPanel Access Level
Root Administrator
Hi all,

I have a web hosting shared server and while i was scanning the users for any infected file using imunifyAV i noticed one htaccess file is infected.

I tried deleting this file but when i rescan this user i see that this file exist yet, even though it was deleted before. It seem like it is generated from another script maybe.
The script within this infected htaccess file is as below:

Options FollowSymLinks MultiViews Indexes ExecCGI

AddType application/x-httpd-cgi .cl4

AddHandler cgi-script .cl4
AddHandler cgi-script .cl4

I tried changin the premissions of this file and delete it again but it didnt work.

Hope you will help me handling this.

Thanks

Silvi
 
Last edited by a moderator:

kodeslogic

Well-Known Member
Apr 26, 2020
191
57
103
IN
cPanel Access Level
Root Administrator
Have you confirmed with your hosting provider that the htaccess file has the correct ownership, if you are using the shred using?

If you have root access to the server then you should make sure that the ownership of the htaccess file is the username of the cPanel account.
 
  • Like
Reactions: cPRex

smeko

Member
Feb 17, 2020
23
2
3
Tirane, Albania
cPanel Access Level
Root Administrator
Hi again,

I checked that the owner is the cpanel user frow which im trying to delete this file:
Output as below:
-rw-rw-r-- 1 username username 153 Dec 11 2013 .htaccess

So why i dont have access anyway

Silvi
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
3,236
404
243
cPanel Access Level
Root Administrator
If that is the correct cPanel username I would expect you to be able to manipulate that file. It's possible there are special permissions on that file and you could check that by running this:

Code:
lsattr .htaccess
One interesting thing I found is that .cl4 files are data files created and handled by the Easy CD Creator software tool, which primarily gets used in Windows. I wouldn't expect that to be found on a Linux server, and it's definitely not something I'd expect to be created by default.

You mentioned you are the admin - do you have root access to WHM or only access to the one user on the machine? If you have root access to the entire system, you're always welcome to submit a support ticket to our team so we can take a look. If not, speaking with your hosting provider about this would be the best way to get more details on what may be happening.