File type changed to php.suspected?

lahmar amine

Sep 12, 2018
cPanel Access Level
Website Owner
For the last 4 days we have been facing a strange issue on our Production server (AWS EC2 instance), specific to only one site, which is SugarCRM.

The issue is that the file /home/site_folder/public_html/include/MassUpdate.php is renamed automatically to /home/site_folder/public_html/include/MassUpdate.php.suspected.

This happens 2-3 times a day with a 3-4 hour gap. This issue occurs only for this specific site; it doesn't even occur for the staging replica of the same site. I even checked the code of that file on both sites, and it's the same.

We have Googled and found that such an issue occurs mostly for WordPress sites and that it could be because of an attack. But we checked our server against attack, and there isn't any. Also, there is no virus/malware scan running on the server.

What should we do?


Well-Known Member
Jul 18, 2013
cPanel Access Level
Root Administrator
A thread with the exact same question exists on Stack Overflow - php file automatically renamed to php.suspected

I do not fully agree with the conclusions drawn in that thread - and I am sorry, but I do not think that the ClamAV scanner, on its own, renames files to .suspected either. (It may look as if it does, if ClamAV is used by, or integrated into, a third-party malware scanner.)

There are many results in Google for the search "php.suspected" and most allude to there being some malware present that is changing the filename.

You might also like to have a look at this thread: .suspected file

You might also get some insight from: whilst your issue may not be exactly the same, and this may be a totally new iteration of the malware, I believe that the same basic core routines are being used.

Earlier infections used to use a web GET to /something.php.suspected, and if the .suspected file was found, it indicated that the hosting account or server had been successfully compromised and that often, a webshell had also been deployed on the server.

My advice would be to reinstall the CRM software from a backup, or better still, from scratch using a backup of the database and any media files.

Before you delete your files, take a download of the existing file-set so you can run a diff against a fresh copy of the CRM file-set (don't forget to include fresh plugins or add-ons).

You may then want to audit the rest of your user-space/CRM/server for traces of how the exploit was achieved in the first place, and for any other residual malware files, and take steps to secure whatever ingress vector was used.

If you are not root on the server, you should immediately report this issue to your web hosting administrator, as you may be in breach of their hosting terms and conditions, and you will need someone with root access to help track down, and clean up, any malware that might have been installed.

Please Note:

If your SugarCRM is the free "Community Edition", it looks like support and updates were discontinued in April 2018, that version 6.5 would be the last version to be released, and that v6.5 had reached End of Life. See for full details.

Obviously, this presents significant security issues, as the project receives no fixes nor patches against any newly discovered vulnerabilities or code bugs.

If anyone is using the Sugar Community Edition CRM, you would probably want to explore upgrading to a current and supported commercial version.
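One way to run the file-set diff the post above recommends, as an added example that is not code from this thread or from SugarCRM: hash every file in the live tree and in a fresh copy, then report added, removed and modified files, flagging any names carrying the .suspected suffix. The directory layout and file contents below are constructed for the example; point `live` and `clean` at the downloaded file-set and the fresh copy in practice.

```python
"""Added example (not from the thread): compare a live CRM file-set against a
fresh copy and report what differs, as a starting point for the audit."""
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_digests(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def diff_filesets(live: Path, clean: Path) -> dict:
    """Classify differences between a live tree and a known-clean tree.
    'suspected' lists files carrying the .suspected suffix discussed in the thread."""
    a, b = tree_digests(live), tree_digests(clean)
    return {
        "added":     sorted(p for p in a if p not in b),
        "removed":   sorted(p for p in b if p not in a),
        "modified":  sorted(p for p in a if p in b and a[p] != b[p]),
        "suspected": sorted(p for p in a if p.endswith(".suspected")),
    }

def build_sample_trees() -> tuple:
    """Constructed sample: a clean copy and a live copy showing the thread's symptom."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "include").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'home'; ?>\n")
    (clean / "include/MassUpdate.php").write_text("<?php /* original */ ?>\n")
    # Live tree: MassUpdate.php was renamed to .suspected, an unknown file appeared,
    # and index.php was altered (all constructed for the example).
    (live / "include/MassUpdate.php.suspected").write_text("<?php /* original */ ?>\n")
    (live / "include/extra.php").write_text("<?php /* not in clean copy */ ?>\n")
    (live / "index.php").write_text("<?php echo 'home'; /* changed */ ?>\n")
    return live, clean

if __name__ == "__main__":
    live_dir, clean_dir = build_sample_trees()
    for kind, paths in diff_filesets(live_dir, clean_dir).items():
        print(f"{kind}: {paths}")
```

Every path in `added` and `modified` is a candidate for manual review; a `.suspected` entry paired with a `removed` entry of the same base name is the rename pattern described in the thread.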


Staff member
Apr 11, 2011
Hello @lahmar amine,

The information in the previous post is solid. Let us know if you have any additional questions.

Thank you.