Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

File type changed to php.suspected?

Discussion in 'Security' started by lahmar amine, Sep 12, 2018.

  1. lahmar amine

    lahmar amine Registered

    Sep 12, 2018
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Website Owner
    Since last 4 days, we are facing strange issue on our Production server (AWS EC2 instance) specific to only one site which is SugarCRM.

    Issue is /home/site_folder/public_html/include/MassUpdate.php file is renamed automatically to /home/site_folder/public_html/include/MassUpdate.php.suspected

    This happens 2-3 times in a day with 3-4 hours of gap. This issue occurs only in case of specific site, even it doesn't occur for staging replica of the same site. I even checked code of that file from both sites, it's same.

    We have Googled and found, such issue occurs mostly for Wordpress sites and it could be because of attack. But we checked our server against the attack, there isn't any. Also there is no virus/malware scan running on server.

    What should we do?
  2. rpvw

    rpvw Well-Known Member

    Jul 18, 2013
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    A thread with the exact same question exists on Stack Overflow - php file automatically renamed to php.suspected

    I do not fully agree with the conclusions drawn in that thread - and I am sorry but I do not think that ClamAV scanner, on its own, renames files to .suspected either. (It may look as if it is, if ClamAV is used by, or integrated into, a third party malware scanner)

    There are many results in Google for the search "php.suspected" and most allude to there being some malware present that is changing the filename.

    You might also like to have a look at this thread : .suspected file

    You might also get some insight from : whilst your issue may not be exactly the same, and this may be a totally new iteration of the malware, I believe that the same basic core routines are being used.

    Earlier infections used to use a web GET to /something.php.suspected , and if the .suspected file was found, it indicated that the hosting account or server had been successfully compromised and that often, a webshell had also been deployed on the server.

    My advice would be to reinstall the CRM software from a backup, or better still, from scratch using a backup of the database and any media files.

    Before you delete your files, take a download of the existing file-set so you can run a diff against a fresh copy of the CRM file-set (don't forget to include fresh plugins or add-ons)

    You may then want to audit the rest of your user-space/CRM/server for traces of how the exploit was achieved in the first place, and for any other residual malware files, and take steps to secure whatever ingress vector was used.

    If you are not root on the server, you should immediately report this issue to your web hosting administrator, as you may be in breach of their hosting terms and conditions, and you will need someone with root access to help track down, and clean up, any malware that might have been installed.

    Please Note:

    If your SugerCRM is the free "Community Edition", it looks like support and updates were discontinued in April 2018, and that version 6.5 would be the last version to be released and that v6.5 had reached End Of Life . See for full details

    Obviously, this presents significant security issues as the project receives no fixs nor patches against any newly discovered vulnerabilities or code bugs.

    If anyone is using the Sugar Community Edition CRM, you would probably want to explore upgrading to a current and supported commercial version.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 rpvw, Sep 13, 2018
    Last edited by a moderator: Sep 13, 2018
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Apr 11, 2011
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    Hello @lahmar amine,

    The information in the previous post is solid. Let us know if you have any additional questions.

    Thank you.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice