Have Securi scanner results. Now how to delete 240 infected files?

romandas

Registered
Nov 27, 2020
4
0
1
Vilnius
cPanel Access Level
Website Owner
Hello,

Maybe this question does not belong in this forum.
I have scanned the website with Securi scanner and it gave results in a txt file like this, 240 infected files:
Code:
/home1/aquariu9/public_html/horaactual/dfksil11.php: SL-PHP-BACKDOOR-GENERIC-aws.UNOFFICIAL FOUND
/home1/aquariu9/public_html/horaactual/lt8xzlvc.php: SL-PHP-BACKDOOR-GENERIC-aws.UNOFFICIAL FOUND
/home1/aquariu9/public_html/caricaturesse/agozt9vh.php: SL-PHP-BACKDOOR-GENERIC-aws.UNOFFICIAL FOUND
/home1/aquariu9/public_html/mouselaptop/wp-content/themes/Events/timthumb.php.BACKUP: EIG.PHP.TimThumb-115.UNOFFICIAL FOUND
............
How would you delete this long list of files in different directories? I can delete them manually, but maybe you can tell me a better solution. Thanks
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
6,810
895
313
cPanel Access Level
Root Administrator
Hey there! If I had a long list of files with output like that, I would likely place it in a text file and then use a "for" loop to work through them and delete them in as automated a way as possible. You may need some extra programming when pulling the file name list to remove the ":" at the end of each file, but I would expect that to work well.

We have a guide on creating a simple command to do this work here:

 
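An added example, not part of the original posts or of cPanel's guide: the loop described above, written so that it moves each reported file into a quarantine directory instead of deleting it, which keeps the files available for inspection. The function name, the quarantine directory and the manifest file are assumptions; the report line format is the one shown in the first post.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed report line format, as posted:
#   <absolute path>: <signature name> FOUND

# quarantine_from_report REPORT DOCROOT QDIR
# Moves every reported regular file under DOCROOT into QDIR (same relative
# path), records path + signature in QDIR/manifest.txt, prints the counts.
quarantine_from_report() (
    report=$1; docroot=${2%/}; qdir=${3%/}
    moved=0; skipped=0
    # Quarantine must live outside the web root so nothing in it is served.
    case "$qdir/" in "$docroot"/*)
        echo "quarantine dir must be outside $docroot" >&2; return 2 ;;
    esac
    mkdir -p -- "$qdir"
    while IFS= read -r line || [ -n "$line" ]; do
        # Only detection lines end in " FOUND"; ignore everything else.
        case "$line" in *": "*" FOUND") ;; *) continue ;; esac
        path=${line%: *}     # cut at the last ": " -> path without the colon
        sig=${line##*: }     # text after the last ": " -> signature + FOUND
        # Refuse paths outside the docroot or with ".." components.
        case "$path" in
            */../*|*/..) skipped=$((skipped + 1)); continue ;;
            "$docroot"/*) ;;
            *) skipped=$((skipped + 1)); continue ;;
        esac
        # Refuse symlinks and anything that is not an existing regular file.
        if [ -L "$path" ] || [ ! -f "$path" ]; then
            skipped=$((skipped + 1)); continue
        fi
        dest=$qdir/${path#"$docroot"/}
        mkdir -p -- "${dest%/*}"
        mv -- "$path" "$dest"
        printf '%s\t%s\n' "$path" "$sig" >> "$qdir/manifest.txt"
        moved=$((moved + 1))
    done < "$report"
    echo "moved=$moved skipped=$skipped"
)

# Run only when called with the three arguments, e.g. (placeholder paths):
#   sh quarantine.sh scan-results.txt /home/USER/public_html /home/USER/quarantine
if [ "$#" -eq 3 ]; then quarantine_from_report "$@"; fi
```

The manifest keeps each original path next to its signature, so a file that turns out to belong to the site can be put back in place.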

romandas

Thanks for the answer. I will look into that.
I'm new to malware curing and found just now that I can't just delete all these files, because some of them are required for the sites but are injected with malicious PHP code.
I will need to open all of them, search for suspicious PHP code and delete it. A long night waiting :)
 

cPRex

That's another thing to consider for sure. If some of those files are not just randomly-generated names, but are actual files on the site, you'll need to manually open them and see where the code is injected and remove that.

It might be a good idea to work with a security professional to see if you can track down the reason why this happened in the first place so you could prevent this in the future.
 

romandas

Yes, it may be helpful to consult with a security professional. At this moment I see old WooCommerce v3.9.3, and the site is HTTP (not secure).
Perhaps those are the first things to fix, and also to change the passwords for the database and WordPress.