Imunify AV malware scanner

friv

Member
Dec 14, 2018
14
0
1
Serbia
cPanel Access Level
Website Owner
Hello

After scanning with imunify AV from Cpanel i see 13 detected malwares. So, now my question is : Is this accurate that he recognized a real malwares or? . I do not know if i can erase that files if is malware. Please check attachment. Thanks
 

Attachments

Last edited:

quietFinn

Well-Known Member
Feb 4, 2006
1,668
341
438
Finland
cPanel Access Level
Root Administrator
There is not supposed to be any PHP files in that directory, it should be safe to remove it.

If you look what is in that file you will most likely see typical malware.
 

friv

Member
Dec 14, 2018
14
0
1
Serbia
cPanel Access Level
Website Owner
There is not supposed to be any PHP files in that directory, it should be safe to remove it.

If you look what is in that file you will most likely see typical malware.
Thanks quietFinn to answer me.

Can you please check again now screenshot i have update right now.

So,with your opinion i should delete in every infected file only last word example meta.php ,cphordem.php ..... etc. or i need to remove whole folder? Thanks again
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
11,837
1,881
363
cPanel Access Level
Root Administrator
Hey there! While the .cphorde/meta directory does exit inside /home/username, I would not expect it to be present inside the public_html directory. Normally this directory only contains the horde database files, and I'm not finding much online for the metap.php file.

I'm guessing this is some type of malware content on the machine. I would examine the PHP file to see what is in there before deleting the content, but anything in public_html would not be related to the Horde files that cPanel uses on the machine.

If you'd like to submit a ticket to our team we can check the PHP file for you.
 

quietFinn

Well-Known Member
Feb 4, 2006
1,668
341
438
Finland
cPanel Access Level
Root Administrator
Hey there! While the .cphorde/meta directory does exit inside /home/username, I would not expect it to be present inside the public_html directory. Normally this directory only contains the horde database files, and I'm not finding much online for the metap.php file.
Didn't notice it was in public_html directory o_O

Can you please check again now screenshot i have update right now.

So,with your opinion i should delete in every infected file only last word example meta.php ,cphordem.php ..... etc. or i need to remove whole folder? Thanks again
There seems to be a few folders that must not be in public_html folder, but in the account's root folder.
You should remove those folders.
 

friv

Member
Dec 14, 2018
14
0
1
Serbia
cPanel Access Level
Website Owner
Didn't notice it was in public_html directory o_O


There seems to be a few folders that must not be in public_html folder, but in the account's root folder.
You should remove those folders.
You mean to remove those files form public_html folder when i tick "show hidden files" right?
 

friv

Member
Dec 14, 2018
14
0
1
Serbia
cPanel Access Level
Website Owner
The whole .cphorde would be a hidden file/directory since the "." is what makes it hidden.
When i tick "Show hidden files" then i see .cphorde outside of public_html and inside public_html. And when i untick "Show hidden files" i can't see .cphorde. (which is normal)
 

quietFinn

Well-Known Member
Feb 4, 2006
1,668
341
438
Finland
cPanel Access Level
Root Administrator
In the picture you posted there are folders public_html/.cphorde & public_html/.cpanel, remove those folders.
 

friv

Member
Dec 14, 2018
14
0
1
Serbia
cPanel Access Level
Website Owner
In the picture you posted there are folders public_html/.cphorde & public_html/.cpanel, remove those folders.
Ok thanks. Now i have erased .cphorde and .cpanel folders from public_html

Please check now again screenshot what i need to remove more from public_html. ( Just to mention, screenshot i made when i tick "Show hidden files")
 

Attachments

friv

Member
Dec 14, 2018
14
0
1
Serbia
cPanel Access Level
Website Owner
That looks more normal to me, although I'm not sure with the "imh" directory is. It could be something unique to your environment, but I don't see that on a standard cPanel system.
That's right cPRex "imh" is strange folder,hm.... I will delete him too,and if something goes wrong will back from trash. What you think?
 

friv

Member
Dec 14, 2018
14
0
1
Serbia
cPanel Access Level
Website Owner
You can always create an account backup too before you delete files, but it doesn't hurt to examine the files in there before removal.
Now scanner is showing that there is no infected files ( Error, file not found ) after removing them.

Now i am wondering if you can check again screenshot but this is outside public_html, and if you can tell me is this ok to those folders stay outside public_html,or this is maybe injected as malware too? (Maybe scanner can't detect malware outside of public_html)
 

Attachments

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
11,837
1,881
363
cPanel Access Level
Root Administrator
The only files placed in public_html by cPanel when an account is created are the following:

Code:
[[email protected] public_html]# ll
total 48K
drwxr-x---.  3 cptest cptest 4.0K Jan 28 17:30 .
drwx--x--x. 11 cptest cptest 4.0K Jan 28 17:30 ..
-rw-r--r--.  1 cptest cptest  229 Jan 28 17:30 400.shtml
-rw-r--r--.  1 cptest cptest  207 Jan 28 17:30 401.shtml
-rw-r--r--.  1 cptest cptest  203 Jan 28 17:30 403.shtml
-rw-r--r--.  1 cptest cptest  204 Jan 28 17:30 404.shtml
-rw-r--r--.  1 cptest cptest  216 Jan 28 17:30 413.shtml
-rw-r--r--.  1 cptest cptest  243 Jan 28 17:30 500.shtml
drwxr-xr-x.  2 cptest cptest 4.0K Jan 28 17:30 cgi-bin
-rw-r--r--.  1 cptest cptest  11K Jan 28 17:30 cp_errordocument.shtml
Anything else is either from your website software, or was manually put there by a user.
 

friv

Member
Dec 14, 2018
14
0
1
Serbia
cPanel Access Level
Website Owner
The only files placed in public_html by cPanel when an account is created are the following:

Code:
[[email protected] public_html]# ll
total 48K
drwxr-x---.  3 cptest cptest 4.0K Jan 28 17:30 .
drwx--x--x. 11 cptest cptest 4.0K Jan 28 17:30 ..
-rw-r--r--.  1 cptest cptest  229 Jan 28 17:30 400.shtml
-rw-r--r--.  1 cptest cptest  207 Jan 28 17:30 401.shtml
-rw-r--r--.  1 cptest cptest  203 Jan 28 17:30 403.shtml
-rw-r--r--.  1 cptest cptest  204 Jan 28 17:30 404.shtml
-rw-r--r--.  1 cptest cptest  216 Jan 28 17:30 413.shtml
-rw-r--r--.  1 cptest cptest  243 Jan 28 17:30 500.shtml
drwxr-xr-x.  2 cptest cptest 4.0K Jan 28 17:30 cgi-bin
-rw-r--r--.  1 cptest cptest  11K Jan 28 17:30 cp_errordocument.shtml
Anything else is either from your website software, or was manually put there by a user.

That is clear for me how look like public_html by default. But we are talking here about when "Show hidden files" are ticked :) For now, according to the scanner,files are removed. Now, i will see what is happening,if malware will appear again or not.

Btw thanks for great and amazing support. I really appreciate your help .