.php.suspected

[zoltangal]

I came across a very strange problem. We installed a concrete5 CMS website on a cPAnel server. Twice a day this core file: concrete/src/validation/SanitizeService.php becames SanitizeService.php.suspected! Somehow it renames the extension to .php.suspected. Anybody have any idea why this is happening?

Thank You.

 

[cPanelMichael]

Hello,

Does anyone else have root access to your server? Do you have any third-party applications that automatically scan and disable files with potential vulnerabilities?

Thank you.

 

[zoltangal]

Hi,
Nobody else has root access except a few of my coworkers. ClamAV Scanner is active in cPanel.

 

[cPanelMichael]

There are no features in cPanel/WHM that will scan for files and rename them. This suggests it's happening manually or through a third-party application. You may want to consult with everyone who has root access to verify it's not changed manually.

Thank you.

 

[quizknows]

I do not know of any security programs that do this. I have seen technicians at some hosting companies do it, but it is bad practice, since unknown file extensions may display as plain text if file permissions are not set to prevent it.

 

[quizknows]

After some more research on this, this is a wide-spread issue across hacked sites. Why hackers would re-name legitimate files to .php.suspected is beyond me but I have confirmed this is happening on hacked sites via requests to malicious files.

See:

https://wordpress.org/support/topic/link-templatephpsuspected/page/2