Every day I get this type of alert from my CSF/LFD.
It executes some PHP scripts even though some of these users don't even have a website, so PHP isn't enabled.
I suspect they use it to send spam from my server.
I've been running some scans with maldet, and it always finds some threats like below.
I've deleted the quarantine as well, but they always come back.
How can I
1. Get rid of them
2. Prevent these users from executing PHP scripts
Code:
-------------------------------------------------------------------
Time: Wed Mar 20 09:08:27 2019 -0400
Account: mvandammeadmin
Resource: Virtual Memory Size
Exceeded: 480 > 400 (MB)
Executable: /opt/cpanel/ea-php56/root/usr/bin/php-cgi
Command Line: /opt/cpanel/ea-php56/root/usr/bin/php-cgi
PID: 17598 (Parent PID:4946)
Killed: No
-------------------------------------------------------------------
Code:
-------------------------------------------------------------------
PATH:
TOTAL FILES: 624239
TOTAL HITS: 13
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}php.malware.magento.594 : /home/labellev/logs/example.net-Mar-2019.gz => /usr/local/maldetect/quarantine/example.net-Mar-2019.gz.1351819726
{HEX}php.malware.magento.594 : /home/gruadmin/logs/gruman.be-Mar-2019.gz => /usr/local/maldetect/quarantine/examplen.be-Mar-2019.gz.253081703
{HEX}php.malware.magento.594 : /home/pitadmin/logs/example.org-Mar-2019.gz => /usr/local/maldetect/quarantine/example.org-Mar-2019.gz.2465528531
{CAV}Win.Malware.Tspy-6881358-0 : /home/noureddine/mail/new/1510582942.M291710P29496.host.example.com,S=723485,W=732951 => /usr/local/maldetect/quarantine/1510582942.M291710P29496.host.example.com,S=723485,W=732951.901425328
{HEX}php.malware.magento.594 : /home/bswiadmin/logs/bswi.org-Mar-2019.gz => /usr/local/maldetect/quarantine/example.org-Mar-2019.gz.614021638
{HEX}php.malware.magento.594 : /home/belilanadmin/logs/example.com-Mar-2019.gz => /usr/local/maldetect/quarantine/example.com-Mar-2019.gz.1486125888
{HEX}php.malware.magento.594 : /home/cofigestionadmin/logs/example.x-Mar-2019.gz => /usr/local/maldetect/quarantine/example.x-Mar-2019.gz.1505625503
{CAV}Win.Dropper.Noon-6859637-0 : /home/abscompadmin/mail/example.tld/bens7361/new/1550059523.M898897P13920.host.example.com,S=356673,W=362542 => /usr/local/maldetect/quarantine/1550059523.M898897P13920.host.example.com,S=356673,W=362542.124011249
{CAV}Doc.Dropper.Agent-6894268-0 : /home/tactical5/mail/new/1536953117.M439893P10375.host.example.com,S=54107,W=54843 => /usr/local/maldetect/quarantine/1536953117.M439893P10375.host.example.com,S=54107,W=54843.2397617671
{CAV}Rtf.Exploit.CVE_2018_0802-6825822-0 : /home/tactical5/mail/new/1526991608.M30806P16669.host.example.com,S=40566,W=41146 => /usr/local/maldetect/quarantine/1526991608.M30806P16669.host.example.com,S=40566,W=41146.25329486
{CAV}Rtf.Dropper.Agent-6857133-0 : /home/tactical5/mail/example.0/simon/new/1544467112.M472641P9416.host.example.com,S=69343,W=70316 => /usr/local/maldetect/quarantine/1544467112.M472641P9416.host.example.com,S=69343,W=70316.2357125895
{HEX}php.malware.magento.594 : /home/eukoshermen/logs/example.eu-Mar-2019.gz => /usr/local/maldetect/quarantine/example.eu-Mar-2019.gz.571425162
{HEX}php.malware.magento.594 : /home/kriwinadmin/logs/example.be-Mar-2019.gz => /usr/local/maldetect/quarantine/example.be-Mar-2019.gz.56134332
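A triage helper for the maldet report above, added here as an example (it is not part of the original post and not a maldet or cPanel tool). It parses the `FILE HIT LIST` lines, derives the cPanel account from the `/home/<account>/...` path, and sorts each hit into a location class: `logs/` (archived Apache access logs), `mail/` (Maildir message files), `public_html`/`www` (files the web server actually serves), or other. The sample input is a handful of lines copied from the report in the post; the location names and the `webroot_hits` function are the example's own conventions.

```python
import re
from collections import Counter, defaultdict

# Sample input: FILE HIT LIST lines copied from the maldet report in the post above.
SAMPLE_REPORT = """\
{HEX}php.malware.magento.594 : /home/labellev/logs/example.net-Mar-2019.gz => /usr/local/maldetect/quarantine/example.net-Mar-2019.gz.1351819726
{CAV}Win.Malware.Tspy-6881358-0 : /home/noureddine/mail/new/1510582942.M291710P29496.host.example.com,S=723485,W=732951 => /usr/local/maldetect/quarantine/1510582942.M291710P29496.host.example.com,S=723485,W=732951.901425328
{HEX}php.malware.magento.594 : /home/kriwinadmin/logs/example.be-Mar-2019.gz => /usr/local/maldetect/quarantine/example.be-Mar-2019.gz.56134332
{CAV}Rtf.Exploit.CVE_2018_0802-6825822-0 : /home/tactical5/mail/new/1526991608.M30806P16669.host.example.com,S=40566,W=41146 => /usr/local/maldetect/quarantine/1526991608.M30806P16669.host.example.com,S=40566,W=41146.25329486
"""

# One hit line: {ENGINE}signature : /path/of/hit => /quarantine/copy   (quarantine part optional)
HIT_RE = re.compile(
    r"^\{(?P<engine>[A-Z]+)\}(?P<sig>\S+) : (?P<path>.+?)(?: => (?P<quarantine>\S+))?$"
)


def classify_path(path):
    """Return (account, location) for a hit path under /home/<account>/.

    Location classes are this example's own: 'archived_log' for cPanel's
    /home/<user>/logs/ (rotated Apache access logs), 'mailbox' for Maildir
    files under /home/<user>/mail/, 'webroot' for public_html or www,
    'other' for anything else or paths outside /home.
    """
    parts = path.split("/")  # ['', 'home', account, subdir, ...]
    if len(parts) < 4 or parts[1] != "home":
        return None, "other"
    account, sub = parts[2], parts[3]
    if sub == "logs":
        return account, "archived_log"
    if sub == "mail":
        return account, "mailbox"
    if sub in ("public_html", "www"):
        return account, "webroot"
    return account, "other"


def parse_report(text):
    """Parse FILE HIT LIST lines into dicts; lines that do not match are ignored."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        hit = m.groupdict()
        hit["account"], hit["location"] = classify_path(hit["path"])
        hits.append(hit)
    return hits


def summarize(hits):
    """Map account -> Counter of location classes, e.g. {'tactical5': Counter({'mailbox': 1})}."""
    summary = defaultdict(Counter)
    for h in hits:
        summary[h["account"]][h["location"]] += 1
    return summary


def webroot_hits(hits):
    """Hits inside a served directory: the ones that indicate code the web server can run."""
    return [h for h in hits if h["location"] == "webroot"]


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    for account, counts in sorted(summarize(hits).items()):
        print(f"{account:20s} {dict(counts)}")
    print("hits in web roots:", len(webroot_hits(hits)))
```

The point of the split is that a signature match in a rotated access log or in a stored e-mail is data at rest (a logged request body or an attachment) rather than a script the web server executes, so it explains why quarantining those files "comes back" every time new logs and mail arrive, and why it says nothing about which account owns the php-cgi processes in the LFD alert. Only `webroot` hits (none in the posted report) point at code the server can actually run.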