Strange Virus in Cpanel

[Rajubhai Rathod]

Hi!
I have got contacted by one of my Freelancer client. He was have virus issue in wordpress website. I have tried to clean virus from site. I was have marked that some files was getting automatically added again. Now I have backup my public_html folder and deleted all files from public_html directory including hidden files. There was no any files in it but as soon as I refresh cpanel file manager, one file called index.php coming automatically. I have tried to delete public_html folder and created new one too but again its same issue. I have checked cron job, there was no cron job running. I have checked FTP connection too, there no any connection. I am not getting idea how it can be generated. My public_html directory have permission set to 750. Virus Cleaner in cpanel not detecting any virus. Let me know if anyone here can help me for same.
Thanks!

 

[RoseHosting]

You mentioned about WordPress, most likely the malicious files came from a bad WordPress plugin. You can try to scan the site using a WordPress plugin, like WordFence, and Imunify through WHM to scan the cPanel account's home directory.

Once the malicious codes are removed, make sure you update the passwords, including your cPanel account's password.

 

[Rajubhai Rathod]

I think You have not understood what I am saying. Forget my wordpress. I have deleted complete public_html folder and created new one. As soon as I refresh file manager in cpanel, I am getting new index.php file. I do not know from where its coming.

 

[Rajubhai Rathod]

You mentioned about WordPress, most likely the malicious files came from a bad WordPress plugin. You can try to scan the site using a WordPress plugin, like WordFence, and Imunify through WHM to scan the cPanel account's home directory.

Once the malicious codes are removed, make sure you update the passwords, including your cPanel account's password.

I think You have not understood what I am saying. Forget my wordpress. I have deleted complete public_html folder and created new one. As soon as I refresh file manager in cpanel, I am getting new index.php file. I do not know from where its coming.

 

[andrewmoras]

I think You have not understood what I am saying. Forget my wordpress. I have deleted complete public_html folder and created new one. As soon as I refresh file manager in cpanel, I am getting new index.php file. I do not know from where its coming.

This is probably NOT a cPanel issue but rather something that has to do with permissions on that index file OR a cronjob that re-creates it after you have delete it. It would be interesting to check the contents of that index.php in order to see if it's something malicious or just some default index.

Thanks,

Andrew

 

[cPRex]

Examining the content of the index.php file would be the only way to know for sure what that is. Can you see the data inside there? Are there any cron jobs running on that user account?

 

[ankeshanand]

There are some viruses which gets replicated over to all folders as they run with permission 7 as user. Another case is that the Process is still running and You need to stop the PHP Process manually. There are 2 Options in my method to resolve this:
1. Go to Antivirus Plugin (Virus Scanner by ClamAV or Imunify360) and Scan the cPanel home folder for any Worm or Trojans.
2. Go to Select PHP Version and Change it to any other. This would break any process currently ongoing. Then revert back to original PHP Version.(If You do not have the option Select PHP Version, that means you are running on an OS Different than CloudLinux. In that case, Request your Hosting Provider to go to WHM> Process Manager> Kill all Processes for {User})
These both will surely get you out. Let me know if it still happens and then I'll suggest some different methods as well.