Sep 28, 2015
6
0
51
India
cPanel Access Level
Root Administrator
Hi!
I have got contacted by one of my Freelancer client. He was have virus issue in wordpress website. I have tried to clean virus from site. I was have marked that some files was getting automatically added again. Now I have backup my public_html folder and deleted all files from public_html directory including hidden files. There was no any files in it but as soon as I refresh cpanel file manager, one file called index.php coming automatically. I have tried to delete public_html folder and created new one too but again its same issue. I have checked cron job, there was no cron job running. I have checked FTP connection too, there no any connection. I am not getting idea how it can be generated. My public_html directory have permission set to 750. Virus Cleaner in cpanel not detecting any virus. Let me know if anyone here can help me for same.
Thanks!
 

RoseHosting

Member
PartnerNOC
Jan 3, 2003
24
4
153
You mentioned about WordPress, most likely the malicious files came from a bad WordPress plugin. You can try to scan the site using a WordPress plugin, like WordFence, and Imunify through WHM to scan the cPanel account's home directory.

Once the malicious codes are removed, make sure you update the passwords, including your cPanel account's password.
 
  • Like
Reactions: cPRex
Sep 28, 2015
6
0
51
India
cPanel Access Level
Root Administrator
I think You have not understood what I am saying. Forget my wordpress. I have deleted complete public_html folder and created new one. As soon as I refresh file manager in cpanel, I am getting new index.php file. I do not know from where its coming.
 
Sep 28, 2015
6
0
51
India
cPanel Access Level
Root Administrator
You mentioned about WordPress, most likely the malicious files came from a bad WordPress plugin. You can try to scan the site using a WordPress plugin, like WordFence, and Imunify through WHM to scan the cPanel account's home directory.

Once the malicious codes are removed, make sure you update the passwords, including your cPanel account's password.
I think You have not understood what I am saying. Forget my wordpress. I have deleted complete public_html folder and created new one. As soon as I refresh file manager in cpanel, I am getting new index.php file. I do not know from where its coming.
 

andrewmoras

Active Member
Feb 6, 2021
34
18
8
Remote
cPanel Access Level
DataCenter Provider
I think You have not understood what I am saying. Forget my wordpress. I have deleted complete public_html folder and created new one. As soon as I refresh file manager in cpanel, I am getting new index.php file. I do not know from where its coming.
This is probably NOT a cPanel issue but rather something that has to do with permissions on that index file OR a cronjob that re-creates it after you have delete it. It would be interesting to check the contents of that index.php in order to see if it's something malicious or just some default index.

Thanks,

Andrew
 
  • Like
Reactions: cPRex

ankeshanand

Well-Known Member
Mar 29, 2021
66
15
8
India
cPanel Access Level
Root Administrator
There are some viruses which gets replicated over to all folders as they run with permission 7 as user. Another case is that the Process is still running and You need to stop the PHP Process manually. There are 2 Options in my method to resolve this:
1. Go to Antivirus Plugin (Virus Scanner by ClamAV or Imunify360) and Scan the cPanel home folder for any Worm or Trojans.
2. Go to Select PHP Version and Change it to any other. This would break any process currently ongoing. Then revert back to original PHP Version.(If You do not have the option Select PHP Version, that means you are running on an OS Different than CloudLinux. In that case, Request your Hosting Provider to go to WHM> Process Manager> Kill all Processes for {User})
These both will surely get you out. Let me know if it still happens and then I'll suggest some different methods as well.
 
  • Like
Reactions: cPRex