The Community Forums


.suspected file

Discussion in 'Security' started by manish294, Jul 8, 2016.

  1. manish294

    manish294 Member

    Joined:
    Jul 5, 2016
    Messages:
    21
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi All,

    I am facing an issue with one file on my server. The file is getting renamed automatically to filename.php.suspected. I renamed the file back to its original name, but it gets renamed to .suspected again almost daily.

    The Maldetect scanner and ClamAV are installed on the server, but nothing shows up in their logs. I have gone through almost every setting on the server but have not found how the file is getting renamed with the extension ".suspected".

    Can anyone please help me?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,449
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    The thread infopro linked is relevant. It's not maldet or clamav doing the renaming, it's the actual malware on the site. Until you get to the bottom of it (or rebuild your site) it's not going to go away.
     
  4. manish294

    manish294 Member

    Joined:
    Jul 5, 2016
    Messages:
    21
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    I did a malware scan using multiple tools but did not find any infection or malware in the files.
    Is there any other reason for this?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    This malware is very dynamic, and often evades tools like clamscan or maldet (clamscan sometimes finds parts of it but not all).

    When in doubt, follow the advice of cPanelMichael above: back up your database and media files, and reinstall WordPress.
     
  7. manish294

    manish294 Member

    Joined:
    Jul 5, 2016
    Messages:
    21
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Thank you cPanelMichael & quizknows.

    But unfortunately it is not a WordPress site. It is a custom PHP application.
    I have also downloaded all the files to my computer and scanned them with antivirus software, but no luck :(
    The file is getting renamed to .suspected every day.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You may need to consult with a qualified system administrator if it's a custom script and you are unable to determine what causes this to keep happening. You can find a list of system administration services at:

    System Administration Services

    Thank you.
     
  9. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    You need to keep an eye on the domain access logs. Get the modify and change times of the file (use the "stat" command) before you do anything with it.

    Cross-reference the change and modified times of the .suspected file with your Apache access logs for the domain. You should find suspect POST requests to whatever file has the backdoor being used to change the other file(s). You may have to repeat this process a few times to find all of the infected files.
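The correlation quizknows describes above, as an added example that is not part of the thread or of cPanel's own tooling: read the file's modify/change times the way `stat` reports them, then list the POST requests in the domain's Apache access log that fall within a window around that time. The log lines, the timestamps and the `/uploads/old.php` path are constructed for this example; the log file path on a cPanel server is an assumption noted in the usage note.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format. Only the client IP, timestamp, request
# method/path and status are extracted; referer and user agent are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log for a domain (not real traffic). The POST at 03:16:40
# immediately precedes the file change time used below.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jul/2016:03:14:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Jul/2016:03:14:09 +0000] "GET /images/logo.png HTTP/1.1" 200 884 "-" "Mozilla/5.0"
198.51.100.77 - - [08/Jul/2016:03:16:40 +0000] "POST /uploads/old.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.77 - - [08/Jul/2016:03:16:41 +0000] "GET /filename.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Jul/2016:11:02:13 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed "Change:" time of filename.php.suspected, as stat would show it.
SAMPLE_CHANGE_TIME = datetime(2016, 7, 8, 3, 16, 41, tzinfo=timezone.utc)


def file_change_times(path):
    """Return (mtime, ctime) of a file as UTC datetimes: the same values that
    `stat` prints as Modify and Change."""
    st = os.stat(path)
    return (datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
            datetime.fromtimestamp(st.st_ctime, tz=timezone.utc))


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), APACHE_TS),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def suspect_requests(log_lines, change_time, window=timedelta(minutes=5),
                     methods=("POST",)):
    """Return requests using one of `methods` whose timestamp lies within
    `window` of `change_time`, oldest first. Aware datetimes are compared
    directly, so log offsets other than +0000 are handled correctly."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in methods:
            continue
        if abs(rec["ts"] - change_time) <= window:
            hits.append(rec)
    return sorted(hits, key=lambda r: r["ts"])


if __name__ == "__main__":
    # Stand-alone demonstration on the constructed data.
    for hit in suspect_requests(SAMPLE_LOG.splitlines(), SAMPLE_CHANGE_TIME):
        print(hit["ts"].isoformat(), hit["ip"], hit["method"], hit["path"], hit["status"])
```

In practice you would replace the constructed inputs with `file_change_times("/home/user/public_html/filename.php.suspected")` and the lines of the domain's access log (on cPanel servers the per-domain Apache logs are assumed here to live under `/usr/local/apache/domlogs/`; check your own server's log location). A POST shortly before the change time to a file that should never receive POSTs is the kind of request quizknows is pointing at; widen the window or include other methods if nothing shows up, and repeat for each file that gets modified.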
     
  10. manish294

    manish294 Member

    Joined:
    Jul 5, 2016
    Messages:
    21
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Thanks, I will check access logs and investigate further.
     
  11. manish294

    manish294 Member

    Joined:
    Jul 5, 2016
    Messages:
    21
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi all,

    I have gone through each and every possibility on the server, the website scripts and the databases, but found nothing that is renaming the file to .suspected. I think I will have to re-create my website.

    If anybody has had the same issue and knows the resolution, please help me.
     
  12. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    At this point if you are unable to track it down, recreating the site is your best option unless you want to hire someone to investigate the infection. Personally I'd just rebuild the site.
     