manish294 (Member, joined Jul 5, 2016, India, cPanel Access Level: Root Administrator):
Hi All,

I am facing an issue with one file on my server. The file is getting renamed automatically to filename.php.suspected. I did rename the file back to the original, but it gets renamed to .suspected again almost daily.

The Maldetect scanner and ClamAV are installed on the server, but nothing shows up in their logs. I have gone through almost every setting on the server but have not found how the file is getting renamed with the ".suspected" extension.

Can anyone please help me?

quizknows (Well-Known Member, joined Oct 20, 2009, cPanel Access Level: DataCenter Provider):
The thread infopro linked is relevant. It's not maldet or clamav doing the renaming, it's the actual malware on the site. Until you get to the bottom of it (or rebuild your site) it's not going to go away.

manish294 (Member, joined Jul 5, 2016, India, cPanel Access Level: Root Administrator):
quizknows said:
> The thread infopro linked is relevant. It's not maldet or clamav doing the renaming, it's the actual malware on the site. Until you get to the bottom of it (or rebuild your site) it's not going to go away.

Hello,

I did a malware scan using multiple tools but found no infection or malware in the files.
Is there any other reason for this?

quizknows (Well-Known Member, joined Oct 20, 2009, cPanel Access Level: DataCenter Provider):
This malware is very dynamic, and often evades tools like clamscan or maldet (clamscan sometimes finds parts of it but not all).

When in doubt, follow the advice of cPanelMichael above: back up your database and media files, and reinstall WordPress.

manish294 (Member, joined Jul 5, 2016, India, cPanel Access Level: Root Administrator):
Thank you cPanelMichael & quizknows.

But unfortunately it is not a WordPress site. It is a custom PHP application.
I have also downloaded all the files to my computer and scanned them with anti-virus, but no luck :(
The file is getting renamed to .suspected every day.

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011):
You may need to consult with a qualified system administrator if it's a custom script and you are unable to determine what causes this to keep happening. You can find a list of system administration services at:

System Administration Services

Thank you.

quizknows (Well-Known Member, joined Oct 20, 2009, cPanel Access Level: DataCenter Provider):
You need to keep an eye on the domain access logs. Get the modify and change times of the file (use the "stat" command) before you do anything with it.

Reference the change and modified times of the .suspected file against your Apache access logs for the domain. You should find suspect POST requests to whatever file has the backdoor being used to change the other file(s). You may have to repeat this process a few times to find all of the infected files.
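The correlation quizknows describes, as an added example that is not part of the thread: read the renamed file's mtime/ctime with os.stat (the same values "stat" prints), then pull every access-log request that falls within a window around those timestamps, listing POSTs to PHP scripts first because those are the requests most likely to be the backdoor call that did the renaming. The log lines, file name and window size below are constructed for the demo; the combined-log regex is written for this example and only covers the standard Apache "combined" format.

```python
"""Correlate a renamed file's timestamps with Apache access-log requests.

Added example for the thread above (not the poster's own script). Assumes
the domain's access log is in Apache "combined" format and that the
suspect file's mtime/ctime are taken *before* anything touches the file.
"""
import os
import re
import sys
from datetime import datetime

# Hypothetical regex for the Apache "combined" log format (this example's own).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2016:03:14:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Jul/2016:03:15:40 +0000] "POST /uploads/tmp/x.php HTTP/1.1" 200 221 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2016:03:15:55 +0000] "GET /contact.php HTTP/1.1" 200 3341 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Jul/2016:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "curl/7.47"
"""


def to_epoch(apache_ts):
    """Convert an Apache timestamp like '05/Jul/2016:03:14:02 +0000' to epoch seconds."""
    return datetime.strptime(apache_ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": to_epoch(m.group("ts")),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def file_times(path):
    """Return (mtime, ctime) in epoch seconds; ctime is what a rename updates."""
    st = os.stat(path)
    return st.st_mtime, st.st_ctime


def is_php_post(rec):
    """True for POST requests whose target (query string stripped) is a .php file."""
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0].endswith(".php")


def requests_near(lines, when, window_seconds=120):
    """Requests within +/- window_seconds of `when` (epoch), PHP POSTs first.

    Within each group (PHP POSTs, then everything else) entries keep time order.
    """
    lo, hi = when - window_seconds, when + window_seconds
    hits = [r for r in map(parse_line, lines) if r and lo <= r["ts"] <= hi]
    hits.sort(key=lambda r: (not is_php_post(r), r["ts"]))
    return hits


if __name__ == "__main__":
    # Usage: python correlate.py /path/to/file.php.suspected /path/to/access_log
    # With no arguments, runs against the constructed sample log instead.
    if len(sys.argv) == 3:
        mtime, ctime = file_times(sys.argv[1])
        with open(sys.argv[2], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
        points = {"mtime": mtime, "ctime": ctime}
    else:
        lines = SAMPLE_LOG.splitlines()
        points = {"demo": to_epoch("05/Jul/2016:03:16:00 +0000")}
    for label, when in points.items():
        print(f"--- requests within 120s of {label} ---")
        for r in requests_near(lines, when):
            flag = "SUSPECT" if is_php_post(r) else "       "
            print(f"{flag} {r['ip']:<15} {r['method']:<5} {r['path']} {r['status']}")
```

Run it once per timestamp the renamed file carries (mtime and ctime usually differ after a rename) and widen the window if the log is sparse; a POST to a PHP file in an upload, cache or image directory that sits right before the change time is the file to pull apart next, and the same script run against that file's own timestamps is how the "repeat this process" step is done.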

manish294 (Member, joined Jul 5, 2016, India, cPanel Access Level: Root Administrator):
Hi all,

I have gone through each and every possibility on the server and in the website scripts and databases, but found nothing that is renaming the file to .suspected. I think I will have to re-create my website.

If anybody still has the same issue and knows the resolution, please help me.

quizknows (Well-Known Member, joined Oct 20, 2009, cPanel Access Level: DataCenter Provider):
At this point if you are unable to track it down, recreating the site is your best option unless you want to hire someone to investigate the infection. Personally I'd just rebuild the site.