A malware has been detected - Action Required (false positive)

ITHKBO

Active Member
Jun 23, 2020
41
39
18
Netherlands
cPanel Access Level
Root Administrator
We received an automated alert from ImunifyAV through cPanel that one of our customer sites had potential malware.
It did not specify what it found, only that the main page was infected, and a manual scan from ImunifyAV on the same day also showed the site as clean. We checked our resources at Sucuri and no scan came up with any false positives or potential threats. ModSecurity also did not show any strange records, and Wordfence on the site itself did not show any discrepancies.

After the audit I then sent a ticket to CloudLinux to inform them of this false positive and to ask why this trigger happened. They made an internal case (id: DEFA-5624) and now their support is asking us to contact cPanel about why this was sent from ImunifyAV.

I find it very odd that CloudLinux is not able to tell why their own program triggered this mail response, or simply contact you guys directly, but here I am at the behest of CloudLinux asking why the following mail was sent even though nothing was found as suspicious in the dashboard. Is there anything cPanel can check with regard to these kinds of messages, or is there some action log we ourselves can check? It is not shown in the ImunifyAV back-end of WHM as far as we can tell.
I can naturally provide the original, uncensored mail if needed.

From: cPanel on *****
<__cpanel__service__auth__icontact__xyonkhf9mmucaguh@ ***** >
Sent: Tuesday, 14 February 2023 04:17
To: ***** @ *****
Subject: [ ***** l] A malware has been detected - Action Required: *****

Dear Administrator,
We want to make sure that you are aware of any security threat that your server is exposed to.
With this message we are letting you know that a malware was found on your server(s):
* ***** [.]nl
  o Location: hXXp:// ***** [.]nl/ (main page of the website)
Leaving malware files untreated puts your entire environment at risk and creates significant security threats.
We urge you to take action immediately.
* Option 1: Please make sure that server administrator(s) take appropriate actions to remove malware as soon as possible to mitigate security risks.
* Option 2: Upgrade from ImunifyAV to Imunify360. With the use of comprehensive security features, such as real-time malware protection and Malware Database Scanner (MDS) the server-wide risk that malware infections create will be mitigated in a fully automated way.
Should you have any questions, please reach out to our support team.
Faithfully,
Your Imunify360 Security Team
Manage subscriptions
The system generated this notice on Tuesday, February 14, 2023 at 3:17:20 AM UTC.
“Imunify::Generic” notifications are currently configured to have an importance of “High”. You can change the importance or disable this type of notification in WHM’s Contact Manager at:
https:// ***** :2087/scripts2/editcontact?event=Application
Do not reply to this automated message.

Copyright© 2023 cPanel, L.L.C.

ITHKBO
If you have access to the CloudLinux Zendesk, sure.

The cPanel ticket has been closed without our approval by CloudLinux because they wanted to continue in their own ticket, even though it was they who requested us to contact cPanel in the first place.
cPanel ID #94534741

Communication from CloudLinux is a mess (not to any fault of cPanel); if all is going well (and I have no idea) there should be communication between cPanel technicians and CloudLinux.

If you can't access the support case at their Zendesk and want it, I can send you a digest in a private message.
But there is not much cPanel can do as far as I see it.

ITHKBO
They have not confirmed anything yet besides that they cannot at present find anything wrong with the domain that gave the result.
They wanted to do more research, which is fine. I am at this stage not involved; it is something between cPanel and CloudLinux. I am monitoring the ticket for any input they need from my side, but at this time, besides initially informing cPanel at their behest, no requests have been made.

If there is any news I will update you in this thread.

ITHKBO
Got an update from CloudLinux.

The exact cause of the original message is unknown. They however suspect interference with the clamd service, which caused the GUI to not show any results.
They also checked some other notifications we did not ask about, from 11 days later and not related to the case.

Their suggestion is for us to stop the clamd service and any other antimalware solutions, which is something we are not willing to do.
I have asked for instructions on how to disable and remove ImunifyAV from cPanel.
I am sure they have a lovely product that they want to sell, but I am not willing to throw our entire antispam, firewall and exploit detection framework out the window.

This can be considered resolved.
Thank you for your attention cPRex on this matter.