How to resolve infection found by ImunifyAV

tkserver
Registered, Mar 18, 2021
cPanel Access Level: Root Administrator
I have a report of an infection from ImunifyAV, and this is all I'm given:

SHELL="/usr/local/cpanel/bin/jailshell"
*/9 * * * * perl /var/tmp/CpUOSh >/dev/null 2>&1

Reason: SMW-INJ-15328-cron.bkdr.perl-3

ChatGPT tells me I need to remove the line */9 * * * * perl /var/tmp/CpUOSh >/dev/null 2>&1 from the crontab file. Assuming that is correct, I don't see that line in the crontab file.

How do I rectify this infection?

cPRex
Jurassic Moderator, Staff member, Oct 19, 2014
cPanel Access Level: Root Administrator
Hey there! Is your Imunify license purchased through cPanel directly? If so, it would be best to create a ticket so we can see the specific issue in action and escalate to CloudLinux if necessary, as I would expect the tool to provide enough information for an end user to be able to handle it.

While that formatting certainly does look like a cron job, it's not clear to me where that would be present. Do you see that file present in /var/tmp?
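One way to answer that question on a cPanel box, as an added example that is not code from the thread, from cPanel or from Imunify: a POSIX shell function that greps every location cron actually reads (system crontab, /etc/cron.d, the per-user spool, and the periodic directories) for the dropper path from the report. The SHELL="/usr/local/cpanel/bin/jailshell" header is what a cPanel user's crontab carries, so a hit is expected under /var/spool/cron/<username> rather than in /etc/crontab. The sample tree and the username exampleuser are constructed placeholders.

```shell
#!/bin/sh
# find_cron_entries PATTERN [ROOT]: print file:line:content for every cron
# location containing PATTERN. ROOT is an optional prefix so the same function
# can be pointed at a constructed test tree instead of the live system.
find_cron_entries() {
  pat="$1"; root="${2:-}"
  for f in \
    "$root/etc/crontab" \
    "$root"/etc/cron.d/* \
    "$root"/var/spool/cron/* \
    "$root"/var/spool/cron/crontabs/* \
    "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
    "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/*
  do
    [ -f "$f" ] || continue
    # /dev/null as a second file forces grep to print the filename (portable);
    # "|| :" keeps a non-matching file from aborting the loop under set -e.
    grep -nF -- "$pat" "$f" /dev/null 2>/dev/null || :
  done
}

# Number of matching cron lines, as a plain integer.
count_cron_hits() {
  find_cron_entries "$1" "$2" | wc -l | tr -d ' '
}

# Extract the script path that "perl <path>" would run from one cron line, so
# the on-disk dropper can be checked. An absent file does not stop cron from
# retrying every 9 minutes; with >/dev/null 2>&1 it simply fails silently.
perl_target() {
  printf '%s\n' "$1" | sed -n 's/.*perl[[:space:]]\{1,\}\([^[:space:]>]*\).*/\1/p'
}

# Constructed sample tree mirroring the report: a clean /etc/crontab plus a
# cPanel user crontab (placeholder user "exampleuser") carrying the entry.
make_sample_tree() {
  sample_root=$(mktemp -d)
  mkdir -p "$sample_root/etc/cron.d" "$sample_root/var/spool/cron"
  printf 'SHELL=/bin/bash\n0 3 * * * root /usr/local/bin/backup.sh\n' \
    > "$sample_root/etc/crontab"
  printf 'SHELL="/usr/local/cpanel/bin/jailshell"\n*/9 * * * * perl /var/tmp/CpUOSh >/dev/null 2>&1\n' \
    > "$sample_root/var/spool/cron/exampleuser"
  echo "$sample_root"
}

# On a live server (as root): find_cron_entries /var/tmp/CpUOSh
```

The file:line prefix in the output tells you which user's spool file to edit (with crontab -u <user> -e) or which /etc/cron.d fragment to remove.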

tkserver
Registered, Mar 18, 2021
cPanel Access Level: Root Administrator
Thanks cPRex. My Imunify license is the "free" version through cPanel, which only scans but does not do any fixes. For a few years now I've been able to manually rectify any infections it has found, until now.

I did look in /var/tmp and the file is not present there.

tkserver
Registered, Mar 18, 2021
cPanel Access Level: Root Administrator
Sure. Thanks. Do I do that by clicking submit a ticket in your signature? I did that and then get to a "submit a request" option at the bottom of the page. Is a request the same as a ticket? :)

SimpleSonic
Well-Known Member, Mar 24, 2023
cPanel Access Level: Root Administrator
That is cron-job backdoor malware and is easily removed, but the real issue is how the attacker was able to create the cron job to begin with.

Therefore, just removing the cron job is not going to "fix" the issue.

Also, you might want to consider using Imunify360 to give you proactive protection rather than just using ImunifyAV which requires manual intervention when malware is found.