Imunify AV malware scanner

friv (Member, Dec 14, 2018, Serbia; cPanel Access Level: Website Owner)
Hello

After scanning with Imunify AV from cPanel I see 13 detected malware items. So, now my question is: is it accurate that it recognized real malware, or not? I do not know if I can erase those files if they are malware. Please check the attachment. Thanks
 


quietFinn (Well-Known Member, Feb 4, 2006, Finland; cPanel Access Level: Root Administrator)
There are not supposed to be any PHP files in that directory, so it should be safe to remove it.

If you look at what is in that file, you will most likely see typical malware.
 

friv (Member, Dec 14, 2018, Serbia; cPanel Access Level: Website Owner)
quietFinn said:
There are not supposed to be any PHP files in that directory, so it should be safe to remove it.

If you look at what is in that file, you will most likely see typical malware.

Thanks, quietFinn, for answering me.

Can you please check again the screenshot I have updated just now.

So, in your opinion, should I delete only the last item in every infected path, for example meta.php, cphordem.php, etc., or do I need to remove the whole folder? Thanks again
 

cPRex (Jurassic Moderator, Staff member, Oct 19, 2014; cPanel Access Level: Root Administrator)
Hey there! While the .cphorde/meta directory does exist inside /home/username, I would not expect it to be present inside the public_html directory. Normally this directory only contains the Horde database files, and I'm not finding much online for the metap.php file.

I'm guessing this is some type of malware content on the machine. I would examine the PHP file to see what is in there before deleting the content, but anything in public_html would not be related to the Horde files that cPanel uses on the machine.

If you'd like to submit a ticket to our team we can check the PHP file for you.
 

quietFinn (Well-Known Member, Feb 4, 2006, Finland; cPanel Access Level: Root Administrator)
cPRex said:
Hey there! While the .cphorde/meta directory does exist inside /home/username, I would not expect it to be present inside the public_html directory. Normally this directory only contains the Horde database files, and I'm not finding much online for the metap.php file.

Didn't notice it was in the public_html directory o_O

friv said:
Can you please check again the screenshot I have updated just now.

So, in your opinion, should I delete only the last item in every infected path, for example meta.php, cphordem.php, etc., or do I need to remove the whole folder? Thanks again

There seem to be a few folders that must not be in the public_html folder, but in the account's root folder.
You should remove those folders.
 

friv (Member, Dec 14, 2018, Serbia; cPanel Access Level: Website Owner)
quietFinn said:
Didn't notice it was in the public_html directory o_O

There seem to be a few folders that must not be in the public_html folder, but in the account's root folder.
You should remove those folders.

You mean to remove those files from the public_html folder when I tick "Show hidden files", right?
 

friv (Member, Dec 14, 2018, Serbia; cPanel Access Level: Website Owner)
Quoted from an earlier reply:
The whole .cphorde would be a hidden file/directory since the "." is what makes it hidden.

When I tick "Show hidden files" I see .cphorde outside of public_html and inside public_html. And when I untick "Show hidden files" I can't see .cphorde (which is normal).
 

quietFinn (Well-Known Member, Feb 4, 2006, Finland; cPanel Access Level: Root Administrator)
In the picture you posted there are folders public_html/.cphorde & public_html/.cpanel, remove those folders.
 

friv (Member, Dec 14, 2018, Serbia; cPanel Access Level: Website Owner)
quietFinn said:
In the picture you posted there are folders public_html/.cphorde & public_html/.cpanel, remove those folders.

Ok, thanks. Now I have erased the .cphorde and .cpanel folders from public_html.

Please check the new screenshot again for what more I need to remove from public_html. (Just to mention, I made the screenshot with "Show hidden files" ticked.)
 


friv (Member, Dec 14, 2018, Serbia; cPanel Access Level: Website Owner)
cPRex said:
That looks more normal to me, although I'm not sure what the "imh" directory is. It could be something unique to your environment, but I don't see that on a standard cPanel system.

That's right, cPRex, "imh" is a strange folder, hm.... I will delete it too, and if something goes wrong I will restore it from the trash. What do you think?
 

friv (Member, Dec 14, 2018, Serbia; cPanel Access Level: Website Owner)
Quoted from an earlier reply:
You can always create an account backup too before you delete files, but it doesn't hurt to examine the files in there before removal.

Now the scanner is showing that there are no infected files (Error, file not found) after removing them.

Now I am wondering if you can check the screenshot again, but this one is outside public_html, and if you can tell me whether it is ok for those folders to stay outside public_html, or if this is maybe injected as malware too? (Maybe the scanner can't detect malware outside of public_html.)
 


cPRex (Jurassic Moderator, Staff member, Oct 19, 2014; cPanel Access Level: Root Administrator)
The only files placed in public_html by cPanel when an account is created are the following:

Code:
[root@host public_html]# ll
total 48K
drwxr-x---.  3 cptest cptest 4.0K Jan 28 17:30 .
drwx--x--x. 11 cptest cptest 4.0K Jan 28 17:30 ..
-rw-r--r--.  1 cptest cptest  229 Jan 28 17:30 400.shtml
-rw-r--r--.  1 cptest cptest  207 Jan 28 17:30 401.shtml
-rw-r--r--.  1 cptest cptest  203 Jan 28 17:30 403.shtml
-rw-r--r--.  1 cptest cptest  204 Jan 28 17:30 404.shtml
-rw-r--r--.  1 cptest cptest  216 Jan 28 17:30 413.shtml
-rw-r--r--.  1 cptest cptest  243 Jan 28 17:30 500.shtml
drwxr-xr-x.  2 cptest cptest 4.0K Jan 28 17:30 cgi-bin
-rw-r--r--.  1 cptest cptest  11K Jan 28 17:30 cp_errordocument.shtml
Anything else is either from your website software, or was manually put there by a user.
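As an added example, not code from the thread, from cPanel or from Imunify: a small POSIX shell script that compares a public_html directory against the default skeleton in cPRex's listing, hidden entries included (the equivalent of ticking "Show hidden files"), and does the two checks the earlier replies suggest: it flags PHP files sitting under dotted directories, and it counts lines in a PHP file that use functions injected code commonly relies on, so you know which files to read by hand before deleting. The sample tree it builds (the imh directory, index.php and the placeholder content of metap.php) is constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: compare a public_html
# directory against cPanel's default skeleton, hidden entries included, and
# triage any PHP that turns up under a dotted directory.

# Names cPanel places in a fresh public_html (taken from the listing above).
DEFAULT_ENTRIES="400.shtml 401.shtml 403.shtml 404.shtml 413.shtml 500.shtml cgi-bin cp_errordocument.shtml"

# Return 0 if $1 is one of the default entry names.
is_default() {
    for d in $DEFAULT_ENTRIES; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# Print every top-level entry of $1 that is not in the default set, dotfiles
# included. Directories get a trailing slash. Sorted in the C locale so the
# order is stable across systems.
audit_public_html() {
    dir=$1
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$path" ] || continue            # glob matched nothing
        name=$(basename "$path")
        is_default "$name" && continue
        if [ -d "$path" ]; then
            printf '%s/\n' "$name"
        else
            printf '%s\n' "$name"
        fi
    done | LC_ALL=C sort
}

# List PHP files anywhere under dotted directories of $1. cPanel's own hidden
# directories hold data, not PHP, so any hit is worth reading by hand.
php_in_hidden_dirs() {
    find "$1" -path "$1/.*" -type f -name '*.php' | LC_ALL=C sort
}

# Count lines in a PHP file that call functions injected code commonly leans
# on. A non-zero count means "inspect before deleting", not "confirmed
# malware": legitimate software uses some of these too.
php_suspicious_lines() {
    grep -c -E 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$1" || true
}

# Build a constructed sample tree mirroring the thread: the default files, a
# .cphorde/meta directory holding a PHP file, an "imh" directory and an
# index.php from site software. Prints the temporary directory path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/cgi-bin" "$root/.cphorde/meta" "$root/imh"
    for f in $DEFAULT_ENTRIES; do
        [ "$f" = cgi-bin ] || : > "$root/$f"
    done
    : > "$root/index.php"
    # Constructed placeholder; the encoded string decodes to "constructed sample".
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQgc2FtcGxl"));\n' > "$root/.cphorde/meta/metap.php"
    printf '%s\n' "$root"
}

# Stand-alone demo: audit the constructed tree, then remove it.
sample=$(make_sample_tree)
echo "Entries in $sample not in cPanel's default skeleton:"
audit_public_html "$sample"
php_in_hidden_dirs "$sample" | while read -r php; do
    echo "$php: $(php_suspicious_lines "$php") suspicious line(s), inspect before removing"
done
rm -rf "$sample"
```

Run it against a real account with `audit_public_html /home/username/public_html`; anything it prints that is not your site software is a candidate for the kind of inspection quietFinn and cPRex describe, and the count from `php_suspicious_lines` only tells you where to look first.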
 

friv (Member, Dec 14, 2018, Serbia; cPanel Access Level: Website Owner)
cPRex said:
The only files placed in public_html by cPanel when an account is created are the following:

Code:
[root@host public_html]# ll
total 48K
drwxr-x---.  3 cptest cptest 4.0K Jan 28 17:30 .
drwx--x--x. 11 cptest cptest 4.0K Jan 28 17:30 ..
-rw-r--r--.  1 cptest cptest  229 Jan 28 17:30 400.shtml
-rw-r--r--.  1 cptest cptest  207 Jan 28 17:30 401.shtml
-rw-r--r--.  1 cptest cptest  203 Jan 28 17:30 403.shtml
-rw-r--r--.  1 cptest cptest  204 Jan 28 17:30 404.shtml
-rw-r--r--.  1 cptest cptest  216 Jan 28 17:30 413.shtml
-rw-r--r--.  1 cptest cptest  243 Jan 28 17:30 500.shtml
drwxr-xr-x.  2 cptest cptest 4.0K Jan 28 17:30 cgi-bin
-rw-r--r--.  1 cptest cptest  11K Jan 28 17:30 cp_errordocument.shtml
Anything else is either from your website software, or was manually put there by a user.

That is clear to me, how public_html looks by default. But we are talking here about when "Show hidden files" is ticked :) For now, according to the scanner, the files are removed. Now I will see what happens, whether the malware appears again or not.

Btw, thanks for the great and amazing support. I really appreciate your help.