Question about email "A malware has been detected - Action Required"

Elizabeta

Well-Known Member
Mar 21, 2018
281
37
78
Mostar
cPanel Access Level
Root Administrator
Hello,

I have got an email "A malware has been detected - Action Required..."

Dear Administrator,
We want to make sure that you are aware of any security threat that your server is exposed to. With this message we are letting you know that a malware was found on your server(s):
  • ******o[.]com
    • Location: hXXp://*****[.]com/ (main page of the website)
Leaving malware files untreated puts your entire environment at risk and creates significant security threats.
We urge you to take action immediately.
· Option 1: Please make sure that server administrator(s) take appropriate actions to remove malware as soon as possible to mitigate security risks.
· Option 2: Upgrade from ImunifyAV to Imunify360. With the use of comprehensive security features, such as real-time malware protection and Malware Database Scanner (MDS) the server-wide risk that malware infections create will be mitigated in a fully automated way.
Should you have any questions, please reach out to our support team.
Faithfully,
Your Imunify360 Security Team
The system generated this notice on Tuesday, October 18, 2022 at 11:52:56 PM UTC.
“Imunify::Generic” notifications are currently configured to have an importance of “High”. You can change the importance or disable this type of notification in WHM’s Contact Manager at: https://************:2087/scripts2/editcontact?event=Applicatio
Do not reply to this automated message.

I opened WHM->Imunify->Scan All Users.
The result is "No malware found".

What does this mean?

Should I do anything on the server with the user for which the email came,
although the scan result is "No malware found"?

Best regards,
Elizabeta


 

Elizabeta

Hello,

One more question: my ImunifyAV is version 6.6.3-1. Is it possible to set the default action to clean infected files? In the Settings for ImunifyAV 6.6.3-1 I do not see such a possibility.

Best regards,
Elizabeta
 

rbairwell

Well-Known Member
May 28, 2022
129
59
28
Mansfield, Nottingham, UK
cPanel Access Level
Root Administrator
WordPress released version 6.0.3 as a security release on the 17th of October which Imunify appears to have picked up on before WordPress Toolkit etc did (so sites didn't have the chance to perform automatic updates). It's just an outdated installation (6.0.2) which, for some reason, has triggered Imunify.

Why it hasn't shown up in the Imunify WHM interface is another issue. I can see the messages in /var/log/imunify360/console.log, but nothing in WHM->Plugins->ImunifyAV->Malware Scanner->History or Malicious.

I've logged this as a bug as cPanel request 94495883 so the devs are aware.
(also reported in New Thread - Imunify360 - Vulnerabilities found on your Server - Action Required: WordPress )
 

Elizabeta

Hello,

Thank you very much for your answer.
Does this mean that one of my users has some problem even though the Imunify scan result is "No malware found"?

Or is everything OK with my user (no malware), and everything is related to the latest version of WordPress? Is it recommended to install WordPress Toolkit then?
WordPress Toolkit | cPanel & WHM Documentation

Best regards,
Elizabeta
 

rbairwell

I just noticed that your notification was slightly different from the one I received: "Vulnerabilities found on your Server - Action Required: WordPress .... We are reaching out to you to keep you informed on security threats. The list below shows vulnerable software that has been detected in your environment:" (I'm on cPanel 7.9.2009/imunifyAV 6.6.3-1)

However, since the scan is coming up clean, I'm reasonably confident that the site is okay, but feel free to check it via third party services such as WPSec, Sucuri or VirusTotal - and even Google Safe Browsing.

It's worthwhile to ensure WordPress is always as up to date as possible and the WordPress Toolkit included for free in cPanel/WHM does make things a lot easier.

ImunifyAV+ does have the ability to clean up malicious files (see ImunifyAV: Best Free Linux Server Antivirus), but the free version included with cPanel (ImunifyAV) does NOT. To upgrade, follow the links in WHM's ImunifyAV panel. It'll give you the chance to buy Imunify360 for $45/pm to cover unlimited sites: however, it's only $25/pm for up to 30 users ($12 for single user) from Imunify directly (the unlimited price is the same). ImunifyAV+ is $6/pm per server (and whilst it looks like it can be ordered from within WHM, it doesn't work - so you'll have to go to the Imunify website)

Hope it helps!
 

jigster

Active Member
May 17, 2007
25
3
153
I am getting exactly the same issue as the OP, same warning about one particular site then "No malware found" when I run a scan. What's annoying is that the email doesn't state anywhere what or where the 'detected malware' is. Not very useful and is just causing concern and extra work trying to figure out why this warning has been triggered. Cpanel folk, could you elaborate on what could be causing this warning? Thanks
 

jigster

It's sent from cpanel ([email protected]), but the email is signed "Your Imunify360 Security Team". At the bottom it says “Imunify::Generic” notifications are currently configured to have an importance of “High” so I guess it's part of cpanel's notifications. The email is exactly the same as the one posted by the OP.
 

jigster

It's not a WordPress site. WordPress has never even been installed on the account/domain.
 

stormy

Well-Known Member
Nov 22, 2003
243
61
178
Spain
cPanel Access Level
Root Administrator
I'm having a similar problem. Malware is being reported on a site that doesn't have any malware (nor a WordPress install). Plus, the Imunify notifications don't appear in Contact Manager.
 

jigster

After submitting a ticket to cPanel, the issue was that the website simply had a reference to a domain which they considered suspicious (in this case just an example domain listed on the site). That caused the malware warning email, but doesn't show up on a malware scan. Confusing if you ask me - the email should give details of what triggered the warning.
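
Added example, not part of any post in this thread and not cPanel or Imunify tooling: the notification names only the main page, and the last post traces the warning to a domain referenced on it, so this Python sketch lists every external host a saved copy of a page references (in link attributes and in visible text) for manual review. The function name, the sample HTML and all domains in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Bare host names in text, including defanged forms (hXXp://, example[.]com).
# Deliberately broad: it over-reports (e.g. file names) so nothing is missed.
HOST_RE = re.compile(
    r"(?:h(?:tt|xx)ps?://)?((?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,})", re.I)

class ReferenceCollector(HTMLParser):
    """Collect host names a page references and where each was seen."""
    URL_ATTRS = {"href", "src", "action", "data", "poster"}

    def __init__(self, own_domain):
        super().__init__()
        self.own = own_domain.lower()
        self.found = {}  # host -> set of locations

    def _note(self, host, where):
        host = host.lower().replace("[.]", ".")
        # Skip the site's own domain and its subdomains.
        if host != self.own and not host.endswith("." + self.own):
            self.found.setdefault(host, set()).add(where)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                host = urlsplit(value.strip()).hostname  # None for relative URLs
                if host:
                    self._note(host, f"<{tag} {name}>")

    def handle_data(self, data):
        for match in HOST_RE.finditer(data):
            self._note(match.group(1), "text")

def external_references(html, own_domain):
    collector = ReferenceCollector(own_domain)
    collector.feed(html)
    collector.close()
    return {h: sorted(w) for h, w in sorted(collector.found.items())}

# Constructed sample page; every domain is a reserved example name.
SAMPLE_PAGE = """<html><body>
<script src="//cdn.example.net/lib.js"></script>
<a href="https://shop.example.org/about">About</a>
<img src="/img/logo.png">
<p>Do not confuse us with phishing-demo.example, which is unrelated.</p>
<a href="http://partner.example.com/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    for host, places in external_references(SAMPLE_PAGE, "example.org").items():
        print(host, ", ".join(places))
```

Run it against a saved copy of the page named in the notification; a host that appears only as `text` is a mention rather than a loaded resource, which is the case described in the last post.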