"php.generic.malware" issue?

7 posts by 4 authors in: Forums > CMS Builder
Last Post: August 14, 2017   (RSS)

By CommonSenseDesign - February 6, 2017

Hi, All.

My client just received the following email from their host. Have any of you come across anything similar? Any suggestions for how to deal with it, please?

I should point out that the site was created in 2011 and the CMS/templates haven't been touched since then. Some of the files referred to are specific to this website, but "php.generic.malware" seems to be a common issue on the list. Also, some of the files - indicated in red - are not part of CMSB, nor were they created by me or the client. I've deleted these from the server and that hasn't affected the performance of the site.

====

This is a courtesy email to inform you of infected website files under domain nithvalley.com. Netflash recommends the injected files be removed and/or replaced with clean originals. From past contact I understand Nithvalley uses a 3rd party web developer, you may want to forward them this information.

FILE HIT LIST:

{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/portfolio-commercialDetails.php
{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/data/schema/other_projects.ini.php
{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/data/schema/services.ini.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/uploads/thumb2/files.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/uploads/thumb4/db76.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/lib/languages/menu57.php
{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/cmsAdmin/lib/fieldtypes/parentCategory.php
{HEX}php.generic.malware.441 : /var/www/vhosts/nithvalley.com/httpdocs/blogDetails.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/commercial/start32.php
{HEX}php.generic.malware.439 : /var/www/vhosts/nithvalley.com/httpdocs/institutional/proxy3.php
{HEX}php.base64.v23au.186 : /var/www/vhosts/nithvalley.com/httpdocs/_notes/help.php
{HEX}php.base64.v23au.186 : /var/www/vhosts/nithvalley.com/httpdocs/_mm/ct3beta/messaging/start13.php

====

By CommonSenseDesign - February 14, 2017

Hi, Ross.

Would this plugin protect against Trojan horse viruses that have already affected site files on the server?

By ross - February 15, 2017

Hi there.

The plugin itself doesn't actually do any protecting.

What the plugin does is scan every file on your server looking for any malicious code. The plugin will let you know the full path to any file that seems to be infected so you can manually clean, remove or replace the file yourself.

Specifically with a trojan, I suspect the scanner will find the original file for you so it can be deleted.

Does that make sense?

Let me know any questions.

Thanks!

-----------------------------------------------------------
Cheers,
Ross Fairbairn - Consulting
consulting@interactivetools.com

Hire me! Save time by getting our experts to help with your project.
Template changes, advanced features, full integration, whatever you
need. Whether you need one hour or fifty, get it done fast with
Priority Consulting: http://www.interactivetools.com/consulting/

By CommonSenseDesign - February 15, 2017

Ah, gotcha.

Thanks!

By celuch - August 11, 2017

I have also received several "possible malware" notices from GoDaddy in the last months, and in more than one case, it listed these files:

html/CMS/lib/login_functions.php

html/CMS/lib/menus/default/common.php

They appear to be normal files, but might there be an issue with them? They are all on older, untouched sites, one of them running V2.50.

If this is an issue I'll recommend updating the CMS on both.

Thanks!

celuch

By Dave - August 14, 2017

Hi celuch, 

Sometimes what malware does is modify the code in existing files without changing the modified date. A couple of things you could try:

Hope that helps!

Dave Edis - Senior Developer
interactivetools.com
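Two points raised in this thread lend themselves to a small worked check: Ross describes a scanner that walks every file on the server and reports the full path of anything suspicious, and Dave notes that injected code can land in existing files without the modified date changing. The script below is an added example written for this thread; it is not code from CMS Builder, from the plugin discussed above, or from interactivetools.com. It assumes you have a known-clean copy of the site (a fresh download or a pre-incident backup) and compares the live web root against it by SHA-256, so a file whose contents changed but whose timestamp was preserved is still flagged. It also lists files that exist only on the live server, and separately flags executable PHP files sitting under an upload directory, since a CMS upload folder should only hold static content. The directory name `uploads` and the file paths in the demo fixture are constructed placeholders chosen to mirror the paths in the thread.

```python
"""Baseline-integrity check for a web root (added example, not the plugin's code).

Assumption: a known-clean copy of the site tree is available. Comparison is by
content hash only; modification times are deliberately ignored because the
thread notes that injected code can leave the modified date untouched.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: directory names that should never contain server-side scripts.
UPLOAD_DIR_NAMES = {"uploads"}
# Extensions the web server would execute as PHP.
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def compare_trees(clean_root: Path, live_root: Path) -> dict[str, list[str]]:
    """Classify the live tree against the clean copy.

    modified          - same path, different content (timestamps ignored)
    added             - present only on the live server
    missing           - present only in the clean copy
    script_in_uploads - executable script located under an upload directory
    """
    clean = build_manifest(clean_root)
    live = build_manifest(live_root)
    report = {"modified": [], "added": [], "missing": [], "script_in_uploads": []}
    for rel, digest in live.items():
        if rel not in clean:
            report["added"].append(rel)
        elif clean[rel] != digest:
            report["modified"].append(rel)
        parent_dirs = set(Path(rel).parts[:-1])
        if Path(rel).suffix.lower() in SCRIPT_SUFFIXES and UPLOAD_DIR_NAMES & parent_dirs:
            report["script_in_uploads"].append(rel)
    report["missing"] = [rel for rel in clean if rel not in live]
    return report


def demo_fixture() -> tuple[dict[str, list[str]], bool]:
    """Constructed scenario: one legitimate file rewritten with its mtime preserved,
    plus a stray script dropped into the uploads tree. Returns (report, mtime_preserved)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp) / "clean", Path(tmp) / "live"
        for root in (clean, live):
            (root / "cmsAdmin" / "lib").mkdir(parents=True)
            (root / "blogDetails.php").write_text("<?php echo 'blog'; ?>\n")
            (root / "cmsAdmin" / "lib" / "login_functions.php").write_text("<?php // login helpers ?>\n")
        # Simulate an injection that changes content but copies the original timestamps back.
        original, target = clean / "blogDetails.php", live / "blogDetails.php"
        target.write_text("<?php echo 'blog'; ?>\n<?php /* constructed placeholder for injected code */ ?>\n")
        st = original.stat()
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        # Simulate an unexpected script inside a thumbnail upload folder.
        stray = live / "cmsAdmin" / "uploads" / "thumb2" / "files.php"
        stray.parent.mkdir(parents=True)
        stray.write_text("<?php /* constructed placeholder for an unexpected file */ ?>\n")
        report = compare_trees(clean, live)
        mtime_preserved = target.stat().st_mtime_ns == original.stat().st_mtime_ns
    return report, mtime_preserved


if __name__ == "__main__":
    result, preserved = demo_fixture()
    print("mtime of modified file still matches clean copy:", preserved)
    for category, paths in result.items():
        for rel in paths:
            print(f"{category}: {rel}")
```

In practice you would point `compare_trees` at the live `httpdocs` tree and at an unpacked copy of the same CMS version; anything in `modified` or `added` is what a scanner's hit list would point you at, and the `mtime_preserved` flag in the demo shows why sorting by modified date alone can miss the rewritten file.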