  1. #1

    Infected files not being detected by maldet?

    Hi, I have identified lots of malicious/suspicious files on one of my clients' VPS. They all have similar content:

    PHP Code:
    <?php
    $urls = array (
        'http://green-coffees-fatsolution.com/?11/33',
    );
    $n = mt_rand(0, count($urls) - 1);   // pick one of the URLs at random
    $rand_url = $urls[$n];
    ?>
    <meta http-equiv="refresh" content="1; url=<?php echo $rand_url; ?>">


    PHP Code:
    <?php
    $urls = array (
        'http://green-coffees-fastfatloss.com/?11/9',
    );
    $n = mt_rand(0, count($urls) - 1);   // pick one of the URLs at random
    $rand_url = $urls[$n];
    ?>
    <meta http-equiv="refresh" content="1; url=<?php echo $rand_url; ?>">
    There are almost 1,000 files with different names and almost the same content. To clean the server, I installed maldet and ran the "maldet -a" command for the entire /home directory. The results were:

    Infected Files: 0  Cleaned Files: 0  Total hits: 0  Scanned files: 235,554


    Maldet is not detecting this as malware / a hit, so I don't know how to remove that kind of file from the server.


    Thanks!

  2. #2
    First, upload to RX so that they can add to the rules.

    Second, you'll need to find the files that have that content and delete them. You can try via "find . -exec grep -q 'green-coffees-fatsolution' '{}' \; -delete". Or find the files with the content, list them in a file, and loop through via a shell script. The second method is best as it gives a list of files that you can review first.
    -Steven | u2-web, LLC - Clustered Shared Hosting
    "It is the mark of an educated mind to be able to entertain a thought without accepting it" -Aristotle

  3. #3
    A few days ago an account under my shared hosting was infected by malware, and I ran maldet and clamav; unfortunately maldet and clamav didn't detect any malware. Then I downloaded all the files to my computer and scanned them with Windows Defender; the alert showed that all footer.php files in all themes were infected with iframe malware.
    So I think Windows Defender is much better than maldet.

  4. #4
    There are times when Windows Defender doesn't help, for example JavaScript malware generated from SQL data.

  5. #5
    Quote Originally Posted by steven99
    First, upload to RX so that they can add to the rules.

    Second, you'll need to find the files that have that content and delete them. You can try via "find . -exec grep -q 'green-coffees-fatsolution' '{}' \; -delete". Or find the files with the content, list them in a file, and loop through via a shell script. The second method is best as it gives a list of files that you can review first.
    I suggest moving the files to another, non-publicly-accessible location before deleting them, just in case the client doesn't have a copy of the original (non-infected) file.
    HalfDedi.com Half Dedicated Half Price
    We provide affordable VPS hosting solution Singapore datacenter

  6. #6
    Steven99's suggestion would work best.

    Part of the reason why maldet is not detecting them: intelligent, simple code.



    PHP Code:
    <?php
    $urls = array (
    '----green-coffees-fatsolution--com/?11/33',
    );

    PHP Code:
    <?php
    $urls = array (
    '----green-coffees-fastfatloss----com/?11/9',
    );

    That is just regular code that you could find on any site. If the code were encrypted, like eval code or iframes, then it would have spotted it easily.

    Also check .htaccess files. In some cases, when the issue is this large, almost everything needs to be analyzed (.htaccess, user/pass info, database, etc.).
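Pulling the advice from posts #2, #5 and #6 into one script, as an added example (this is not code from the thread and not part of maldet): it grep-lists candidate files for review before touching anything, moves rather than deletes them into a directory outside every document root while preserving their relative paths, and flags .htaccess rules that redirect off-site. The sample account tree, the quarantine location and both grep patterns are constructed assumptions for the demo; the indicator matches the shape of the injected file (the meta refresh echoing $rand_url) rather than one domain, so the other variants from post #1 are caught too.

```shell
#!/bin/sh
# Added example, not code from the thread or from maldet: the "list first,
# then act" cleanup from posts #2 and #5, plus the .htaccess check from
# post #6. The sample account tree, the quarantine location and both grep
# patterns are constructed assumptions for the demo.
set -u

# Match the shape of the injected file rather than one domain: every sample
# in the thread ends with the same meta refresh that echoes $rand_url.
INDICATOR='http-equiv="refresh" content="[0-9]+; url=<\?php echo +\$rand_url'

# .htaccess directives whose target is an absolute http(s) URL (off-site).
HTACCESS_INDICATOR='^[[:space:]]*(Redirect(Match)?|RewriteRule)[[:space:]].*https?://'

# Fake /home with three injected files, one clean file that also uses a
# meta refresh, and two .htaccess files, one of which redirects off-site.
build_sample_tree() {
    site=$1/client1/public_html
    mkdir -p "$site/wp-content/uploads" "$site/images"
    for f in "$site/wp-content/uploads/dkjf93.php" "$site/images/x7a.php" "$site/ab12.html"; do
        cat > "$f" <<'EOF'
<?php
$urls = array (
'http://green-coffees-fatsolution.com/?11/33',
);
$n = mt_rand(0,count($urls) - 1);
$rand_url = $urls[$n];
?>
<meta http-equiv="refresh" content="1; url=<?php echo  $rand_url;?> ">
EOF
    done
    printf '<?php $to = "/login.php"; ?>\n<meta http-equiv="refresh" content="5; url=<?php echo $to;?>">\n' \
        > "$site/index.php"
    printf 'RewriteEngine On\nRewriteRule ^old/(.*)$ /new/$1 [R=301,L]\n' > "$site/.htaccess"
    printf 'RewriteEngine On\nRewriteCond %%{HTTP_USER_AGENT} (google|bing) [NC]\nRewriteRule .* http://green-coffees-fastfatloss.com/ [R=302,L]\n' \
        > "$site/images/.htaccess"
}

# Post #2, second method: write the candidates to a file for review and
# print how many there are. Nothing is modified here.
list_suspects() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -lE "$INDICATOR" {} + > "$2" 2>/dev/null || true
    wc -l < "$2" | tr -d ' '
}

# Post #6: .htaccess rules that send visitors off-site, printed as file:line:rule.
check_htaccess() {
    find "$1" -type f -name .htaccess -exec grep -HnE "$HTACCESS_INDICATOR" {} + 2>/dev/null || true
}

# Post #5: move instead of delete. The relative path is kept under $2, which
# must sit outside every document root, so a false positive can be put back.
quarantine_from_list() {
    mkdir -p "$2" && chmod 700 "$2"
    moved=0
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        rel=${path#/}
        mkdir -p "$2/$(dirname "$rel")"
        mv -- "$path" "$2/$rel"
        printf '%s\t%s\n' "$path" "$2/$rel" >> "$2/MANIFEST"
        moved=$((moved + 1))
    done < "$1"
    echo "$moved"
}

# Stand-alone demo on a temporary tree; on a real server point the functions
# at /home and a quarantine dir such as /root/quarantine (assumed path).
demo() {
    work=$(mktemp -d)
    build_sample_tree "$work/home"
    n=$(list_suspects "$work/home" "$work/suspects.txt")
    echo "$n candidate file(s) listed in $work/suspects.txt, review before moving:"
    cat "$work/suspects.txt"
    echo "off-site .htaccess rules:"
    check_htaccess "$work/home"
    echo "moved $(quarantine_from_list "$work/suspects.txt" "$work/quarantine") file(s), see $work/quarantine/MANIFEST"
    rm -rf "$work"
}
demo
```

On a live server, run list_suspects against /home, read the list (the clean index.php in the demo shows why: a same-site meta refresh is legitimate and must not match), then quarantine_from_list into a mode-700 directory outside any public_html; the MANIFEST records where each file came from so a wrongly matched file can be moved back. The .htaccess hits still need to be fixed by hand, since a rule that only redirects search-engine user agents will not show up when you test the site in a browser.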

  7. #7
    Is ClamAV installed on the system? If so, Maldet will use the ClamAV definitions as part of its scanning to improve detection ratios. It also drastically improves scan times when using Maldet with ClamAV.

  8. #8
    Make sure that maldet and clamscan are updated versions, so that the virus DB is up to date.
