Tony D (FPCH Staff), posted April 13, 2018:

I have a web site at GoDaddy. A couple of weeks ago, they sent me the following notice: "We recently completed a routine security checkup of our servers and platforms. Our scans flagged your hosting [...] account as containing possible malware." There were 7 files listed, all with a php extension. These files have the same names as other files on my site, but only with the php extension. For instance, I have a file called bfile0506.pdf. In the same directory, there is now a new file, that I didn't create, called bfile0506.php. Then yesterday, GoDaddy called me about this possible malware. They were trying to sell me protection. Anyway, I scanned 4 of the 11 files that GoDaddy suspected with VirusTotal. They were all clean. I didn't waste any more time scanning the rest. I then replied to GoDaddy's email asking what program they used to determine if these files were malicious and what malware they suspect they contain. It's been almost 24 hours since I sent that email. They haven't responded. Any idea how these php files got there?
AWS (FPCH Admin), posted April 13, 2018:

Open the php files with Notepad and search the file for any lines that begin with base64_decode. An example would be something like this: eval(base64_decode(long_string_of_random_characters)); If you find any, you can decode the string here to see what it is doing: Base64 Decode and Encode - Online. If you find anything like that, then the file is calling to an external server to download malware, most of the time a shell script. More than likely someone else on the server is running software that is being exploited and the server is already compromised. That would explain why files randomly showed up on your site.
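The two signs the thread describes, an eval(base64_decode(...)) body and a .php file appearing next to a same-named non-PHP file, can be checked across a whole site directory in one pass. The scanner below is an added example written for this page, not code from the forum or from GoDaddy; the file names and the base64 payload it builds are constructed for the demo.

```python
# Flag PHP files that look like dropped loaders: eval(base64_decode(...)) bodies,
# and .php files shadowing a non-PHP file of the same basename (the thread's symptom).
import base64
import os
import re
import tempfile

# eval()/assert() fed by base64_decode(), allowing gzinflate/str_rot13 wrappers.
OBFUSCATED_EVAL = re.compile(
    r"\b(?:eval|assert)\s*\(\s*(?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)*"
    r"base64_decode\s*\(", re.IGNORECASE)
B64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")

def decode_payloads(text):
    """Return the decoded literals handed to base64_decode('...'), for triage."""
    return [base64.b64decode("".join(m.group(1).split())).decode("utf-8", "replace")
            for m in B64_ARG.finditer(text)]

def scan_dir(root):
    """Return sorted (relative path, reasons) pairs for suspicious PHP files."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            reasons = []
            stem = os.path.splitext(name)[0]
            if any(n != name and os.path.splitext(n)[0] == stem for n in names):
                reasons.append("shadows a non-PHP file with the same basename")
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if OBFUSCATED_EVAL.search(fh.read()):
                    reasons.append("eval(base64_decode(...)) pattern")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def demo():
    # Constructed directory mirroring the thread's layout: bfile0506.pdf + bfile0506.php
    root = tempfile.mkdtemp()
    payload = base64.b64encode(b'echo "constructed sample";').decode()
    with open(os.path.join(root, "bfile0506.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed placeholder")
    with open(os.path.join(root, "bfile0506.php"), "w") as fh:
        fh.write('<?php eval(base64_decode("%s")); ?>' % payload)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'legitimate page'; ?>")
    return scan_dir(root)
```

The basename check is a heuristic and will also flag innocuous pairs such as index.php beside index.html, so treat hits as files to read, not files to delete; decode_payloads only recovers literal strings, so a loader that builds its argument at runtime still needs manual review.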
starbuck, posted April 13, 2018:

There does seem to be quite a bit of this going on at Go Daddy.....

Got an email about malware, but can't locate the files in File Manager
GoDaddy flagged for malware
GoDaddy Email Scam
Go Daddy Flagged My Site for Malware
Tony D (FPCH Staff), posted April 13, 2018:

Thanks, I'm going to check a file or two out with that base64_decode. Wouldn't VirusTotal have found something malicious, if there were anything, in these php files?
Tony D (FPCH Staff), posted April 13, 2018:

I tried the base64_decode. Not getting any results. AWS, can I send you one of the files to look at? They are all 6 KB.
AWS (FPCH Admin), posted April 14, 2018:

Yes, attach a zip with the file in it. If you scan them, the virus scanner will not pick them up as infected because the files themselves are not a virus. Nothing in them triggers the scanner. Once they download and deliver the payload, then the virus scanners will pick it up.