lepsgnr Posted October 19, 2015 (edited)

Username: lepsgnr
Server: Stevie
Domain: http://lepsgnr.heliohost.org

I was going to log in to the panel now and the page was suspended, and it can't be renewed. What happened?

Sorry, I put the wrong topic name.

Edited October 19, 2015 by lepsgnr
Tjoene Posted October 20, 2015

Your account was suspended for the following reason:

Malware. 1 file(s).
Html.Exploit.CVE_2015_0072 FOUND

That means that some malware files were found on your account. For your safety and to protect your website from potential further corruption, the account has been suspended.

To find the infected files we recommend making a backup of your site, downloading the backup file to your computer, and scanning the backup using a reputable virus and malware scanner. If you're having trouble locating the offending files, please ask and we can provide more information.

If you are certain that it is a false positive, we strongly encourage you to file a false positive form here: http://cgi.clamav.net/sendvirus.cgi

Your account should be unsuspended now, but keep in mind that this is a temporary unsuspension. You have 24 hours starting at the time of this post to clean your account of any and all malicious files, or your account will be resuspended.
lepsgnr Posted October 20, 2015 (Author)

What's the file? One of my AVs that uses 2 detection engines found nothing. I'm downloading ClamAV to search with it.

Downloaded the backup, scanned with ClamAV:

----------- SCAN SUMMARY -----------
Known viruses: 4033245
Engine version: clamav-0.99-rc1
Scanned directories: 194
Scanned files: 1895
Infected files: 0
Data scanned: 73.17 MB
Data read: 39.76 MB (ratio 1.84:1)
Time: 75.352 sec (1 m 15 s)

Now the page got suspended again.
wolstech Posted October 20, 2015

ClamAV is what we use for detection, so if a fully updated copy is not finding anything, the malware detection might have just been a false positive.

The suspension you have now is for high load, not malware. I'll bet that was caused by you working on your account to fix the malware issue. You've been unsuspended again.
lepsgnr Posted October 21, 2015 (Author)

> ClamAV is what we use for detection, so if a fully updated copy is not finding anything, the malware detection might have just been a false positive. The suspension you have now is for high load, not malware. I'll bet that was caused by you working on your account to fix the malware issue. You've been unsuspended again.

What was the file causing this issue? I'll delete it.
wolstech Posted October 21, 2015

The suspension reason doesn't say, so Krydos is the only one who can find that. I'll escalate this for you, but it sometimes takes a few days to get an answer.
lepsgnr Posted October 21, 2015 (Author)

> The suspension reason doesn't say, so Krydos is the only one who can find that. I'll escalate this for you, but it sometimes takes a few days to get an answer.

ty wolstech
Krydos Posted October 22, 2015

The file that triggered the suspension for Html.Exploit.CVE_2015_0072 has been removed. The file that got your account suspended for high load is /home1/lepsgnr/public_html/jogosdobotafogo.com/log/profiles.php, which still exists and is clearly malware.
lepsgnr Posted October 22, 2015 (Author)

> The file that triggered the suspension for Html.Exploit.CVE_2015_0072 has been removed. The file that got your account suspended for high load is /home1/lepsgnr/public_html/jogosdobotafogo.com/log/profiles.php which still exists and is clearly malware.

That file is used by Logaholic. I don't know how to make it lower the load; it probably happened when I was updating stats.
Krydos Posted October 23, 2015

> that file is used by logaholic

Oh wow, you're right. I compared the source on your account to the Logaholic website download, and they match. I've never seen legitimate PHP software use such suspicious looking code before:

<?php eval(base64_decode("Ci8qIExvZ2Fob2xpYyBXZWIgQW5hbHl0aWNzIHNvZnR3YXJlICAgICAgICAgICAgIENvcHlyaWdodChjKSAyMDA1LTIwMTMgTG9nYWhvbGljIEIuVi4KICogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg... etc

I just saw that your account was suspended for high load, checked your high load logs, saw that filename, checked the contents of the file, and assumed it was malware.
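The triage step Krydos describes (finding an eval(base64_decode(...)) wrapper and decoding it to see whether the payload is a packaged product header or something hostile) can be scripted so a site owner can check a backup before deciding on a false-positive report. The script below is an added example and is not code from the thread or from Logaholic; the sample files and the list of risky tokens are constructed for illustration and assumed to be a reasonable heuristic, not a ClamAV signature.

```python
import base64
import re

# Matches the eval(base64_decode("...")) wrapper seen in the thread.
EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']')

# Heuristic tokens that, inside a decoded blob, warrant a manual review.
RISKY = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE",
         "system(", "exec(", "shell_exec(", "passthru(", "eval(")


def decode_payload(b64):
    """Decode a base64 blob, tolerating the missing padding of a truncated copy."""
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(padded, validate=False).decode("utf-8", "replace")
    except Exception:
        return ""


def triage(files):
    """Return {path: (first decoded line, risky tokens)} for files using eval(base64_decode())."""
    report = {}
    for path, src in files.items():
        for match in EVAL_B64.finditer(src):
            decoded = decode_payload(match.group(1))
            hits = [tok for tok in RISKY if tok in decoded]
            lines = decoded.strip().splitlines()
            preview = lines[0][:80] if lines else ""
            report[path] = (preview, hits)
    return report


# Constructed sample backup (not the original account's files): a packed
# product header like the Logaholic case, a hostile blob, and a clean file.
LEGIT = "\n/* Example Analytics software  Copyright(c) 2005-2013 Example B.V.\n */\nfunction stats() { return 1; }"
HOSTILE = 'if(isset($_POST["c"])){exec($_POST["c"]);}'

def wrap(php):
    return '<?php eval(base64_decode("%s")); ?>' % base64.b64encode(php.encode()).decode()

SAMPLE_FILES = {
    "log/profiles.php": wrap(LEGIT),
    "uploads/x.php": wrap(HOSTILE),
    "index.php": '<?php echo "hello"; ?>',
}

if __name__ == "__main__":
    for path, (preview, hits) in triage(SAMPLE_FILES).items():
        print(path, "|", preview, "|", "REVIEW" if hits else "looks like packed product code", hits)
```

A file whose decoded blob starts with a vendor header and carries no risky tokens is a candidate for comparison against the vendor download, as Krydos did; one with request-superglobal and command-execution tokens is not.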
lepsgnr Posted October 24, 2015 (Author)

Another thing: I can't access MySQL since yesterday.
Tjoene Posted October 24, 2015

Have you tried to change your password in cPanel and then remove, re-create and re-assign all the database users? See http://www.helionet.org/index/topic/22260-stevie-mysql-fixed/
lepsgnr Posted October 24, 2015 (Author)

> Have you tried to change your password in cPanel and then remove, re-create and re-assign all the database users? See http://www.helionet.org/index/topic/22260-stevie-mysql-fixed/

No, I'll try it, ty.