lepsgnr, posted October 19, 2015 (edited)

Username: lepsgnr
Server: Stevie
Domain: http://lepsgnr.heliohost.org

I was going to log in to the panel now and the page was suspended, and it can't be renewed. What happened? Sorry, I put the wrong topic name.

Edited October 19, 2015 by lepsgnr
Tjoene, posted October 20, 2015

Your account was suspended for the following reason:

Malware. 1 file(s). Html.Exploit.CVE_2015_0072 FOUND

That means that there are some malware files found on your account. For your safety and to protect your website from potential further corruption, the account has been suspended. To find the infected files we recommend making a backup of your site, downloading the backup file to your computer, and scanning the backup using a reputable virus and malware scanner. If you're having trouble locating the offending files, please ask and we can provide more information. If you are certain that it is a false positive, we strongly encourage you to file a false positive form here: http://cgi.clamav.net/sendvirus.cgi

Your account should be unsuspended now, but keep in mind that this is a temporary unsuspension. You have 24 hours starting at the time of this post to clean your account of any and all malicious files or your account will be resuspended.
lepsgnr (author), posted October 20, 2015

What's the file? One of my AVs, which uses 2 detection engines, found nothing. I'm downloading ClamAV to search with it.

Downloaded the backup, scanned with ClamAV:

----------- SCAN SUMMARY -----------
Known viruses: 4033245
Engine version: clamav-0.99-rc1
Scanned directories: 194
Scanned files: 1895
Infected files: 0
Data scanned: 73.17 MB
Data read: 39.76 MB (ratio 1.84:1)
Time: 75.352 sec (1 m 15 s)

Now the page got suspended again.
wolstech, posted October 20, 2015

ClamAV is what we use for detection, so if a fully updated copy is not finding anything, the malware detection might have just been a false positive. The suspension you have now is for high load, not malware. I'll bet that was caused by you working on your account to fix the malware issue. You've been unsuspended again.
lepsgnr (author), posted October 21, 2015

> ClamAV is what we use for detection, so if a fully updated copy is not finding anything, the malware detection might have just been a false positive. The suspension you have now is for high load, not malware. I'll bet that was caused by you working on your account to fix the malware issue. You've been unsuspended again.

What was the file causing this issue? I'll delete it.
wolstech, posted October 21, 2015

The suspension reason doesn't say, so Krydos is the only one who can find that. I'll escalate this for you, but it sometimes takes a few days to get an answer.
lepsgnr (author), posted October 21, 2015

> The suspension reason doesn't say, so Krydos is the only one who can find that. I'll escalate this for you, but it sometimes takes a few days to get an answer.

ty wolstech
Krydos, posted October 22, 2015

The file that triggered the suspension for Html.Exploit.CVE_2015_0072 has been removed. The file that got your account suspended for high load is /home1/lepsgnr/public_html/jogosdobotafogo.com/log/profiles.php which still exists and is clearly malware.
lepsgnr (author), posted October 22, 2015

> The file that triggered the suspension for Html.Exploit.CVE_2015_0072 has been removed. The file that got your account suspended for high load is /home1/lepsgnr/public_html/jogosdobotafogo.com/log/profiles.php which still exists and is clearly malware.

That file is used by Logaholic. I don't know how to make it lower the load; it probably happened when I was updating stats.
Krydos, posted October 23, 2015

> that file is used by logaholic

Oh wow, you're right. I compared the source on your account to the logaholic website download, and they match. I've never seen legitimate php software use such suspicious looking code before:

<?php eval(base64_decode("Ci8qIExvZ2Fob2xpYyBXZWIgQW5hbHl0aWNzIHNvZnR3YXJlICAgICAgICAgICAgIENvcHlyaWdodChjKSAyMDA1LTIwMTMgTG9nYWhvbGljIEIuVi4KICogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg... etc

I just saw that your account was suspended for high load, checked your high load logs, saw that filename, checked the contents of the file, and assumed it was malware.
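A defender-side triage helper for the pattern Krydos quotes, added here as an example; it is not code from this thread, from Logaholic or from HelioHost. It assumes you have downloaded a backup and extracted it to a local directory, as Tjoene suggested earlier in the thread. It walks that directory, finds every eval(base64_decode("...")) call in PHP files, decodes the argument and gives a crude verdict, so that the legitimate case (a base64-wrapped copyright banner, which is what the Logaholic file turned out to be) can be told apart from decoded code that reads request input or runs commands. The sample PHP files, their names and the token list are constructed for this example.

```python
import base64
import re
from pathlib import Path

# Heuristic for the pattern quoted in the thread: eval(base64_decode("...")) with either quote style.
# Constructed for this example; real obfuscation varies (gzinflate, str_rot13, concatenation),
# so a miss means "not checked", not "clean".
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)

# Tokens whose presence in the decoded payload warrants a human look before the file goes back live.
# Constructed list; extend it for your own environment.
SUSPICIOUS_TOKENS = ("$_POST", "$_GET", "$_REQUEST", "$_COOKIE",
                     "system(", "shell_exec(", "passthru(", "exec(")


def decode_payload(b64: str) -> str:
    """Decode the base64 argument, tolerating embedded whitespace and missing '=' padding.
    Returns '' when the data is not valid base64, so the caller still reports the match."""
    cleaned = re.sub(r"\s+", "", b64)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def classify(decoded: str) -> str:
    """Crude triage of a decoded payload.
    'comment-header': starts with a PHP comment, like the Logaholic copyright banner in the thread.
    'suspicious':     reads request input or runs commands; review before unsuspending.
    'review':         anything else, including data that did not decode."""
    head = decoded.lstrip()
    if head.startswith("/*") or head.startswith("//") or head.startswith("#"):
        return "comment-header"
    if any(tok in decoded for tok in SUSPICIOUS_TOKENS):
        return "suspicious"
    return "review"


def find_encoded_evals(source: str):
    """Return [(offset, verdict, first 60 chars of decoded payload)] for each match in a PHP source."""
    findings = []
    for m in EVAL_B64.finditer(source):
        decoded = decode_payload(m.group(2))
        findings.append((m.start(), classify(decoded), decoded[:60]))
    return findings


def scan_tree(root: Path):
    """Walk an extracted backup and report every PHP file containing an encoded eval."""
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = find_encoded_evals(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# ---- constructed samples (not files from the thread) ----
def _php_eval(payload: str) -> str:
    enc = base64.b64encode(payload.encode()).decode()
    return f'<?php eval(base64_decode("{enc}")); ?>\n'

SAMPLE_BENIGN = _php_eval("\n/* Example Analytics software   Copyright(c) 2005-2013 Example B.V. */\necho 'ok';")
SAMPLE_SUSPICIOUS = _php_eval('$c = $_POST["c"]; // constructed marker only')
SAMPLE_PLAIN = "<?php echo 'no obfuscation here'; ?>\n"

if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])            # path to the extracted backup
    else:
        # No backup path given: write the constructed samples to a temp dir and scan that instead.
        root = Path(tempfile.mkdtemp())
        (root / "stats").mkdir()
        (root / "stats" / "banner.php").write_text(SAMPLE_BENIGN)
        (root / "uploads.php").write_text(SAMPLE_SUSPICIOUS)
        (root / "index.php").write_text(SAMPLE_PLAIN)
    for rel, hits in scan_tree(root).items():
        for offset, verdict, preview in hits:
            print(f"{rel}:{offset}: {verdict:15} {preview!r}")
```

Run it as `python3 triage.py /path/to/extracted/backup`; with no argument it scans the constructed samples. The verdict is only a sorting aid: a "comment-header" hit such as the Logaholic banner still deserves a glance at the rest of the decoded text, and a file that matches nothing may simply use a different obfuscation, which is why ClamAV (or another scanner) remains the first pass and this is a second one.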
lepsgnr (author), posted October 23, 2015

Weird code, but it's ok now, right?
Krydos, posted October 23, 2015

Yeah, you should be good now.
lepsgnr (author), posted October 24, 2015

Another thing: I can't access MySQL since yesterday.
Tjoene, posted October 24, 2015

Have you tried to change your password in cPanel and then remove, re-create and re-assign all the database users? See http://www.helionet.org/index/topic/22260-stevie-mysql-fixed/
lepsgnr (author), posted October 24, 2015

> Have you tried to change your password in cPanel and then remove, re-create and re-assign all the database users? See http://www.helionet.org/index/topic/22260-stevie-mysql-fixed/

No, I'll try it, ty.