[Solved] Suspended Lepsgnr

[lepsgnr]

Username: lepsgnr

server:Stevie

domain: http://lepsgnr.heliohost.org

 

 

i was going to login on panel now and the page was suspended, and cant be renewed, what happened?

 

 

sorry, i put the wrong topic name.

Edited October 19, 2015 by lepsgnr

[Tjoene]

Your account was suspended for the following reason:

 

Malware. 1 file(s). Html.Exploit.CVE_2015_0072 FOUND

 

That means that there are some malware files found on your account.

 

For your safety and to protect your website from potential further corruption the account has been suspended.

 

To find the infected files we recommend making a backup of your site, download the backup file to your computer, and scan the backup using a reputable virus and malware scanner. If you're having trouble locating the offending files please ask and we can provide more information.

 

If you are you certain that it is a false-positive, we strongly encourage you to file a false positive form here: http://cgi.clamav.net/sendvirus.cgi

 

Your account should be unsuspended now, but keep in mind that this is a temporary unsuspension. You have 24 hours starting at the time of this post to clean your account of any and all malicious files or your account will be resuspended.

[lepsgnr]

what's the file?

 

one of my AV that uses 2 detection engines found nothing, im downloading clamav to search with it.

 

download the backup, scanned with clamav

 

----------- SCAN SUMMARY -----------

Known viruses: 4033245

Engine version: clamav-0.99-rc1

Scanned directories: 194

Scanned files: 1895

Infected files: 0

Data scanned: 73.17 MB

Data read: 39.76 MB (ratio 1.84:1)

Time: 75.352 sec (1 m 15 s)

 

now the page got suspended again

[wolstech]

ClamAV is what we use for detection, so if a fully updated copy is not finding anything, the malware detection might have just been a false positive.

 

The suspension you have now is for high load, not malware. I'll bet that was caused by you working on your account to fix the malware issue. You've been unsuspended again.

[lepsgnr]

ClamAV is what we use for detection, so if a fully updated copy is not finding anything, the malware detection might have just been a false positive.

 

The suspension you have now is for high load, not malware. I'll bet that was caused by you working on your account to fix the malware issue. You've been unsuspended again.

 

what was the file causing this issue??, ill delete it.

[wolstech]

The suspension reason doesn't say, so Krydos is the only one who can find that.

 

I'll escalate this for you, but it sometimes takes a few days to get an answer.

[lepsgnr]

The suspension reason doesn't say, so Krydos is the only one who can find that. I'll escalate this for you, but it sometimes takes a few days to get an answer.

 

ty wolstech

[Krydos]

The file that triggered the suspension for

Html.Exploit.CVE_2015_0072

has been removed.

 

The file that got your account suspended for high load is

/home1/lepsgnr/public_html/jogosdobotafogo.com/log/profiles.php

which still exists and is clearly malware.

[lepsgnr]

The file that triggered the suspension for

 Html.Exploit.CVE_2015_0072 

has been removed. The file that got your account suspended for high load is

 /home1/lepsgnr/public_html/jogosdobotafogo.com/log/profiles.php 

which still exists and is clearly malware.

 

that file is used by logaholic, i don't know how to make it lower the load, probably happened when i was updating stats.

[Krydos]

that file is used by logaholic

Oh wow, you're right. I compared the source on your account to the logaholic website download, and they match. I've never seen legitimate php software use such suspicious looking code before:

<?php eval(base64_decode("Ci8qIExvZ2Fob2xpYyBXZWIgQW5hbHl0aWNzIHNvZnR3YXJlICAgICAgICAgICAgIENvcHlyaWdodChjKSAyMDA1LTIwMTMgTG9nYWhvbGljIEIuVi4KICogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg... etc

I just saw that your account was suspended for high load, checked your high load logs, saw that filename, checked the contents of the file, and assumed it was malware.

[lepsgnr]

weird code, but its ok now, right?

[Krydos]

Yeah, you should be good now.

[lepsgnr]

another thing, i cant access mysql since yesterday.

[Tjoene]

Have you tried to change your password in cPanel and then remove, re-create and re-assign all the database users?

See http://www.helionet.org/index/topic/22260-stevie-mysql-fixed/

[lepsgnr]

Have you tried to change your password in cPanel and then remove, re-create and re-assign all the database users? See http://www.helionet.org/index/topic/22260-stevie-mysql-fixed/

 

no, i'll try it, ty