Author Topic: Server infected with Virus  (Read 3436 times)


Offline sandipcd

  • Senior Member
  • *
  • Posts: 165
  • Karma: +0/-0
Server infected with Virus
« on: 2017-07-20, 17:07:09 »
My server IP and domain name got blacklisted in Spamhaus - https://www.spamhaus.org/query/ip/163.172.104.28
https://www.spamhaus.org/query/domain/hostingultraso.com

I have not sent any bulk email, but it has got blacklisted.

So, has this server been infected with a virus or malware that is operating a botnet? How can I check this?


Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,382
  • Karma: +115/-9
  • Gender: Male
Re: Server infected with Virus
« Reply #1 on: 2017-07-20, 17:19:28 »
Quote
My server IP and domain name got blacklisted in Spamhaus - https://www.spamhaus.org/query/ip/163.172.104.28
https://www.spamhaus.org/query/domain/hostingultraso.com

I have not sent any bulk email, but it has got blacklisted.

So, has this server been infected with a virus or malware that is operating a botnet? How can I check this?

Check the php/php-fpm and maillog logs in 'log manager'. Also check 'mail queue'.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline sandipcd

  • Senior Member
  • *
  • Posts: 165
  • Karma: +0/-0
Re: Server infected with Virus
« Reply #2 on: 2017-07-20, 18:05:11 »
Quote
Check the php/php-fpm and maillog logs in 'log manager'. Also check 'mail queue'.

In php-fpm in 'log manager', I have found this in /var/log/php-fpm/slow.log -

Code:
[16-Jul-2017 04:00:37]  [pool php-hostingultraso123] pid 29263
script_filename = /home/hostingultraso123/hostingultraso/cron.php
[0x00007f535c664f10] usleep() /home/hostingultraso123/hostingultraso/sites/all/modules/contrib/httprl/httprl.module:1606
[0x00007f535c660c50] httprl_send_request() /home/hostingultraso123/hostingultraso/sites/all/modules/contrib/boost/boost_crawler/boost_crawler.module:72
[0x00007fffea778880] boost_crawler_run() unknown:0
[0x00007f535c6609a0] call_user_func() /home/hostingultraso123/hostingultraso/includes/common.inc:5444
[0x00007f535c65ffb0] drupal_cron_run() /home/hostingultraso123/hostingultraso/cron.php:25

[17-Jul-2017 04:00:35]  [pool php-hostingultraso123] pid 4437
script_filename = /home/hostingultraso123/hostingultraso/cron.php
[0x00007f7b81ecff10] usleep() /home/hostingultraso123/hostingultraso/sites/all/modules/contrib/httprl/httprl.module:1606
[0x00007f7b81ecbc50] httprl_send_request() /home/hostingultraso123/hostingultraso/sites/all/modules/contrib/boost/boost_crawler/boost_crawler.module:72
[0x00007ffcf05b72b0] boost_crawler_run() unknown:0
[0x00007f7b81ecb9a0] call_user_func() /home/hostingultraso123/hostingultraso/includes/common.inc:5444
[0x00007f7b81ecafb0] drupal_cron_run() /home/hostingultraso123/hostingultraso/cron.php:25

[17-Jul-2017 05:00:36]  [pool php-hostingultraso123] pid 5870
script_filename = /home/hostingultraso123/hostingultraso-support/cron.php
[0x00007f7b81ecff08] usleep() /home/hostingultraso123/hostingultraso-support/sites/all/modules/contrib/httprl/httprl.module:1606
[0x00007f7b81ecbc48] httprl_send_request() /home/hostingultraso123/hostingultraso-support/sites/all/modules/contrib/boost/boost_crawler/boost_crawler.module:72
[0x00007ffcf05b72b0] boost_crawler_run() unknown:0
[0x00007f7b81ecb998] call_user_func() /home/hostingultraso123/hostingultraso-support/includes/common.inc:5444
[0x00007f7b81ecafa8] drupal_cron_run() /home/hostingultraso123/hostingultraso-support/cron.php:25

[18-Jul-2017 04:00:37]  [pool php-hostingultraso123] pid 31110
script_filename = /home/hostingultraso123/hostingultraso/cron.php
[0x00007f7bd668bef0] usleep() /home/hostingultraso123/hostingultraso/sites/all/modules/contrib/httprl/httprl.module:1606
[0x00007f7bd6687c30] httprl_send_request() /home/hostingultraso123/hostingultraso/sites/all/modules/contrib/boost/boost_crawler/boost_crawler.module:72
[0x00007ffc7ab49040] boost_crawler_run() unknown:0
[0x00007f7bd6687980] call_user_func() /home/hostingultraso123/hostingultraso/includes/common.inc:5444
[0x00007f7bd6686f90] drupal_cron_run() /home/hostingultraso123/hostingultraso/cron.php:25

[19-Jul-2017 04:00:38]  [pool php-hostingultraso123] pid 647
script_filename = /home/hostingultraso123/hostingultraso/cron.php
[0x00007f8a5c875f10] usleep() /home/hostingultraso123/hostingultraso/sites/all/modules/contrib/httprl/httprl.module:1606
[0x00007f8a5c871c50] httprl_send_request() /home/hostingultraso123/hostingultraso/sites/all/modules/contrib/boost/boost_crawler/boost_crawler.module:72
[0x00007ffe1b725630] boost_crawler_run() unknown:0
[0x00007f8a5c8719a0] call_user_func() /home/hostingultraso123/hostingultraso/includes/common.inc:5444
[0x00007f8a5c870fb0] drupal_cron_run() /home/hostingultraso123/hostingultraso/cron.php:25

[20-Jul-2017 04:00:32]  [pool php-hostingultraso123] pid 28649
script_filename = /home/hostingultraso123/hostingultraso/cron.php
[0x00007f6ca6e5cf10] usleep() /home/hostingultraso123/hostingultraso/sites/all/modules/contrib/httprl/httprl.module:1606
[0x00007f6ca6e58c50] httprl_send_request() /home/hostingultraso123/hostingultraso/sites/all/modules/contrib/boost/boost_crawler/boost_crawler.module:72
[0x00007ffc41f22f70] boost_crawler_run() unknown:0
[0x00007f6ca6e589a0] call_user_func() /home/hostingultraso123/hostingultraso/includes/common.inc:5444
[0x00007f6ca6e57fb0] drupal_cron_run() /home/hostingultraso123/hostingultraso/cron.php:25

[20-Jul-2017 05:00:33]  [pool php-hostingultraso123] pid 30073
script_filename = /home/hostingultraso123/hostingultraso-support/cron.php
[0x00007f6ca6e5cf08] usleep() /home/hostingultraso123/hostingultraso-support/sites/all/modules/contrib/httprl/httprl.module:1606
[0x00007f6ca6e58c48] httprl_send_request() /home/hostingultraso123/hostingultraso-support/sites/all/modules/contrib/boost/boost_crawler/boost_crawler.module:72
[0x00007ffc41f22f70] boost_crawler_run() unknown:0
[0x00007f6ca6e58998] call_user_func() /home/hostingultraso123/hostingultraso-support/includes/common.inc:5444
[0x00007f6ca6e57fa8] drupal_cron_run() /home/hostingultraso123/hostingultraso-support/cron.php:25

In maillog in 'log manager', I have not found any files.

In 'mail queue', 3 emails are in the queue and they have not been delivered till now.

Should I install ClamAV antivirus on this server (CentOS 6.9)? If I install it and scan the server, will it solve the problem?


Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,382
  • Karma: +115/-9
  • Gender: Male
Re: Server infected with Virus
« Reply #3 on: 2017-07-20, 18:45:35 »
Check the old maillog also.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline sandipcd

  • Senior Member
  • *
  • Posts: 165
  • Karma: +0/-0
Re: Server infected with Virus
« Reply #4 on: 2017-07-20, 19:13:16 »
Quote
Check the old maillog also.

From where is it possible to check the old maillog?

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,382
  • Karma: +115/-9
  • Gender: Male
Re: Server infected with Virus
« Reply #5 on: 2017-07-20, 19:35:31 »
Click 'mail log > var > log > select maillog.*'
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --
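The advice in Replies #1, #3 and #5 is to read the maillog; the thing worth pulling out of it is which local uid injected the messages, because a website sending spam shows up as a flood of messages from the site account's uid rather than from a mail user. The following POSIX sh script is an added example, not code from the thread or from Kloxo-MR. The sample log lines are constructed: the "info msg N: bytes B from <sender> qp PID uid UID" shape is qmail-send's own log line, but that Kloxo-MR's maillog carries these lines, the hostname s1, the senders and the uids 89 and 1001 are all assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of qmail-send lines as they would appear in a syslog-fed maillog
# (assumption: Kloxo-MR's maillog contains qmail-send's "info msg" lines in this form).
SAMPLE_MAILLOG='Jul 20 04:00:01 s1 qmail: 1500523201.101 info msg 3001: bytes 2311 from <sales@hostingultraso.com> qp 29301 uid 89
Jul 20 04:00:02 s1 qmail: 1500523202.113 info msg 3002: bytes 1984 from <noreply@hostingultraso.com> qp 29310 uid 1001
Jul 20 04:00:02 s1 qmail: 1500523202.650 info msg 3003: bytes 1984 from <noreply@hostingultraso.com> qp 29311 uid 1001
Jul 20 04:00:03 s1 qmail: 1500523203.211 info msg 3004: bytes 1984 from <noreply@hostingultraso.com> qp 29314 uid 1001
Jul 20 04:00:03 s1 qmail: 1500523203.800 info msg 3005: bytes 1984 from <noreply@hostingultraso.com> qp 29315 uid 1001
Jul 20 04:01:09 s1 qmail: 1500523269.004 info msg 3006: bytes 5402 from <support@hostingultraso.com> qp 29402 uid 89
Jul 20 04:01:10 s1 qmail: 1500523270.222 delivery 3001: success: did_0+0+1/
Jul 20 04:02:00 s1 qmail: 1500523320.000 info msg 3007: bytes 1984 from <noreply@hostingultraso.com> qp 29520 uid 1001'

# senders_by_uid: read a maillog on stdin and print "count uid sender" per
# injecting uid/sender pair, busiest first. Only queue-injection lines count;
# delivery lines are ignored, so each message is counted once.
senders_by_uid() {
  awk '
    / info msg [0-9]+: bytes / {
      for (i = 1; i <= NF; i++) {
        if ($i == "from") sender = $(i + 1)
        if ($i == "uid")  uid = $(i + 1)
      }
      n[uid " " sender]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# top_sender_uid: the uid that injected the most messages in the sample
top_sender_uid() {
  printf '%s\n' "$SAMPLE_MAILLOG" | senders_by_uid | awk 'NR == 1 { print $2 }'
}

# count_for_uid UID: number of messages injected by UID in the sample
count_for_uid() {
  printf '%s\n' "$SAMPLE_MAILLOG" | senders_by_uid | awk -v u="$1" '$2 == u { s += $1 } END { print s + 0 }'
}

# Stand-alone run: show the table, then the busiest uid.
printf '%s\n' "$SAMPLE_MAILLOG" | senders_by_uid
echo "busiest uid: $(top_sender_uid)"
```

On a real server the script is fed with `cat /var/log/maillog* | senders_by_uid`, and the uid is resolved with `awk -F: -v u=UID '$3 == u' /etc/passwd`; when it resolves to a hosting account such as hostingultraso123, that account's web code is the sender, which is exactly what the "send mail to bans" step in Reply #7 cuts off while the files are cleaned.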

Offline sandipcd

  • Senior Member
  • *
  • Posts: 165
  • Karma: +0/-0
Re: Server infected with Virus
« Reply #6 on: 2017-07-20, 19:36:12 »
I have installed ClamAV and scanned the server files. The summary is listed below -

----------- SCAN SUMMARY -----------
Known viruses: 6301436
Engine version: 0.99.2
Scanned directories: 71990
Scanned files: 407195
Infected files: 63
Total errors: 11362
Data scanned: 27797.09 MB
Data read: 26115.20 MB (ratio 1.06:1)
Time: 867.887 sec (14 m 27 s)

It is showing 63 infected files and 11362 errors. So, how should I now see only the infected files and remove them?

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,382
  • Karma: +115/-9
  • Gender: Male
Re: Server infected with Virus
« Reply #7 on: 2017-07-21, 01:13:00 »
Before the cleanup process, better ban/disable send mail by adding '/home/hostingultraso123' in 'admin > clients > hostingultraso123 > send mail to bans'. It makes the hostingultraso123 user unable to send mail.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline sandipcd

  • Senior Member
  • *
  • Posts: 165
  • Karma: +0/-0
Re: Server infected with Virus
« Reply #8 on: 2017-07-21, 06:52:11 »
I have installed ClamAV and run the command to list only the infected files. Below are the files I have found.

Code:
[root@s1 ~]# clamscan -r --bell -i /
/maldet-clean.tgz: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/maldet-sigpack.tgz: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/99d66/pyuim.zip: {HEX}php.exe.globals.406.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/99d66/alopr/new.php: {HEX}php.exe.globals.406.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/install.php: {HEX}php.generic.malware.441.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/modules/rdf/javascript.php: {HEX}php.generic.malware.440.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/modules/aggregator/aggregator-item.tpl.php: {HEX}php.generic.malware.441.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/modules/search/search-result.tpl.php: {HEX}php.generic.malware.441.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/modules/field/modules/text/xml.php: {HEX}php.base64.v23au.186.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/modules/field/modules/field_sql_storage/help22.php: {HEX}php.generic.malware.440.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/427a/pyuim.zip: {HEX}php.exe.globals.406.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/427a/alopr/new.php: {HEX}php.exe.globals.406.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/themes/acquia/sonoma/images/inc23.php: {HEX}php.generic.malware.440.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/themes/acquia/kenwood/forum-list.tpl.php: {HEX}php.generic.malware.441.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/themes/acquia/sparks/node.tpl.php: {HEX}php.generic.malware.441.UNOFFICIAL FOUND
/home/lxadmin/mail/domains/hostingultraso.com/sales/Maildir/cur/1494692636.M528884P1895V0000000000000901I0000000000EC0732_0.s1.ultracorporatepixel.com,S=3075:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/sales/Maildir/cur/1494716999.M463319P9467V0000000000000901I0000000000EC0743_0.s1.ultracorporatepixel.com,S=2936:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/sales/Maildir/cur/1494640444.M807937P16499V0000000000000901I0000000000EC0725_0.s1.ultracorporatepixel.com,S=3144:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/sales/Maildir/cur/1494543767.M906155P17385V0000000000000901I0000000000EC06F2_0.s1.ultracorporatepixel.com,S=3011:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/sales/Maildir/cur/1494729613.M730256P20264V0000000000000901I0000000000EC074F_0.s1.ultracorporatepixel.com,S=2994:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/abuse/Maildir/new/1494693503.M87221P2421V0000000000000901I0000000000EC0735_0.s1.ultracorporatepixel.com,S=2958: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/abuse/Maildir/new/1494732271.M391746P23169V0000000000000901I0000000000EC0751_0.s1.ultracorporatepixel.com,S=3026: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/abuse/Maildir/new/1494641343.M515975P17018V0000000000000901I0000000000EC0728_0.s1.ultracorporatepixel.com,S=2935: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/abuse/Maildir/new/1494717711.M179728P10111V0000000000000901I0000000000EC0745_0.s1.ultracorporatepixel.com,S=2984: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/abuse/Maildir/new/1500150780.M128569P26240V0000000000000901I0000000000EC0FA3_0.s1.ultracorporatepixel.com,S=238690: Doc.Macro.Obfuscation-6332451-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/billing/Maildir/new/1494692004.M93618P1524V0000000000000901I0000000000EC0730_0.s1.ultracorporatepixel.com,S=3151: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/billing/Maildir/new/1494543140.M599919P17065V0000000000000901I0000000000EC06EF_0.s1.ultracorporatepixel.com,S=2911: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/billing/Maildir/new/1494639664.M84673P16217V0000000000000901I0000000000EC0723_0.s1.ultracorporatepixel.com,S=3029: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/billing/Maildir/new/1494727636.M908834P18865V0000000000000901I0000000000EC074B_0.s1.ultracorporatepixel.com,S=2909: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/billing/Maildir/new/1494716262.M742018P9205V0000000000000901I0000000000EC0741_0.s1.ultracorporatepixel.com,S=2991: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/billing/Maildir/new/1500363452.M703766P10412V0000000000000901I0000000000EC0FD8_0.s1.ultracorporatepixel.com,S=236001: Doc.Macro.Obfuscation-6332451-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/support/Maildir/new/1494693796.M10821P2637V0000000000000901I0000000000EC0737_0.s1.ultracorporatepixel.com,S=3016: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/support/Maildir/new/1498304246.M863445P14946V0000000000000901I0000000000EC0D73_0.s1.ultracorporatepixel.com,S=390801: Doc.Macro.Obfuscation-6331107-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/support/Maildir/new/1494545085.M120035P17801V0000000000000901I0000000000EC06F4_0.s1.ultracorporatepixel.com,S=3023: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/support/Maildir/new/1494641593.M580073P17176V0000000000000901I0000000000EC072A_0.s1.ultracorporatepixel.com,S=3049: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/datacenter/Maildir/cur/1494717937.M417747P10316V0000000000000901I0000000000EC0747_0.s1.ultracorporatepixel.com,S=2864:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/datacenter/Maildir/cur/1494418388.M372813P25518V0000000000000901I0000000000EC0696_0.s1.ultracorporatepixel.com,S=41209:2,: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/lxadmin/mail/domains/hostingultraso.com/datacenter/Maildir/cur/1494072881.M103326P18118V0000000000000901I0000000000EC067B_0.s1.ultracorporatepixel.com,S=58251:2,: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/lxadmin/mail/domains/hostingultraso.com/datacenter/Maildir/cur/1494545118.M720915P17930V0000000000000901I0000000000EC06F6_0.s1.ultracorporatepixel.com,S=3017:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/datacenter/Maildir/cur/1494732955.M716858P23619V0000000000000901I0000000000EC0753_0.s1.ultracorporatepixel.com,S=2979:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/datacenter/Maildir/new/1500507152.M368702P30302V0000000000000901I0000000000EC1000_0.s1.ultracorporatepixel.com,S=243719: Doc.Macro.Obfuscation-6332451-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494388984.M228082P13300V0000000000000901I0000000000EC0694_0.s1.ultracorporatepixel.com,S=186954:2,S: Doc.Macro.Obfuscation-6329909-1 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1496316679.M805018P10559V0000000000000901I0000000000EC0A35_0.s1.ultracorporatepixel.com,S=1827:2,: Eicar-Test-Signature FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494693503.M161191P2432V0000000000000901I0000000000EC0736_0.s1.ultracorporatepixel.com,S=3070:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494692812.M431907P2073V0000000000000901I0000000000EC0734_0.s1.ultracorporatepixel.com,S=3036:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494727637.M21766P18876V0000000000000901I0000000000EC074C_0.s1.ultracorporatepixel.com,S=3022:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494716262.M809291P9216V0000000000000901I0000000000EC0742_0.s1.ultracorporatepixel.com,S=3103:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1500150780.M180942P26247V0000000000000901I0000000000EC0FA4_0.s1.ultracorporatepixel.com,S=238803:2,: Doc.Macro.Obfuscation-6332451-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494641593.M650810P17187V0000000000000901I0000000000EC072B_0.s1.ultracorporatepixel.com,S=3162:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494641343.M582624P17029V0000000000000901I0000000000EC0729_0.s1.ultracorporatepixel.com,S=3048:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494716999.M531597P9478V0000000000000901I0000000000EC0744_0.s1.ultracorporatepixel.com,S=3048:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494732955.M786678P23630V0000000000000901I0000000000EC0754_0.s1.ultracorporatepixel.com,S=3092:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1498304246.M918966P14953V0000000000000901I0000000000EC0D74_0.s1.ultracorporatepixel.com,S=390914:2,: Doc.Macro.Obfuscation-6331107-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494692004.M166392P1535V0000000000000901I0000000000EC0731_0.s1.ultracorporatepixel.com,S=3263:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494732271.M465730P23180V0000000000000901I0000000000EC0752_0.s1.ultracorporatepixel.com,S=3139:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494717937.M487424P10327V0000000000000901I0000000000EC0748_0.s1.ultracorporatepixel.com,S=2977:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494717711.M249708P10122V0000000000000901I0000000000EC0746_0.s1.ultracorporatepixel.com,S=3097:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494543140.M672273P17076V0000000000000901I0000000000EC06F0_0.s1.ultracorporatepixel.com,S=3024:2,S: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494545118.M792128P17941V0000000000000901I0000000000EC06F7_0.s1.ultracorporatepixel.com,S=3130:2,S: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494640606.M669613P16646V0000000000000901I0000000000EC0727_0.s1.ultracorporatepixel.com,S=3063:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1500292461.M535880P20626V0000000000000901I0000000000EC0FC1_0.s1.ultracorporatepixel.com,S=242953:2,: Doc.Macro.Obfuscation-6332451-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494692636.M598024P1906V0000000000000901I0000000000EC0733_0.s1.ultracorporatepixel.com,S=3187:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494640444.M873872P16510V0000000000000901I0000000000EC0726_0.s1.ultracorporatepixel.com,S=3257:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1500507152.M446274P30309V0000000000000901I0000000000EC1001_0.s1.ultracorporatepixel.com,S=243832:2,: Doc.Macro.Obfuscation-6332451-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494639664.M155073P16228V0000000000000901I0000000000EC0724_0.s1.ultracorporatepixel.com,S=3142:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494729613.M796607P20275V0000000000000901I0000000000EC0750_0.s1.ultracorporatepixel.com,S=3107:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1500363452.M755031P10419V0000000000000901I0000000000EC0FD9_0.s1.ultracorporatepixel.com,S=236114:2,: Doc.Macro.Obfuscation-6332451-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494693796.M87410P2648V0000000000000901I0000000000EC0738_0.s1.ultracorporatepixel.com,S=3128:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494543767.M975377P17396V0000000000000901I0000000000EC06F3_0.s1.ultracorporatepixel.com,S=3124:2,S: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1494545085.M188037P17812V0000000000000901I0000000000EC06F5_0.s1.ultracorporatepixel.com,S=3136:2,S: Email.Phishing.VOF2-6314030-0 FOUND
/sigs/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.yara: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND

What should I do now? It seems that most of the emails are affected?
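The listing above mixes three very different kinds of hit, and they need different handling. As an added example (not code from the thread), here is a small POSIX sh triage of `clamscan -r -i` output, run on a constructed sample made from a few of the lines above with the long Maildir names shortened. The categories are this example's own assumption: the signature databases under /sigs and /var/lib/clamav and the maldet tarballs contain the very patterns they are matched against, so those are expected self-hits; files under a Maildir are received messages sitting in mailboxes (the EICAR line is the test string someone mailed in), which explains the phishing and macro hits but says nothing about outbound spam; PHP files under a hosting account's web root are the hits that matter for the blacklisting question.

```shell
#!/bin/sh
# Constructed sample of `clamscan -r -i /` output, modelled on the thread's listing
# (Maildir file names shortened; paths and signature names taken from the listing).
SAMPLE_SCAN='/maldet-sigpack.tgz: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/install.php: {HEX}php.generic.malware.441.UNOFFICIAL FOUND
/home/abrahamheinemann12/rainbow-trust/modules/field/modules/text/xml.php: {HEX}php.base64.v23au.186.UNOFFICIAL FOUND
/home/lxadmin/mail/domains/hostingultraso.com/sales/Maildir/cur/1494692636.M528884P1895,S=3075:2,: Email.Phishing.VOF2-6314030-0 FOUND
/home/lxadmin/mail/domains/hostingultraso.com/contact/Maildir/cur/1496316679.M805018P10559,S=1827:2,: Eicar-Test-Signature FOUND
/var/lib/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 7'

# classify_hit PATH SIGNATURE: print the triage category for one hit.
# The path prefixes used here are this example's assumption, not a ClamAV feature.
classify_hit() {
  case "$1" in
    /sigs/*|/var/lib/clamav/*|/maldet-*.tgz) echo sigdb ;;      # signature DBs matching themselves
    */Maildir/*)
      case "$2" in
        Eicar-Test-Signature) echo eicar ;;                     # the EICAR test string, received by mail
        *)                    echo mail ;;                      # received phishing/macro mail in a mailbox
      esac ;;
    /home/*) echo webcode ;;                                    # code under a hosting account: investigate
    *)       echo other ;;
  esac
}

# triage_scan: read clamscan -i output on stdin, print "category<TAB>path<TAB>signature"
# for every FOUND line; summary and blank lines are skipped.
triage_scan() {
  while IFS= read -r line; do
    case "$line" in
      *" FOUND") ;;
      *) continue ;;
    esac
    sig=${line% FOUND}
    sig=${sig##*: }                      # text after the last ": " is the signature name
    path=${line%": $sig FOUND"}          # everything before it is the path (may itself contain ':')
    printf '%s\t%s\t%s\n' "$(classify_hit "$path" "$sig")" "$path" "$sig"
  done
}

# count_category CATEGORY: number of hits of that category in the sample
count_category() {
  printf '%s\n' "$SAMPLE_SCAN" | triage_scan | awk -F'\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Stand-alone run: the triaged listing, then the category counts.
printf '%s\n' "$SAMPLE_SCAN" | triage_scan
for c in webcode mail eicar sigdb; do echo "$c: $(count_category "$c")"; done
```

On the real listing this is run as `clamscan -r -i / | triage_scan`. It matters because clamscan's `--remove` and `--move=DIR` options act on every hit alike, signature databases included, so the categories should be decided before either is used; removing the Maildir files (putude's question in Reply #9) deletes received mail only, while the webcode hits are the ones to pair with the maillog and mail-queue checks from the earlier replies.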

Offline putude

  • Valuable Member
  • *
  • Posts: 61
  • Karma: +0/-0
Re: Server infected with Virus
« Reply #9 on: 2017-09-18, 02:46:52 »
Hi Sandipcd and Mustafa,

Is it safe to delete the files (in this case)
/home/lxadmin/mail/domains/hostingultraso.com/sales/Maildir/cur/* ?
I have the same case too.
I checked that clamd is running, but it passed the virus, even the EICAR virus test.
When I use clamscan, the viruses were detected.
Can we set ClamAV to delete all email containing viruses automatically?

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,382
  • Karma: +115/-9
  • Gender: Male
Re: Server infected with Virus
« Reply #10 on: 2017-09-18, 05:28:32 »
Investigate '/etc/clamd.conf' file.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --
