Virus/Malavare removal

Started by Мel, February 02, 2020, 09:34:29 AM

Мel

Hi all.
I've been struggling with a virus issue for a while.
cPanel virus scan shows some cache files infected with YARA-something virus. I always check "destroy", but it keeps coming back. No suspicious files on my FTP, no suspicious modifications.
Any tips how to handle it? I'm out of ideas.
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

Looking

What do your error logs say... it can point to probable files causing it? Are you on shared hosting?

Illori

i bet it is false positives. your cache files are rebuilt every so often. so i doubt you have any virus. without the details of the infection we cannot tell you for sure what is going on.

SpacePhoenix

As a precaution change your FTP password with the new password being a strong password.

d3vcho

Also, please run your antivirus on your personal computer.
"Greeting Death as an old friend, they departed this life as equals"

a10

Forum files cache, or image cache. & have you asked the host's tech dept. for an opinion.

The cpanel av seems to show exactly what it's flagging, what I'd do is download them and check with normal av + sites like https://www.virustotal.com.
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Sir Osis of Liver

Unless you have a very busy forum, disable caching in Server Settings and delete cache files.  You don't need it and it can cause other problems.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Shambles

Just wondering what strange breed of infection is called "Malavare"...

Мel

Quote from: Looking on February 02, 2020, 10:58:53 AM
What do your error logs say... it can point to probable files causing it? Are you on shared hosting?

Logged by cPanel antivirus:
/forum/cache/data_24ea2800a6f49c32b4f6ee4b0f1420d8-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL
forum/cache/data_47f8102dac1630bbe03a0a988e4c271c-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL

Quote from: Illori on February 02, 2020, 11:09:25 AM
i bet it is false positives. your cache files are rebuilt every so often. so i doubt you have any virus. without the details of the infection we cannot tell you for sure what is going on.

Log from cPanel antivirus is above.

Quote from: SpacePhoenix on February 02, 2020, 02:48:25 PM
As a precaution change your FTP password with the new password being a strong password

I've changed that earlier, but no harm doing it one more time.

Quote from: a10 on February 02, 2020, 03:52:31 PM
Forum files cache, or image cache. & have you asked the host's tech dept. for an opinion.
The cpanel av seems to show exactly what it's flagging, what I'd do is download them and check with normal av + sites like https://www.virustotal.com.

They're aware of its existence and their own antivirus kills it from time to time, that's it.

Quote from: Sir Osis of Liver on February 02, 2020, 04:56:22 PM
Unless you have a very busy forum, disable caching in Server Settings and delete cache files.  You don't need it and it can cause other problems.

Wow, I actually can try this, thanks.

Thank you all for your time and attention.
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn
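
Added example (not part of any post in this thread, and not SMF or cPanel code): a small triage helper for scan lines in the format quoted in the post above. It groups detections by rule and cache key and hashes any flagged file still on disk so it can be checked by hash lookup; the two regexes are assumptions derived only from the two quoted lines.

```python
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# The two detections quoted in the thread (second path has no leading slash).
SAMPLE_REPORT = """Logged by cPanel antivirus:
/forum/cache/data_24ea2800a6f49c32b4f6ee4b0f1420d8-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL
forum/cache/data_47f8102dac1630bbe03a0a988e4c271c-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL
"""

# "<path> - <signature>"; the hyphens inside the path have no spaces around them.
REPORT_LINE = re.compile(r"^\s*(?P<path>\S.*?)\s+-\s+(?P<sig>\S+)\s*$")
# Cache file naming as seen in those paths: data_<32 hex>-SMF-<key>.php
CACHE_NAME = re.compile(r"^data_[0-9a-f]{32}-SMF-(?P<key>.+)\.php$")


def parse_report(text):
    """Return one dict per detection line; other lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line)
        if not m:
            continue
        path, sig = m["path"].lstrip("/"), m["sig"]
        cache = CACHE_NAME.match(Path(path).name)
        hits.append({
            "path": path,
            # ClamAV appends .UNOFFICIAL to names from non-official signature sets.
            "rule": sig.removesuffix(".UNOFFICIAL"),
            "third_party": sig.endswith(".UNOFFICIAL"),
            "cache_key": cache["key"] if cache else None,
        })
    return hits


def recurring_cache_hits(hits):
    """Map (rule, cache_key) -> paths for keys flagged in two or more files."""
    groups = defaultdict(list)
    for h in hits:
        if h["cache_key"]:
            groups[(h["rule"], h["cache_key"])].append(h["path"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def sha256_if_present(root, rel_path):
    """Hash a flagged file for a hash lookup; None if it is already gone."""
    f = Path(root) / rel_path
    return hashlib.sha256(f.read_bytes()).hexdigest() if f.is_file() else None
```

Both quoted detections land in one group, `("YARA.r57shell_php_php", "modSettings")`: the same rule on the same cache key under two file names, which points triage at the data being cached rather than at one file.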

Sir Osis of Liver

/forum/cache/data_24ea2800a6f49c32b4f6ee4b0f1420d8-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL            
forum/cache/data_47f8102dac1630bbe03a0a988e4c271c-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL


That's actually a known bug, nothing to do with virus.  If you disable caching and delete /cache files it will be fixed.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Illori

actually it is not a known issue that this file is flagged as a virus. you can disable cache but if your forum is busy or large it could slow it down. if you have no other issues i would ignore this.

Мel

Thanks guys! After disabling cache the problem seems to be gone. I'd never thought that it's not a bug, but a feature :)

Much appreciated, case closed.
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

Sir Osis of Liver

Quote from: Illori on February 04, 2020, 04:53:12 AM
actually it is not a known issue that this file is flagged as a virus.

That's not what I meant, cpanel scan may be misinterpreting the known error as a virus.  But anyway, it's fixed.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Kindred

Just to note... disabling the cache is not the best choice, in many cases... especially on a busy site
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Sir Osis of Liver

Quote from: Sir Osis of Liver on February 02, 2020, 04:56:22 PM
Unless you have a very busy forum, disable caching in Server Settings and delete cache files.  You don't need it and it can cause other problems.

   ;)
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Kindred

not even "very" busy.  The cache can help in cases of even "just a little bit busy"

Your constant suggestions that people disable the cache are often not the best solution.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Мel

Quote from: Kindred on February 04, 2020, 04:06:17 PM
Just to note... disabling the cache is not the best choice, in many cases... especially on a busy site
Not that busy. So far so good. But I'll keep an eye on it.

Thanks again, guys.
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

Sir Osis of Liver

I've disabled cache on many of the forums I've worked on, and my own prod forums, it's never made any difference in load times.  The forums I've seen with slow loads are invariably due to server issues.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Мel

Still works fine. 49 users in 7 days, about 100-150 posts, no complaints.
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

Illori

you might see it still working but it will put more load on your server and your host may talk to you about it depending on how much load it puts on the server.