Virus/Malavare removal

Started by Мel, February 02, 2020, 09:34:29 AM

Previous topic - Next topic

Мel

Hi all.
I've been struggling with a virus issue for a while.
cPanel virus scan shows come cache files infected with YARA-something virus. I always check "destroy", but it keeps coming back. No suspicious files on my FTP, no suspicious modifications.
Any tips how to handle it? I'm out of ideas.
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

Looking

What do your error logs say... it can point to probable files causing it? Are you on shared hosting?

Illori

i bet it is false positives. your cache files are rebuilt every so often. so i doubt you have any virus. without the details of the infection we cannot tell you for sure what is going on.

SpacePhoenix

As a precaution change your FTP password with the new password being a strong password

d3vcho

Also, please run your antivirus in your personal computer.
"Greeting Death as an old friend, they departed this life as equals"

a10

Forum files cache, or image cache. & have you asked the host's tech dept. for an opinion.

The cpanel av seems to show exactly what it's flagging, what I'd do is download them and check with normal av + sites like https://www.virustotal.com.
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Sir Osis of Liver

Unless you have a very busy forum, disable caching in Server Settings and delete cache files.  You don't need it and it can cause other problems.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Shambles

Just wondering what strange breed of infection is called "Malavare"...

Мel

Quote from: Looking on February 02, 2020, 10:58:53 AM
What do your error logs say... it can point to probable files causing it? Are you on shared hosting?
Logged by cPanel antivirus:
/forum/cache/data_24ea2800a6f49c32b4f6ee4b0f1420d8-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL            
forum/cache/data_47f8102dac1630bbe03a0a988e4c271c-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL

Quote from: Illori on February 02, 2020, 11:09:25 AM
i bet it is false positives. your cache files are rebuilt every so often. so i doubt you have any virus. without the details of the infection we cannot tell you for sure what is going on.
Log from cPanel antivirus is above.
Quote from: SpacePhoenix on February 02, 2020, 02:48:25 PM
As a precaution change your FTP password with the new password being a strong password
I've changed that earlier, but no harm doing it one more time.
Quote from: a10 on February 02, 2020, 03:52:31 PM
Forum files cache, or image cache. & have you asked the host's tech dept. for an opinion.

The cpanel av seems to show exactly what it's flagging, what I'd do is download them and check with normal av + sites like https://www.virustotal.com.
They're aware of its existence and their own antivirus kills it from time to time, that's it.
Quote from: Sir Osis of Liver on February 02, 2020, 04:56:22 PM
Unless you have a very busy forum, disable caching in Server Settings and delete cache files.  You don't need it and it can cause other problems.
Wow, I actually can try this, thanks.

Thank you all for your time and attention.
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

Sir Osis of Liver

/forum/cache/data_24ea2800a6f49c32b4f6ee4b0f1420d8-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL            
forum/cache/data_47f8102dac1630bbe03a0a988e4c271c-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL


That's actually a known bug, nothing to do with virus.  If you disable caching and delete /cache files it will be fixed.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Illori

actually it is not a known issue that this file is flagged as a virus. you can disable cache but if your forum is busy or large it could slow it down. if you have no other issues i would ignore this.

Мel

Thanks guys! After disabling cache the problem seems to be gone. I'd never thought that it's not a bug, but a feature :)

Much appreciated, case closed.
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

Sir Osis of Liver

Quote from: Illori on February 04, 2020, 04:53:12 AM
actually it is not a known issue that this file is flagged as a virus.

That's not what I meant, cpanel scan may be misinterpreting the known error as a virus.  But anyway, it's fixed.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Kindred

Just to note... disabling the cache is not the best choice, in many cases... especially on a busy site
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Sir Osis of Liver

Quote from: Sir Osis of Liver on February 02, 2020, 04:56:22 PM
Unless you have a very busy forum, disable caching in Server Settings and delete cache files.  You don't need it and it can cause other problems.

   ;)
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Kindred

not even "very" busy.  The cache can help in cases of even "just a little bit busy"

Your constant suggestions that people disable the cache are often not the best solution.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Мel

Quote from: Kindred on February 04, 2020, 04:06:17 PM
Just to note... disabling the cache is not the best choice, in many cases... especially on a busy site
Not that busy. So far so good. But I'll keep an eye on it.

Thanks again, guys.
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

Sir Osis of Liver

I've disabled cache on many of the forums I've worked on, and my own prod forums, it's never made any difference in load times.  The forums I've seen with slow loads are invariably due to server issues.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Мel

Still works fine. 49 users in 7 days, about 100-150 posts, no complains.
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

Illori

you might see it still working but it will put more load on your server and your host may talk to you about it depending on how much load it puts on the server.

Мel

Quote from: Illori on February 08, 2020, 05:16:11 AM
you might see it still working but it will put more load on your server and your host may talk to you about it depending on how much load it puts on the server.
Will see. They were concerned about the "virus".
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

Illori

then they should also be aware of false positives. if they are not then I would start looking for a new host.

Мel

Quote from: Illori on February 10, 2020, 07:13:12 AM
then they should also be aware of false positives. if they are not then I would start looking for a new host.
It's actually a very good host with modest pricing and prompt, efficient & user-friendly tech support. I'll stick by it.
"The ability to speak does not make you intelligent."
- Qui-Gon Jinn

shawnb61

#23
Did a little bit of research.  So, breaking down the message...

data_24ea2800a6f49c32b4f6ee4b0f1420d8-SMF-modSettings.php - This is a cached version of your settings table
YARA - Yara is a common text-search-based malware detection tool
r57shell  - is a common malware script out there
UNOFFICIAL - Unofficial means the AV test is not using the official signed version of the signatures.  In my (limited) understanding, this is usually done for testing purposes.

So... 

There is a string in your settings table that triggers your AV to generate a warning.  These are usually false positives.  But not always. 

This query should help you find the suspicious setting:
SELECT * FROM `smf_settings` WHERE variable like '%r57%' or value like '%r57%';

(If your table prefix is not "smf_", then change the query accordingly...)

Do you have any anti-spam or anti-malware mods installed?   E.g., Forum Firewall?  That would do it. 

As noted above, cache is important as your site grows.  Disabling it is only a short-term solution. 

If you confirm this is a bogus find, your host should be able to disable that check. 




Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Advertisement: