Virus/Malavare removal

Мel · February 02, 2020, 09:34:29 AM

Hi all.
I've been struggling with a virus issue for a while.
cPanel virus scan shows come cache files infected with YARA-something virus. I always check "destroy", but it keeps coming back. No suspicious files on my FTP, no suspicious modifications.
Any tips how to handle it? I'm out of ideas.

Looking · February 02, 2020, 10:58:53 AM

What do your error logs say... it can point to probable files causing it? Are you on shared hosting?

Illori · February 02, 2020, 11:09:25 AM

i bet it is false positives. your cache files are rebuilt every so often. so i doubt you have any virus. without the details of the infection we cannot tell you for sure what is going on.

SpacePhoenix · February 02, 2020, 02:48:25 PM

As a precaution change your FTP password with the new password being a strong password

d3vcho · February 02, 2020, 03:15:43 PM

Also, please run your antivirus in your personal computer.

a10 · February 02, 2020, 03:52:31 PM

Forum files cache, or image cache. & have you asked the host's tech dept. for an opinion.

The cpanel av seems to show exactly what it's flagging, what I'd do is download them and check with normal av + sites like https://www.virustotal.com.

Sir Osis of Liver · February 02, 2020, 04:56:22 PM

Unless you have a very busy forum, disable caching in Server Settings and delete cache files. You don't need it and it can cause other problems.

Shambles · February 02, 2020, 05:26:54 PM

Just wondering what strange breed of infection is called "Malavare"...

Мel · February 03, 2020, 01:20:06 PM

Quote from: Looking on February 02, 2020, 10:58:53 AM
What do your error logs say... it can point to probable files causing it? Are you on shared hosting?

Logged by cPanel antivirus:
/forum/cache/data_24ea2800a6f49c32b4f6ee4b0f1420d8-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL
forum/cache/data_47f8102dac1630bbe03a0a988e4c271c-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL

Quote from: Illori on February 02, 2020, 11:09:25 AM
i bet it is false positives. your cache files are rebuilt every so often. so i doubt you have any virus. without the details of the infection we cannot tell you for sure what is going on.

Log from cPanel antivirus is above.

Quote from: SpacePhoenix on February 02, 2020, 02:48:25 PM
As a precaution change your FTP password with the new password being a strong password

I've changed that earlier, but no harm doing it one more time.

Quote from: a10 on February 02, 2020, 03:52:31 PM
Forum files cache, or image cache. & have you asked the host's tech dept. for an opinion.

The cpanel av seems to show exactly what it's flagging, what I'd do is download them and check with normal av + sites like https://www.virustotal.com.

They're aware of its existence and their own antivirus kills it from time to time, that's it.

Quote from: Sir Osis of Liver on February 02, 2020, 04:56:22 PM
Unless you have a very busy forum, disable caching in Server Settings and delete cache files. You don't need it and it can cause other problems.

Wow, I actually can try this, thanks.

Thank you all for your time and attention.

Sir Osis of Liver · February 03, 2020, 09:14:26 PM

/forum/cache/data_24ea2800a6f49c32b4f6ee4b0f1420d8-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL
forum/cache/data_47f8102dac1630bbe03a0a988e4c271c-SMF-modSettings.php - YARA.r57shell_php_php.UNOFFICIAL

That's actually a known bug, nothing to do with virus. If you disable caching and delete /cache files it will be fixed.

Illori · February 04, 2020, 04:53:12 AM

actually it is not a known issue that this file is flagged as a virus. you can disable cache but if your forum is busy or large it could slow it down. if you have no other issues i would ignore this.

Мel · February 04, 2020, 03:13:05 PM

Thanks guys! After disabling cache the problem seems to be gone. I'd never thought that it's not a bug, but a feature

Much appreciated, case closed.

Sir Osis of Liver · February 04, 2020, 03:59:34 PM

Quote from: Illori on February 04, 2020, 04:53:12 AM
actually it is not a known issue that this file is flagged as a virus.

That's not what I meant, cpanel scan may be misinterpreting the known error as a virus. But anyway, it's fixed.

Kindred · February 04, 2020, 04:06:17 PM

Just to note... disabling the cache is not the best choice, in many cases... especially on a busy site

Sir Osis of Liver · February 04, 2020, 05:04:38 PM

Quote from: Sir Osis of Liver on February 02, 2020, 04:56:22 PM
Unless you have a very busy forum, disable caching in Server Settings and delete cache files. You don't need it and it can cause other problems.

Kindred · February 05, 2020, 12:57:23 PM

not even "very" busy. The cache can help in cases of even "just a little bit busy"

Your constant suggestions that people disable the cache are often not the best solution.

Мel · February 05, 2020, 01:43:36 PM

Quote from: Kindred on February 04, 2020, 04:06:17 PM
Just to note... disabling the cache is not the best choice, in many cases... especially on a busy site

Not that busy. So far so good. But I'll keep an eye on it.

Thanks again, guys.

Sir Osis of Liver · February 05, 2020, 09:22:49 PM

I've disabled cache on many of the forums I've worked on, and my own prod forums, it's never made any difference in load times. The forums I've seen with slow loads are invariably due to server issues.

Мel · February 08, 2020, 04:24:51 AM

Still works fine. 49 users in 7 days, about 100-150 posts, no complains.

Illori · February 08, 2020, 05:16:11 AM

you might see it still working but it will put more load on your server and your host may talk to you about it depending on how much load it puts on the server.

Мel · February 10, 2020, 06:40:33 AM

Quote from: Illori on February 08, 2020, 05:16:11 AM
you might see it still working but it will put more load on your server and your host may talk to you about it depending on how much load it puts on the server.

Will see. They were concerned about the "virus".

Illori · February 10, 2020, 07:13:12 AM

then they should also be aware of false positives. if they are not then I would start looking for a new host.

Мel · February 10, 2020, 02:01:02 PM

Quote from: Illori on February 10, 2020, 07:13:12 AM
then they should also be aware of false positives. if they are not then I would start looking for a new host.

It's actually a very good host with modest pricing and prompt, efficient & user-friendly tech support. I'll stick by it.

shawnb61 · February 10, 2020, 08:38:13 PM

Did a little bit of research. So, breaking down the message...

data_24ea2800a6f49c32b4f6ee4b0f1420d8-SMF-modSettings.php - This is a cached version of your settings table
YARA - Yara is a common text-search-based malware detection tool
r57shell - is a common malware script out there
UNOFFICIAL - Unofficial means the AV test is not using the official signed version of the signatures. In my (limited) understanding, this is usually done for testing purposes.

So...

There is a string in your settings table that triggers your AV to generate a warning. These are usually false positives. But not always.

This query should help you find the suspicious setting:

Code Select

SELECT * FROM `smf_settings` WHERE variable like '%r57%' or value like '%r57%';

(If your table prefix is not "smf_", then change the query accordingly...)

Do you have any anti-spam or anti-malware mods installed? E.g., Forum Firewall? That would do it.

As noted above, cache is important as your site grows. Disabling it is only a short-term solution.

If you confirm this is a bogus find, your host should be able to disable that check.

News:

Virus/Malavare removal