Hi,
I have a cPanel server. Recently I have been seeing many such culprit files being uploaded to the CMS software on my server. Once uploaded, these files allow the hacker to send out tons of spam emails, which results in email IP blacklisting.
The following screenshots show sample code present in the malware file. I can see the same pattern in all such files; only the function names are different. This is a huge headache now.
https://postimg.org/image/5xwg67unj/
https://postimg.org/image/imhs7za1d/
server # /usr/local/cpanel/3rdparty/bin/freshclam
ClamAV update process started at Thu Jul 13 06:39:19 2017
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cld is up to date (version: 23559, sigs: 1739625, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 306, sigs: 65, f-level: 63, builder: raynman)
~
server # /usr/local/cpanel/3rdparty/bin/clamscan /usr/local/src/yekmaesa.php
/usr/local/src/yekmaesa.php: OK
----------- SCAN SUMMARY -----------
Known viruses: 6300372
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.16 MB
Data read: 0.08 MB (ratio 2.00:1)
Time: 15.430 sec (0 m 15 s)
~
server # /usr/local/cpanel/3rdparty/bin/clamdscan /usr/local/src/yekmaesa.php
/usr/local/src/yekmaesa.php: OK
----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.001 sec (0 m 0 s)