What to do if Maldet reports a hit warning (Malware)

Maldet Hit warning

Assuming you have configured Maldet to send you notifications of Malware hits. Once you receive an email warning you will want to know what Maldet has found. Usually, hits on suspected Malware will be moved to the quarantine folder. If you have automatic cleaning enabled Maldet will try to clean the file first.

Maldet Hit Warning

So, Maldet has warned us it’s found suspected Malware in a users directory

But, from this report we know a lot of information about the incident including;

• The server which the Malware was found on (for security we have removed this).
• The scan ID and some other useful information.
• We can see this is likely to be WordPress site because the file was located in a folder called wp-content.
• It was moved to the quarantine folder /usr/local/maldetect/quarantine/db95.php.127046672.

First things first

Just that fact that Maldet has found a hit is reason enough to suspend the account. Either the user has uploaded this file or the account is compromised and a malicious user has access to it. As a rule of thumb, we’re going to suspend this account straight away. Next, we want to know what the file is and what it was doing on our server.

The File Hit List

The file hit list states the file in question is an  {HEX}php.base64.v23au.185  and we don’t even need to ask Google what that is because we see many of these. {HEX}php.base64.v23au.185 is a program that will churn out thousands of spam emails which will result in your server’s IP address becoming blacklisted. That won’t happen in our case because we impose strict limits on the amount of emails our resellers and their customers can send.

Further Steps

As the account is likely compromised there are a few things the reseller will need to do to get access back to this site. For security, we won’t allow a user access to his account until they agree to perform some tasks to resolve the situation. As this is a WordPress site they will need to

1. Update WordPress to the latest version
2. Update all plugins to the latest versions
3. Change all FTP passwords
4. Change account password

Assuming the user performs the above steps the account can then be treated as being secure again. But for a full list of Maldet command see our Maldet commands blog post.

How was this article? Maldet Hit warning

More from All About Linux

Install Ioncube Loaders In Ubuntu, Debian, CentOS and AlmaLinux

Posted On June 25, 2022 F2H.Cloud 0

Ioncube Loaders are a piece of software that is used to protect the underlying code in PHP applications. Its aim …

How to install FTP and configure FTP on an Ubuntu 22 LTS instance

Posted On June 13, 2022 F2H.Cloud 0

If you need to upload files to your NVMe VPS you have a couple of options. You can use a …

How to install a Cloudflare Origin SSL Certificate – NGINX

Posted On June 4, 2022 F2H.Cloud 0

An SSL Certificate is vital to encrypt data between you and your clients. SSLs can be complicated things. If they …

Editor Picks

Compatible OS Versions – Linux KVM NVMe VPS

August 6, 2020 0

How To WordPress Prevent Website Hacks

January 8, 2020 0

Set up a website on an Ubuntu using Apache Virtual Hosts

January 30, 2019 0

Create Docker Container And The Basic Docker Commands

September 14, 2018 1