Maldet Hit warning
This assumes you have configured Maldet to email you when it finds malware. Once the warning arrives you will want to know what Maldet has found. Suspected malware is normally moved to the quarantine folder; if automatic cleaning is enabled, Maldet will also try to clean the file.
So, Maldet has warned us that it has found suspected malware in a user's directory. From this report alone we know a good deal about the incident, including:
- The server the malware was found on (removed here for security).
- The scan ID and some other useful details.
- That this is probably a WordPress site, because the file sat in a folder called wp-content.
- That the file was moved to the quarantine folder as /usr/local/maldetect/quarantine/db95.php.127046672.
First things first
The fact that Maldet has found a hit is reason enough to suspend the account: either the user uploaded this file, or the account is compromised and someone else has access to it. As a rule of thumb, we suspend the account straight away. Next, we want to know what the file is and what it was doing on our server. The quarantined copy can be examined safely as long as it is only read, never executed.
The File Hit List
The file hit list names the signature that matched: {HEX}php.base64.v23au.185. We do not even need to ask Google what that is, because we see many of these. The {HEX} prefix marks a hex signature and php.base64 marks base64-obfuscated PHP; the files this signature catches on our servers are mailers that churn out thousands of spam emails, which would get the server's IP address blacklisted. That won't happen in our case, because we impose strict limits on the number of emails our resellers and their customers can send. Those limits cap the outbound volume; they do not make the hit any less of a compromise.
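To see what a base64-obfuscated hit actually does, decode the literals rather than running the PHP. The script below is an added example, not code from the original post or from the Maldet project: it assumes a POSIX sh with grep, sed, base64 and wc, builds a constructed stand-in for the reseller's docroot and the quarantined file (the payload decodes to a harmless echo), summarises the file, and then looks for other PHP files in the account with the same eval(base64_decode(...)) pattern, since one hit rarely travels alone.

```shell
#!/bin/sh
# Added triage example; not code from the original post or from the Maldet project.
# Goal: learn what a quarantined, base64-obfuscated PHP file does without ever
# executing it, then look for siblings in the same account.
# Assumptions not stated on the page: POSIX sh with grep, sed, base64 and wc.
set -eu

# Print the decoded form of every base64 literal passed to base64_decode(...).
# Only the string literal is decoded; the PHP itself is never run.
decode_b64_payloads() {
    grep -o "base64_decode([\"'][A-Za-z0-9+/=]*[\"'])" "$1" \
        | sed "s/base64_decode([\"']//; s/[\"'])//" \
        | while IFS= read -r blob; do
            # A malformed literal makes base64 -d fail; keep going so one bad
            # match does not hide the others.
            printf '%s' "$blob" | base64 -d 2>/dev/null || true
            printf '\n'
          done
}

# Summarise one quarantined file: size, obfuscation markers, decoded literals.
triage_quarantine() {
    f=$1
    printf 'File:    %s\n' "$f"
    printf 'Size:    %s bytes\n' "$(wc -c < "$f")"
    printf 'Markers: %s\n' "$(grep -o -E 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$f" | wc -l)"
    printf 'Decoded payload(s):\n'
    decode_b64_payloads "$f"
}

# List PHP files under a directory that carry the same obfuscation pattern.
# Run against the account's docroot after the quarantine.
find_obfuscated() {
    grep -rlE --include='*.php' 'eval\((base64_decode|gzinflate|str_rot13)\(' "$1" | sort
}

# Constructed sample account standing in for the reseller's docroot. The
# obfuscated file stands in for the quarantined db95.php; its payload is a
# harmless echo, where a real hit would decode to the mailer or shell code.
ACCOUNT=$(mktemp -d)
mkdir -p "$ACCOUNT/wp-content/uploads"
printf '<?php echo "clean plugin"; ?>\n' > "$ACCOUNT/wp-content/index.php"
cat > "$ACCOUNT/wp-content/uploads/db95.php" <<'EOF'
<?php eval(base64_decode('ZWNobyAiaGVsbG8iOw==')); ?>
EOF
QUARANTINED=$ACCOUNT/wp-content/uploads/db95.php

triage_quarantine "$QUARANTINED"
printf 'Other obfuscated PHP under %s:\n' "$ACCOUNT"
find_obfuscated "$ACCOUNT"
```

On a live server, point triage_quarantine at the path from the hit email and find_obfuscated at the account's home directory; anything the second function lists should be treated as a further hit, not cleaned up silently.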
Further Steps
As the account is probably compromised, there are a few things the reseller must do to get access to the site back. For security, we do not allow a user back into the account until they agree to do the following. As this is a WordPress site, they will need to:
- Update WordPress to the latest version
- Update all plugins to the latest versions
- Change all FTP passwords
- Change account password
Once the user has done the above, the account can be treated as secure again. These steps close the likely entry point and rotate the credentials an intruder may hold; they do not by themselves prove that no other malicious files remain, so rescan the account once the user has finished. For a full list of Maldet commands, see our Maldet commands blog post.