What to do if Maldet reports Malware on your server
Assuming you have configured Maldet to send you notifications of Malware hits. Once you receive an email warning you will want to know what Maldet has found. Usually, hits on suspected Malware will be moved to the quarantine folder. If you have automatic cleaning enabled, Maldet will try to clean the Malware from the Linux Server automatically.
Maldet Malware Hit Warning
So, Maldet has warned us it’s found suspected Malware in a user’s directory. The Malware is on a Linux Server. But, from this report, we know a lot of information about the incident including;
- The server on which the Malware was found (for security we have removed this).
- The scan ID and some other useful information.
- We can see this is likely to be a WordPress site because the file was located in a folder called wp-content.
- It was moved to the quarantine folder /usr/local/maldetect/quarantine/db95.php.127046672.
Just the fact that Maldet has found a hit is reason enough to take action. Either the user has uploaded this file or the account is compromised and a malicious user has access to it. As a rule of thumb, Next, we want to know what the file is and what it was doing on our server.
The Maldet File Hit List
The file hit list states the file in question is an {HEX}php.base64.v23au.185 and we don’t even need to ask Google what that is because we see many of these. {HEX}php.base64.v23au.185 is a program that will churn out thousands of spam emails which will result in your server’s IP address becoming blacklisted. That won’t happen in our case because we impose strict limits on the amount of emails our resellers and their customers can send.
Further Steps
As the account is likely compromised there are a few things the reseller will need to do to get access back to this site. For security, we won’t allow a user access to his account until they agree to perform some tasks to resolve the situation. As this is a WordPress site they will need to
- Update WordPress to the latest version
- Update all plugins to the latest versions
- Change all FTP passwords
- Change account password
Assuming the user performs the above steps the account can then be treated as being secure again. But for a full list of Maldet command see our Maldet commands blog post.