As we normally do, the first task was to find out how, or under what circumstances, this virus got onto the site. After some research we found that several of the client's office computers were infected with several viruses. The first step was to change every password for the site itself, including the email, FTP and database passwords. After that we proceeded to take care of the site. As you can imagine, the site holds many documents, any of which could have been compromised, and based on the information we had about the virus, relying on file timestamps was not the most recommendable approach, so this is how we resolved the problem.

Using cPanel's antivirus tool, clamscan, we proceeded to scan the whole site.

Note: if you are using cPanel, your clamscan binary should be located at the path shown below. If you installed ClamAV manually, you will need to find the correct path before running it.

Scan a particular user account on a cPanel server

We used the following command to run the antivirus on a particular user account.

root@server [~]# /usr/local/cpanel/3rdparty/bin/clamscan -ri /home/user_site/public_html

This produces the following output:

LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
LibClamAV Warning: Detected duplicate databases /usr/local/cpanel/3rdparty/share/clamav/main.cvd and /usr/local/cpanel/3rdparty/share/clamav/main.cld. The /usr/local/cpanel/3rdparty/share/clamav/main.cvd database is older and will not be loaded, you should manually remove it from the database directory.
/home/user_site/public_html/css/index2CDEN.php: PHP.Trojan.Spambot FOUND
/home/user_site/public_html/images/infocf5D.php: PHP.Trojan.Spambot FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3914119
Engine version: 0.98.1
Scanned directories: 257
Scanned files: 2066
Infected files: 2
Data scanned: 61.04 MB
Data read: 43.68 MB (ratio 1.40:1)
Time: 17.003 sec (0 m 17 s)

Verify the infected files and remove them.

The most common clamscan options are:

-r: scan directories recursively.
-i: print only infected files.

Scan all accounts in your cpanel server

If you wish, you can run the antivirus over the entire /home directory with the following command. Of course, this will take some time to produce a full report; it all depends on how many sites you have in your /home directory.

root@server [~]# /usr/local/cpanel/3rdparty/bin/clamscan -ri /home

With the following output:

LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
LibClamAV Warning: SWF: Invalid tag length.
/home/wwwrival/mail/***.com/***/cur/1369241351.H225665P9618.pulzar.websitedns.in,S=13655:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1373629381.H538317P10139.pulzar.websitedns.in,S=13643:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1377272646.H250116P28818.pulzar.websitedns.in,S=10573:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1373456944.H789131P14873.pulzar.websitedns.in,S=7667:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1372943042.H867678P9216.pulzar.websitedns.in,S=27885:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1377187208.H971256P14839.pulzar.websitedns.in,S=13721:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1377086926.H165198P21099.pulzar.websitedns.in,S=13661:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1374309615.H328431P28698.pulzar.websitedns.in,S=14013:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1372080212.H153799P1749.pulzar.websitedns.in,S=9159:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1371828680.H677506P7246.pulzar.websitedns.in,S=13843:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1374171992.H628051P4660.pulzar.websitedns.in,S=9646:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1377095778.H771486P16601.pulzar.websitedns.in,S=14029:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1377693735.H451187P666.pulzar.websitedns.in,S=13406:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1363760036.H758337P27813.iaaxin.in,S=13644:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1377700492.H306051P4299.pulzar.websitedns.in,S=7676:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1366047546.H429894P30290.pulzar.websitedns.in,S=13633:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1371650603.H329980P11069.pulzar.websitedns.in,S=13643:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1373462154.H202528P5728.pulzar.websitedns.in,S=13391:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1364218801.H643537P13723.iaaxin.in,S=8332:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1377233291.H554735P3322.pulzar.websitedns.in,S=7676:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1376416460.H154905P5529.pulzar.websitedns.in,S=9654:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1375977055.H728336P17626.pulzar.websitedns.in,S=9983:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1377263987.H446629P21729.pulzar.websitedns.in,S=9648:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1372079262.H594830P22596.pulzar.websitedns.in,S=9151:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/wwwrival/mail/***.com/***/cur/1376320329.H488985P28818.pulzar.websitedns.in,S=9641:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user_site/mail/user_siteders.in/info/new/1387874529.H439506P557907.182.71.233.77.iaaxin.com,S=20758: Heuristics.Phishing.Email.SpoofedDomain FOUND
LibClamAV Warning: SWF: Invalid tag length.
/home/forefor/mail/new/1368469015.H94641P6763.pulzar.websitedns.in,S=9864: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/forefor/mail/new/1363198618.H889178P16354.iaaxin.in,S=10046: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/forefor/mail/new/1362409749.H919432P11531.iaaxin.in,S=9967: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/forefor/mail/new/1361984937.H541722P30696.iaaxin.in,S=9982: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/forefor/mail/new/1369690920.H24514P2643.pulzar.websitedns.in,S=9844: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/forefor/mail/new/1362076650.H603724P3839.iaaxin.in,S=9944: Heuristics.Phishing.Email.SpoofedDomain FOUND
LibClamAV Warning: SWF: Invalid tag length.

----------- SCAN SUMMARY -----------
Known viruses: 3914119
Engine version: 0.98.1
Scanned directories: 70469
Scanned files: 1688827
Infected files: 32
Data scanned: 23658.66 MB
Data read: 44894.86 MB (ratio 0.53:1)
Time: 7090.407 sec (118 m 10 s)

Verify the infected files and remove them.

Scan all public_html directories on the server

Use the following command to run the antivirus on every public_html directory on your server.

root@server [~]# /usr/local/cpanel/3rdparty/bin/clamscan -ri /home/*/public_html

Remove all infected files

Use this command to remove all infected files from the server while scanning. Keep in mind that this process deletes every infected file without distinction, which could really break your site if files it needs are deleted.

root@server [~]# /usr/local/cpanel/3rdparty/bin/clamscan -ri --remove /home/*/public_html
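A safer variant of the remove step, added here as an example that is not part of the original post: it keeps the cPanel clamscan path from above, quarantines hits with clamscan's --move option instead of deleting them, and parses the saved log in the FOUND/summary format shown earlier so the result can be reviewed before anything is restored or dropped. The log and quarantine paths and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. It wraps the cPanel clamscan path
# used above; the log/quarantine locations and helper names are assumptions.
CLAMSCAN="${CLAMSCAN:-/usr/local/cpanel/3rdparty/bin/clamscan}"
QUARANTINE="${QUARANTINE:-/root/clam-quarantine}"

# run_scan DIR LOG: recursive scan, hits only, log kept for review.
# --move quarantines hits instead of --remove, so a false positive can be restored.
run_scan() {
  mkdir -p "$QUARANTINE"
  "$CLAMSCAN" -ri --move="$QUARANTINE" -l "$2" "$1"
}

# db_stale LOG: true if clamscan warned that the signature DB is outdated
# (as in the post's output); run freshclam before trusting the results.
db_stale() { grep -q 'virus database is older than' "$1"; }

# found_files LOG: print "path<TAB>signature" for each "... FOUND" line.
# Signature names contain neither ':' nor ' ', so split on the last ': '.
found_files() {
  awk '/ FOUND$/ {
    sub(/ FOUND$/, "")
    if (match($0, /: [^: ]+$/))
      printf "%s\t%s\n", substr($0, 1, RSTART - 1), substr($0, RSTART + 2)
  }' "$1"
}

# found_count LOG: number of hits actually listed in the log.
found_count() { found_files "$1" | wc -l | tr -d ' '; }

# summary_count LOG: the "Infected files: N" figure from the scan summary.
summary_count() { awk '/^Infected files:/ { print $3 }' "$1"; }

# log_consistent LOG: succeeds when the listed hits match the summary count;
# a mismatch means a truncated log or output mixed from several runs.
log_consistent() { [ "$(found_count "$1")" = "$(summary_count "$1")" ]; }

# Constructed sample log in the same format as the scan output shown above.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
/home/user_site/public_html/css/index2CDEN.php: PHP.Trojan.Spambot FOUND
/home/user_site/public_html/images/infocf5D.php: PHP.Trojan.Spambot FOUND
/home/user_site/mail/new/1387874529.H439506P557907.example,S=20758: Heuristics.Phishing.Email.SpoofedDomain FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
EOF
```

A real run would be `run_scan /home/user_site/public_html /root/clamscan.log` followed by `found_files /root/clamscan.log`; the quarantined copies stay in $QUARANTINE until you have reviewed each hit.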

Hope this information helps, and that you never have to use it!
