How To: Restore Maldet Alert

Ticket Example: FSS-579-11696

Maldet (Linux Malware Detect) is a commonly used malware scanner for Linux-based servers. It uses threat data from network-edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. Because it quarantines files that match those signatures, it can also make a website inaccessible when a file the site needs is quarantined. To recover from that, you can restore the quarantined file by following the steps below.

Once you have SSHed into the server, identify the domain's document root and change into it, for example:

cd /home/vapedmy/public_html/onesoho.org

From inside that directory, run the command below to list all maldet scan reports by date and time, together with the total number of hits for each scan.

maldet --report list

Below is what the report list looks like after running the previous command. “HITS” is the number of files that matched a malware signature in that scan.

This program may be freely redistributed under the terms of the GNU GPL v2
Sep 27 2017 03:39:49 | SCANID: 170927-0339.115346 | RUNTIME: 117s | FILES: 33624 | HITS:40 | CLEANED: 0
Sep 26 2017 03:42:07 | SCANID: 170926-0342.472734 | RUNTIME: 560s | FILES: 41120 | HITS: 3 | CLEANED: 0
Sep 25 2017 23:00:02 | SCANID: 170925-2300.128888 | RUNTIME: 668s | FILES: 53738 | HITS: 5 | CLEANED: 0
Sep 24 2017 03:35:15 | SCANID: 170925-0335.610443 | RUNTIME: 432s | FILES: 11729 | HITS: 1 | CLEANED: 0

To view the individual infected files, choose a SCANID from the report list above and pass it to the report command, for example:

maldet --report 170926-0342.472734

Below is an example of the file hit list. Each line shows the signature that matched, the original file path, and the quarantine path the file was moved to.

FILE HIT LIST:
{HEX}php.exe.globals.406 : /home/tvsvisa/public_html/rglosaiw/goren/new.php => /usr/local/maldetect/quarantine/new.php.199828984
{HEX}php.exe.globals.406 : /home/tvsvisa/public_html/ce619/rglosaiw.zip => /usr/local/maldetect/quarantine/rglosaiw.zip.542318574
{HEX}php.exe.globals.406 : /home/tvsvisa/public_html/ce619/goren/new.php => /usr/local/maldetect/quarantine/new.php.279403920
{HEX}php.exe.globals.406 : /home/tvsvisa/public_html/rglosaiw.zip => /usr/local/maldetect/quarantine/rglosaiw.zip.179217585
{HEX}php.exe.globals.406 : /home/tvsvisa/public_html/e7f5/rglosaiw.zip => /usr/local/maldetect/quarantine/rglosaiw.zip.2620821441
{HEX}php.exe.globals.406 : /home/tvsvisa/public_html/e7f5/goren/new.php => /usr/local/maldetect/quarantine/hqyaxvlm.php.13767604

Lastly, you can delete the files with unusual .php filenames such as “hqyaxvlm.php.13767604”. To restore a quarantined file that the site needs, run the command below with the quarantine path taken from the hit list:

maldet --restore /usr/local/maldetect/quarantine/rglosaiw.zip.542318574

If the file has already been deleted, maldet will display:

maldet(965391): {restore} invalid file or could not be found
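To make the hit list easier to work through, here is an added shell example that is not part of the original how-to and not maldet's own code. It parses constructed copies of the two report outputs shown above (the report list and a file hit list, in the format taken from this page), totals the hits, lists the original paths, and looks up the quarantine path for a given original file so the restore command can be built from it. It never reads /usr/local/maldetect or runs maldet; the function names and the sample text are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original how-to or of maldet itself.
# It parses constructed copies of the two report outputs shown on this page
# and never reads /usr/local/maldetect or runs maldet.

# Constructed sample of `maldet --report list` output (format taken from the page).
REPORT_LIST='This program may be freely redistributed under the terms of the GNU GPL v2
Sep 27 2017 03:39:49 | SCANID: 170927-0339.115346 | RUNTIME: 117s | FILES: 33624 | HITS:40 | CLEANED: 0
Sep 26 2017 03:42:07 | SCANID: 170926-0342.472734 | RUNTIME: 560s | FILES: 41120 | HITS: 3 | CLEANED: 0'

# Constructed sample of a `maldet --report SCANID` file hit list.
# Fields: signature : original_path => quarantine_path
HIT_LIST='FILE HIT LIST:
{HEX}php.exe.globals.406 : /home/tvsvisa/public_html/ce619/rglosaiw.zip => /usr/local/maldetect/quarantine/rglosaiw.zip.542318574
{HEX}php.exe.globals.406 : /home/tvsvisa/public_html/e7f5/goren/new.php => /usr/local/maldetect/quarantine/hqyaxvlm.php.13767604'

# Sum of HITS over every scan in the report list. Tolerates both "HITS:40"
# and "HITS: 3", which the real output mixes.
total_hits() {
    printf '%s\n' "$REPORT_LIST" \
        | sed -n 's/.*HITS: *\([0-9][0-9]*\).*/\1/p' \
        | awk '{ s += $1 } END { print s + 0 }'
}

# SCANID of the most recent scan (first report line, newest first as in the listing above).
latest_scanid() {
    printf '%s\n' "$REPORT_LIST" \
        | sed -n 's/.*SCANID: \([^ ]*\).*/\1/p' \
        | head -n 1
}

# Every original path in the hit list, one per line, for manual review.
hit_paths() {
    printf '%s\n' "$HIT_LIST" | awk '$4 == "=>" { print $3 }'
}

# Quarantine path recorded for one original file; prints nothing if absent.
quarantine_path_for() {
    printf '%s\n' "$HIT_LIST" \
        | awk -v f="$1" '$3 == f && $4 == "=>" { print $5; exit }'
}

# Build (but do not run) the restore command for an original path, mirroring
# the maldet --restore step above. Returns 1 when there is no quarantine entry,
# the case in which maldet itself reports "invalid file or could not be found".
restore_command_for() {
    q=$(quarantine_path_for "$1")
    if [ -z "$q" ]; then
        echo "no quarantine entry for $1" >&2
        return 1
    fi
    printf 'maldet --restore %s\n' "$q"
}

# Demonstration output when the script is run directly.
echo "total hits: $(total_hits)"
echo "latest scan: $(latest_scanid)"
hit_paths
restore_command_for /home/tvsvisa/public_html/ce619/rglosaiw.zip
```

On a real server you would replace the two constructed strings with the output of `maldet --report list` and `maldet --report SCANID`; the script only prints the restore command so that you can check the original path against the site's expected files before running it.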

To temporarily disable the scheduled scan that performs the automatic quarantine, edit the crontab:

crontab -e

You will then see a number of scheduled entries. Search for “maldet” and comment that line out by prefixing it with #, as shown below:

#SHELL="/bin/bash"
#00 23 * * * /usr/local/sbin/maldet -a /home/?/public_html > /dev/null 2>&1