[clamav-users] Installing question

lists at khtech.ca lists at khtech.ca
Wed Mar 27 16:52:58 EDT 2019


If the malware files keep returning, you better check your site permissions and extensions/modules on the site. Moving it to a different hosting company won’t fix it.

Terry

 

From: clamav-users <clamav-users-bounces at lists.clamav.net <mailto:clamav-users-bounces at lists.clamav.net> > On Behalf Of MOHAMED OMAR MAKRAM via clamav-users
Sent: Wednesday, March 27, 2019 12:26 PM
To: ClamAV users ML <clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net> >
Cc: MOHAMED OMAR MAKRAM <adamupaccounting at gmail.com <mailto:adamupaccounting at gmail.com> >
Subject: {Disarmed} Re: [clamav-users] Installing question

 

Thank you, Scott, but that is not the site I am worried about, and I don't have a problem currently because I am paying for virus protection and a firewall at $21 per month for each site. 

I want to stop paying for a virus and a firewall for all my sites and move it out from GoDaddy and put it into Hostgator. I am done with GoDaddy. Right now you won't be able to see any issues because the virus-created files are quarantined. The minute I stop paying for the virus scan and firewall, even if I deleted those quarantined files, I will have them coming back again and again.

 

 

My sites are:

 <https://llink.to/?u=https:%2F%2Fwww.twelvestepjournaling.com%2F&e=465642cfc9f048e98cc85ab6a7990aa6> MailScanner has detected a possible fraud attempt from "llink.to" claiming to be https://www.twelvestepjournaling.com/  

 <https://llink.to/?u=https:%2F%2Fwww.intentionalbeings.com%2F&e=465642cfc9f048e98cc85ab6a7990aa6> MailScanner has detected a possible fraud attempt from "llink.to" claiming to be https://www.intentionalbeings.com/ 

 <https://llink.to/?u=https:%2F%2Fwww.cocreationsmanager.com%2F&e=465642cfc9f048e98cc85ab6a7990aa6> MailScanner has detected a possible fraud attempt from "llink.to" claiming to be https://www.cocreationsmanager.com/ 

  <https://pixel.salesfla.re/img/73d10c5ea4770e89b417f7082ecc684f> 

 

On Wed, Mar 27, 2019 at 10:58 AM SCOTT PACKARD via clamav-users <clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net> > wrote:

There's almost nothing going on on your web site http://tucson-az-cpa.com/.  It should be an easy job to restore it from whatever offline source you have.

If all you're worried about is "visitors to your site they get a message that the site is unsecured", I think getting https:// going is what you're after.

Maybe go and read https://letsencrypt.org/ .

 

Regards, Scott

 

From: clamav-users <clamav-users-bounces at lists.clamav.net <mailto:clamav-users-bounces at lists.clamav.net> > On Behalf Of MOHAMED OMAR MAKRAM via clamav-users
Sent: Wednesday, March 27, 2019 10:32 AM
To: ClamAV users ML <clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net> >
Cc: MOHAMED OMAR MAKRAM <adamupaccounting at gmail.com <mailto:adamupaccounting at gmail.com> >; J.R. <themadbeaker at gmail.com <mailto:themadbeaker at gmail.com> >
Subject: [External] Re: [clamav-users] Installing question

 

I've had this for few months. The only thing i was able to do is to pay for virus protection but it is so expensive. 

Is there a way to find those hidden files? Do you think they are in the db or in the files? 

I am moving out to another server right now. Is there a good process to do this without copying the virus along with the files?

 

Thanks for your help



 

On Wed, Mar 27, 2019 at 10:13 AM J.R. via clamav-users <clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net> > wrote:

> I do not know if the virus is on the server, in the files, or in the db.
> Here is what I know:
> Under each folder of each site, files appear with a name such as:
> f68z319m.php
> When visitors go to my websites, they get a message that the site is
> unsecured
>
> Does this information help identify the issue, or where to look for the
> virus?

Did you look at the contents of those files? Sounds like someone is
exploiting code to upload files which could then be used to do all
sorts of nasty things. That could be an issue with drupal or packages
on your system being out of date. Often that is just the first step
and once they upload one file they use it to upload a lot more in
hidden directories and modifying files and such...

I hope you have a recent backup...

_______________________________________________

clamav-users mailing list
clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net> 
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml




 

-- 

Mohamed Omar Makram, CPA

Osiris CPA, PLLC <http://tucson-az-cpa.com/> 

Tele: (520) 906-1863

Fax: (520) 448-0706

 


_______________________________________________

clamav-users mailing list
clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net> 
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml




 

-- 

Mohamed Omar Makram, CPA

Osiris CPA, PLLC <http://tucson-az-cpa.com/> 

Tele: (520) 906-1863

Fax: (520) 448-0706

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20190327/724e8805/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 823 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20190327/724e8805/attachment.jpg>


More information about the clamav-users mailing list