If the malware files keep returning, you better check your site permissions and extensions/modules on the site. Moving it to a different hosting company won’t fix it.
Terry
From: clamav-users <clamav-users-bounces@lists.clamav.net <mailto:clamav-users-bounces@lists.clamav.net> > On Behalf Of MOHAMED OMAR MAKRAM via clamav-users
Sent: Wednesday, March 27, 2019 12:26 PM
To: ClamAV users ML <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net> >
Cc: MOHAMED OMAR MAKRAM <adamupaccounting@gmail.com <mailto:adamupaccounting@gmail.com> >
Subject: {Disarmed} Re: [clamav-users] Installing question
Thank you, Scott, but that is not the site I am worried about, and I don't have a problem currently because I am paying for virus protection and a firewall at $21 per month for each site.
I want to stop paying for a virus and a firewall for all my sites and move it out from GoDaddy and put it into Hostgator. I am done with GoDaddy. Right now you won't be able to see any issues because the virus-created files are quarantined. The minute I stop paying for the virus scan and firewall, even if I deleted those quarantined files, I will have them coming back again and again.
My sites are:
<
https://llink.to/?u=https:%2F%2Fwww.twelvestepjournaling.com%2F&e=465642cfc9f048e98cc85ab6a7990aa6> MailScanner has detected a possible fraud attempt from "llink.to" claiming to be
https://www.twelvestepjournaling.com/ <
https://llink.to/?u=https:%2F%2Fwww.intentionalbeings.com%2F&e=465642cfc9f048e98cc85ab6a7990aa6> MailScanner has detected a possible fraud attempt from "llink.to" claiming to be
https://www.intentionalbeings.com/ <
https://llink.to/?u=https:%2F%2Fwww.cocreationsmanager.com%2F&e=465642cfc9f048e98cc85ab6a7990aa6> MailScanner has detected a possible fraud attempt from "llink.to" claiming to be
https://www.cocreationsmanager.com/ <
https://pixel.salesfla.re/img/73d10c5ea4770e89b417f7082ecc684f>
On Wed, Mar 27, 2019 at 10:58 AM SCOTT PACKARD via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net> > wrote:
There's almost nothing going on on your web site
http://tucson-az-cpa.com/. It should be an easy job to restore it from whatever offline source you have.
If all you're worried about is "visitors to your site they get a message that the site is unsecured", I think getting https:// going is what you're after.
Maybe go and read
https://letsencrypt.org/ .
Regards, Scott
From: clamav-users <clamav-users-bounces@lists.clamav.net <mailto:clamav-users-bounces@lists.clamav.net> > On Behalf Of MOHAMED OMAR MAKRAM via clamav-users
Sent: Wednesday, March 27, 2019 10:32 AM
To: ClamAV users ML <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net> >
Cc: MOHAMED OMAR MAKRAM <adamupaccounting@gmail.com <mailto:adamupaccounting@gmail.com> >; J.R. <themadbeaker@gmail.com <mailto:themadbeaker@gmail.com> >
Subject: [External] Re: [clamav-users] Installing question
I've had this for few months. The only thing i was able to do is to pay for virus protection but it is so expensive.
Is there a way to find those hidden files? Do you think they are in the db or in the files?
I am moving out to another server right now. Is there a good process to do this without copying the virus along with the files?
Thanks for your help
On Wed, Mar 27, 2019 at 10:13 AM J.R. via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net> > wrote:
> I do not know if the virus is on the server, in the files, or in the db.
> Here is what I know:
> Under each folder of each site, files appear with a name such as:
> f68z319m.php
> When visitors go to my websites, they get a message that the site is
> unsecured
>
> Does this information help identify the issue, or where to look for the
> virus?
Did you look at the contents of those files? Sounds like someone is
exploiting code to upload files which could then be used to do all
sorts of nasty things. That could be an issue with drupal or packages
on your system being out of date. Often that is just the first step
and once they upload one file they use it to upload a lot more in
hidden directories and modifying files and such...
I hope you have a recent backup...
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml --
Mohamed Omar Makram, CPA
Osiris CPA, PLLC <
http://tucson-az-cpa.com/>
Tele: (520) 906-1863
Fax: (520) 448-0706
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml --
Mohamed Omar Makram, CPA
Osiris CPA, PLLC <
http://tucson-az-cpa.com/>
Tele: (520) 906-1863
Fax: (520) 448-0706