Mailing List Archive

[clamav-users] Installing question
hi there,
I am new here and I don't know how to use drush or command line. Can I
still install clamav? Is there an installation guide for absolute beginners
like me?

I have a virus on my server and I have no idea where to begin to get rid of
it. I have four sites, all are personal sites and all are drupal.

Please guide me in the right direction.
Thank You
Yogiart
Re: [clamav-users] Installing question [ In reply to ]
> I am new here and I don't know how to use drush or command line. Can I
> still install clamav? Is there an installation guide for absolute beginners
> like me?

What OS? Windows there is an exe that has a GUI. Linux distros
typically have their own packages which you would install through your
OS's package manager.

There's lots of guides out there, just have to google...

> I have a virus on my server and I have no idea where to begin to get rid of
> it. I have four sites, all are personal sites and all are drupal.

If drupal got exploited, you are going to have bigger issues and
probably more than what ClamAV will find.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Installing question [ In reply to ]
* MOHAMED OMAR MAKRAM via clamav-users:

> I have a virus on my server and I have no idea where to begin to get
> rid of it. I have four sites, all are personal sites and all are
> drupal.

If you are really certain that there is a virus on your server, my
recommendation is to re-install that server from scratch. Of course, you
need to be careful when restoring data from your backups not to include
the virus.

-Ralph

Re: [clamav-users] Installing question [ In reply to ]
I agree with what J.R. said regarding "bigger issues". ClamAV and other anti-malware tools may help you detect malware before it runs on your machine, but they are not sufficient to get rid of it if your system has already been compromised. It would be safest to rescue your data offline and reinstall your operating system from scratch. Hopefully you have backups you can revert to, if a fresh reinstall isn't an option for you. This is personal advice, and I take no responsibility for any data loss you may incur. This mailing list is also not the best avenue for incident response advice.

For those wishing to use ClamAV, we do have step-by-step instructions to install ClamAV for a handful of operating systems using the materials we publish:

Windows - http://www.clamav.net/documents/installing-clamav-on-windows
Debian & Ubuntu - https://www.clamav.net/documents/installation-on-debian-and-ubuntu-linux-distributions
Redhat & CentOS - https://www.clamav.net/documents/installation-on-redhat-and-centos-linux-distributions
macOS - https://www.clamav.net/documents/installation-on-macos-mac-os-x

Regards,
Micah

Re: [clamav-users] Installing question [ In reply to ]
I do not know if the virus is on the server, in the files, or in the db.
Here is what I know:
Under each folder of each site, files appear with a name such as:
f68z319m.php
When visitors go to my websites, they get a message that the site is
unsecured

Does this information help identify the issue, or where to look for the
virus?

Thank you. I am really desperate for help.

Re: [clamav-users] Installing question [ In reply to ]
> I do not know if the virus is on the server, in the files, or in the db.
> Here is what I know:
> Under each folder of each site, files appear with a name such as:
> f68z319m.php
> When visitors go to my websites, they get a message that the site is
> unsecured
>
> Does this information help identify the issue, or where to look for the
> virus?

Did you look at the contents of those files? Sounds like someone is
exploiting code to upload files which could then be used to do all
sorts of nasty things. That could be an issue with drupal or packages
on your system being out of date. Often that is just the first step
and once they upload one file they use it to upload a lot more in
hidden directories and modifying files and such...

I hope you have a recent backup...

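A read-only triage pass over a Drupal 7 docroot for the kind of dropped files described in the reply above, as an added example that is not part of the original thread or of ClamAV. The `sites/<site>/files` upload location check, the name heuristic, the content regex and all function names are assumptions of this example, and the sample tree is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

PHP_EXTS = {".php", ".phtml", ".php5", ".phar"}
# Assumed name heuristic: short lowercase stem mixing letters and digits,
# like the f68z319m.php reported in the thread.
GENERATED_STEM = re.compile(r"^[a-z0-9]{6,12}$")
# Assumed content heuristic: eval() wrapped directly around a decoder call.
OBFUSCATED = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def looks_generated(stem):
    """True for stems such as 'f68z319m': 6-12 chars, >=2 digits and >=2 letters."""
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return bool(GENERATED_STEM.match(stem)) and digits >= 2 and letters >= 2


def triage(docroot):
    """Return {relative_path: [reasons]} for PHP files that deserve a manual look."""
    root = Path(docroot)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):  # os.walk also descends dot-directories
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in PHP_EXTS:
                continue
            parts = path.relative_to(root).parts
            reasons = []
            # Drupal 7 keeps uploads under sites/<site>/files; no PHP belongs there.
            if len(parts) > 3 and parts[0] == "sites" and parts[2] == "files":
                reasons.append("PHP in upload directory")
            if any(p.startswith(".") for p in parts[:-1]):
                reasons.append("PHP in hidden directory")
            if looks_generated(path.stem):
                reasons.append("generated-looking name")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(256 * 1024)  # the first 256 KiB is enough for the regex
            except OSError:
                head = b""
                reasons.append("unreadable")
            if OBFUSCATED.search(head):
                reasons.append("eval-of-decoder pattern")
            if reasons:
                findings["/".join(parts)] = reasons
    return findings


def build_sample_site(base):
    """Write a constructed sample tree; every file is an inert placeholder."""
    samples = {
        "index.php": "<?php // constructed stand-in for the front controller\n",
        "sites/default/settings.php": "<?php // constructed stand-in\n",
        "includes/f68z319m.php": "<?php // constructed placeholder\n",
        "sites/default/files/styles/thumb.php": "<?php // constructed placeholder\n",
        "sites/default/files/.cache/x7k2p9qa.php":
            "<?php eval(base64_decode('CONSTRUCTED-SAMPLE'));\n",
        "sites/default/files/logo.png": "not really an image (constructed)\n",
    }
    for rel, body in samples.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, reasons in sorted(triage(tmp).items()):
            print(f"{rel}: {', '.join(reasons)}")
```

Hits are leads for manual review, not verdicts, and a clean result does not show the site is uncompromised.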
Re: [clamav-users] Installing question [ In reply to ]
I've had this for a few months. The only thing I was able to do is to pay for
virus protection but it is so expensive.
Is there a way to find those hidden files? Do you think they are in the
db or in the files?
I am moving out to another server right now. Is there a good process to do
this without copying the virus along with the files?

Thanks for your help



--
*Mohamed Omar Makram, CPA*
*Osiris CPA, PLLC <http://tucson-az-cpa.com/>*
*Tele: (520) 906-1863*
*Fax: (520) 448-0706*
Re: [clamav-users] Installing question [ In reply to ]
There's almost nothing going on on your web site http://tucson-az-cpa.com/. It should be an easy job to restore it from whatever offline source you have.
If all you're worried about is "visitors to your site they get a message that the site is unsecured", I think getting https:// going is what you're after.
Maybe go and read https://letsencrypt.org/ .

Regards, Scott

Re: [clamav-users] Installing question [ In reply to ]
Thank you, Scott, but that is not the site I am worried about, and I don't
have a problem currently because I am paying for virus protection and a
firewall at $21 per month for each site.
I want to stop paying for a virus and a firewall for all my sites and move
it out from GoDaddy and put it into Hostgator. I am done with GoDaddy.
Right now you won't be able to see any issues because the virus-created
files are quarantined. The minute I stop paying for the virus scan and
firewall, even if I deleted those quarantined files, I will have them
coming back again and again.


My sites are:
https://www.twelvestepjournaling.com/
https://www.intentionalbeings.com/
https://www.cocreationsmanager.com/




--
*Mohamed Omar Makram, CPA*
*Osiris CPA, PLLC <http://tucson-az-cpa.com/>*
*Tele: (520) 906-1863*
*Fax: (520) 448-0706*
Re: [clamav-users] Installing question [ In reply to ]
If the malware files keep returning, you better check your site permissions and extensions/modules on the site. Moving it to a different hosting company won’t fix it.

Terry



Re: [clamav-users] Installing question [ In reply to ]
Thank you, Terry,
Can you help me narrow down how to learn or follow your advice of checking
the site permissions and extensions/modules? I am using Drupal 7.
Do you know of a step-by-step guide to doing that for a newbie like myself?









--
*Mohamed Omar Makram, CPA*
*Osiris CPA, PLLC <http://tucson-az-cpa.com/>*
*Tele: (520) 906-1863*
*Fax: (520) 448-0706*
Re: [clamav-users] Installing question [ In reply to ]
Hello,

On Thu, 28 Mar 2019, MOHAMED OMAR MAKRAM wrote:

> I've had this for few months. The only thing i was able to do is to
> pay for virus protection but it is so expensive. Is there a way to
> find those hidden files? Do you think they are in the db or in the
> files? I am moving out to another server right now. Is there a good
> process to do this without copying the virus along with the files?

Firstly, you have already been told that this is not the right mailing
list for your questions. Many such lists and similar resources exist.
Search for them.

Secondly, even if you were to install ClamAV, with your current level
of skill you would not be able to use it to solve your problems. In
my view, ClamAV is not now and never will be capable of solving them
because that is not why it was developed. As far as I can tell its
main attraction for you is that it is free, and that people on this
mailing list support it for free. It would be far better for you to
find out what your problem is before you try to implement a solution.
If you must pay for it, then you need to do a cost-benefit analysis.

Thirdly, if you are making Websites available on the public Internet
and those Websites are not properly secured, and indeed have already
been compromised, then you represent a danger, not only to the people
who visit those sites, but also to *any* Internet-connected equipment.
That is both irresponsible and reprehensible. The fact that you have
ignored advice that your questions are inappropriate for this mailing
list probably tells us how much you have thought about that, or care.

My advice is to stop what you are doing until either you can find
someone competent to do it safely for you, or you become sufficiently
competent to do it safely yourself.

There is no quick HOWTO for the impatient. Please do not willfully
add to the problems that the rest of us have to face daily.

--

73,
Ged.

Re: [clamav-users] Installing question [ In reply to ]
G.W.,
Sorry for adding to your daily problems. I didn't know this isn't the place
to get the help I need, and I don't have issues in my sites as long as I am
still paying for the high-priced firewall and virus scan.
I am not impatient. I couldn't find a solution nor a place to find an
answer yet. I am here attempting to find that solution or to find the place
where I can search for it. There is no good support that I know on
drupal.org,
nor for Drupal period. I can post a question and wait months before someone
could see it.

Do you project your life's problems on others all the time? You could've
just said that this isn't the place to get help for that issue or you can
just say where can I find the help I need (besides google it). I am not
here disrespecting others. I am looking for help. If it isn't the place for
it, I will gladly leave but some people did give me some helpful feedback.



On Thu, Mar 28, 2019 at 10:04 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hello,
>
> On Thu, 28 Mar 2019, MOHAMED OMAR MAKRAM wrote:
>
> > I've had this for a few months. The only thing I was able to do is to
> > pay for virus protection but it is so expensive. Is there a way to
> > find those hidden files? Do you think they are in the db or in the
> > files? I am moving out to another server right now. Is there a good
> > process to do this without copying the virus along with the files?
>
> Firstly, you have already been told that this is not the right mailing
> list for your questions. Many such lists and similar resources exist.
> Search for them.
>
> Secondly, even if you were to install ClamAV, with your current level
> of skill you would not be able to use it to solve your problems. In
> my view, ClamAV is not now and never will be capable of solving them
> because that is not why it was developed. As far as I can tell its
> main attraction for you is that it is free, and that people on this
> mailing list support it for free. It would be far better for you to
> find out what your problem is before you try to implement a solution.
> If you must pay for it, then you need to do a cost-benefit analysis.
>
> Thirdly, if you are making Websites available on the public Internet
> and those Websites are not properly secured, and indeed have already
> been compromised, then you represent a danger, not only to the people
> who visit those sites, but also to *any* Internet-connected equipment.
> That is both irresponsible and reprehensible. The fact that you have
> ignored advice that your questions are inappropriate for this mailing
> list probably tells us how much you have thought about that, or care.
>
> My advice is to stop what you are doing until either you can find
> someone competent to do it safely for you, or you become sufficiently
> competent to do it safely yourself.
>
> There is no quick HOWTO for the impatient. Please do not willfully
> add to the problems that the rest of us have to face daily.
>
> --
>
> 73,
> Ged.