The virus alert message to start the day.

Checking your log files

In August 2020, ImunifyAV reported that it found malware in a file on my website. Troubleshooting a virus alert from ImunifyAV became that day’s task. These are the steps I took to correct the problem.

I found this because I check my system logs for possible problems on a regular basis. Today, I spotted a potential problem and investigated it.

The software versions involved.

The following are the impacted software packages and versions I am running in my environment.

ImunifyAV is the anti-virus scanner I use on our server.
  • imunifyAV 4.9.6-8
  • cPanel 88.0.13
  • Analog 6.0

Where to find the logs and what it reported

To find the ImunifyAV dashboard within cPanel, go to HOME >> Plugins >> ImunifyAV.

Under the Users tab, ImunifyAV reports one threat and the account associated with it.

Under the Files tab it lists the infected file. In this case it reports the following information.

Scan Date: August 10, 2020 5:49 PM
Username: $user
File: /home/$user/tmp/analog/cache
Reason: SMW-INJ-04278-php.bkdr-7
Status: Infected

Decoding the ImunifyAV reason code and information on the class of malware

To decode the ImunifyAV reason codes, see the ImunifyAV documentation. The following is this malware alert decoded.

SMW - Server Malware
INJ - Injection
04278 is the ID number of the signature
php.bkdr is the category and class of the malware
7 is the version number of the signature
PHP Backdoor Code in the logs

The flagged malware is a PHP backdoor. If you are concerned that you already have a PHP or WordPress backdoor, check out this article on WPSec.

The flagged file and its use

The directory /home/$user/tmp/analog is where Analog stores its statistics files, and the cache file is where Analog keeps all of its accumulated data.

If you look at the header of the file, you will see the following:

CACHE type 5 produced by analog 6.0/Unix. Do not modify or delete!

This cache file can grow very large. For a discussion on deleting the file, see this post on the cPanel forums: http://forums.cpanel.net/f5/analog-stat … 12066.html

If you delete the file, Analog will just recreate it. You will lose all the statistics gathered up to the time you delete it, but afterwards Analog will continue to collect statistics and save them to that file.

Web Log Analyzers on cPanel

cPanel provides three different web log analysis programs: AWStats, Analog Stats and Webalizer. Analog is not as well supported as the other two; its last major update was in December 2004. See Wikipedia: Analog (program) for more details.

The Analog Stats application

The Analog configuration on a cPanel host can be found here:

/usr/local/cpanel/3rdparty/bin/analog.cfg

For Analog documentation, see the Analog GSP Readme.

If you don’t plan to use Analog, you can disable caching by setting the following directive in analog.cfg:

CACHEOUTFILE none

This disables caching for all users on the host, so it must be done by the host admin.

Reading the Analog cache file

To research this further, I looked into the contents of the cache file to see what had triggered the virus alert. The following is a rough translation of the various record types within the cache file. Of concern is record type 1, and specifically the information passed to the web server in the URL.

  • T
  • D Date range
  • 1. File requested; field 14 is the file requested
  • 2. Not used
  • 3. Referer URL
  • 4. Browser info
  • 5. IP address
  • z appears to be date info
  • c server response code (200, 301, 302, 404, etc.)

To list all of the URLs, use the following command. A review of cache.out showed that a potential malicious payload had been included in a URL sent to the server.

grep -v 184 cache | grep "^1" | cut -f13 | sort -n > cache.out
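The same triage step as the grep/cut pipeline above, written out as an added example (not code from the original post or from Analog): it pulls the requested-file column out of every type-1 record and flags any URL whose decoded form carries PHP code markers, which is what made the signature fire. The cache layout below is constructed for the example, and the URL column index is an assumption that defaults to column 13 to match the cut command.

```python
import re
from urllib.parse import unquote

# Constructed sample of Analog cache records (tab-separated, record type in
# column 1). Real cache files have many more columns; only the layout the
# post describes is assumed here: type-1 rows carry the requested file.
SAMPLE_CACHE = """\
CACHE type 5 produced by analog 6.0/Unix. Do not modify or delete!
T\t1596758400\t1597104000
D\t20200801\t20200810
1\t3\t0\t0\t0\t0\t0\t0\t0\t0\t0\t0\t/index.html\t0
1\t1\t0\t0\t0\t0\t0\t0\t0\t0\t0\t0\t/wp-login.php?a=eval(base64_decode(%27aGk%3D%27))\t0
1\t2\t0\t0\t0\t0\t0\t0\t0\t0\t0\t0\t/images/logo.png\t0
3\t1\t0\t0\t0\t0\t0\t0\t0\t0\t0\t0\thttps://example.org/\t0
5\t1\t0\t0\t0\t0\t0\t0\t0\t0\t0\t0\t203.0.113.5\t0
c\t404\t7
"""

# Markers that show up when PHP source is pushed through a query string.
INJECTION_MARKERS = re.compile(
    r"(<\?php|eval\s*\(|base64_decode\s*\(|system\s*\(|passthru\s*\(|shell_exec\s*\()",
    re.IGNORECASE,
)


def requested_urls(cache_text, url_field=13):
    """Return the requested-file column of every type-1 record, sorted.
    url_field is 1-based to match `cut -f13` (assumed column layout)."""
    urls = []
    for line in cache_text.splitlines():
        fields = line.split("\t")
        # The header line and other record types never start with "1".
        if fields[0] != "1" or len(fields) < url_field:
            continue
        urls.append(fields[url_field - 1])
    return sorted(urls)


def flag_suspicious(urls):
    """Return (raw_url, decoded_url) pairs whose decoded form has a PHP marker."""
    hits = []
    for url in urls:
        decoded = unquote(url)  # percent-encoding hides the markers from grep
        if INJECTION_MARKERS.search(decoded):
            hits.append((url, decoded))
    return hits


if __name__ == "__main__":
    for raw, decoded in flag_suspicious(requested_urls(SAMPLE_CACHE)):
        print(f"suspicious request recorded in cache: {decoded}")
```

Run it over the real cache with `requested_urls(open("cache").read())` to get the same list the shell pipeline writes to cache.out, plus the flagged subset.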

Corrective Action Taken

In the end I felt comfortable that it was a non-threat. I cleared out the file using the following command. Analog will still produce reports, but only from the current logs rather than any cached data. Over time, it will rebuild the cache with new data.

> cache

Conclusion

At the end of the day, troubleshooting a virus alert from ImunifyAV turned out to be a quick task.

A hacker had submitted backdoor code in a URL. The attempt failed, but it was recorded in the Analog statistics cache, which is what the scanner flagged. If it occurs again, I will just disable Analog Stats and rely upon Webalizer or AWStats.

Future Work

My next task is to review the three web log analyzers installed on the host and decide whether I even need to keep Analog Stats.
