One of our client server’s was affected by virus and he can’t control it. And he is aks me to look into the issues. I have verified on server and found that one account got affected severely and run the below steps to remove it.
Note : If you installed the clamav from WHM Plugin, your clamav installation location is follow. If you installed manually find the exact path and use it according that.
1) How to run clamscan to particular user account in cpanel server ?
Use the below method to run the clamscan to particular user account. Change your username according that. I’m going to run the scan to iconbuil account because i have found that few infected files this account. You will be got the output smiler like below. After completing the scan
# /usr/local/cpanel/3rdparty/bin/clamscan -ri /home/iconbuil/public_html LibClamAV Warning: ************************************************** LibClamAV Warning: *** The virus database is older than 7 days! *** LibClamAV Warning: *** Please update it as soon as possible. *** LibClamAV Warning: ************************************************** LibClamAV Warning: Detected duplicate databases /usr/local/cpanel/3rdparty/share/clamav/main.cvd and /usr/local/cpanel/3rdparty/share/clamav/main.cld. The /usr/local/cpanel/3rdparty/share/clamav/main.cvd database is older and will not be loaded, you should manually remove it from the database directory. /home/iconbuil/public_html/wp-content/plugins/tinymce-advanced/css/index2CDEN.php: PHP.Trojan.Spambot FOUND /home/iconbuil/public_html/wp-content/themes/twentyeleven/images/infocf5D.php: PHP.Trojan.Spambot FOUND ----------- SCAN SUMMARY ----------- Known viruses: 3914119 Engine version: 0.98.1 Scanned directories: 257 Scanned files: 2066 Infected files: 2 Data scanned: 61.04 MB Data read: 43.68 MB (ratio 1.40:1) Time: 17.003 sec (0 m 17 s)
Verify the infected files and remove it.
The major common options for clamav command.
-r: To check files Recursively.
-i: To show only Infected files.
2) How to run clamscan to all account in cpanel server ?
Use the below method to run the clamscan to all user account. I’m going to run the scan to all user account on server. You will be got the output smiler like below. After completing the scan
# /usr/local/cpanel/3rdparty/bin/clamscan -ri /home LibClamAV Warning: ************************************************** LibClamAV Warning: *** The virus database is older than 7 days! *** LibClamAV Warning: *** Please update it as soon as possible. *** LibClamAV Warning: ************************************************** LibClamAV Warning: SWF: Invalid tag length. LibClamAV Warning: SWF: Invalid tag length. LibClamAV Warning: SWF: Invalid tag length. LibClamAV Warning: SWF: Invalid tag length. LibClamAV Warning: SWF: Invalid tag length. LibClamAV Warning: SWF: Invalid tag length. LibClamAV Warning: SWF: Invalid tag length. LibClamAV Warning: SWF: Invalid tag length. /home/wwwrival/mail/rivalcloth.com/rajkumar/cur/1369241351.H225665P9618.pulzar.websitedns.in,S=13655:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND /home/forefor/mail/new/1361984937.H541722P30696.iaaxin.in,S=9982: Heuristics.Phishing.Email.SpoofedDomain FOUND /home/forefor/mail/new/1369690920.H24514P2643.pulzar.websitedns.in,S=9844: Heuristics.Phishing.Email.SpoofedDomain FOUND /home/forefor/mail/new/1362076650.H603724P3839.iaaxin.in,S=9944: Heuristics.Phishing.Email.SpoofedDomain FOUND LibClamAV Warning: SWF: Invalid tag length. ----------- SCAN SUMMARY ----------- Known viruses: 3914119 Engine version: 0.98.1 Scanned directories: 70469 Scanned files: 1688827 Infected files: 32 Data scanned: 23658.66 MB Data read: 44894.86 MB (ratio 0.53:1) Time: 7090.407 sec (118 m 10 s)
Verify the infected files and remove it.
3) How to run clamscan to public_html directory for all account in cpanel server ?
Use the below method to run the clamscan to public_html directory for all account in cpanel server
# /usr/local/cpanel/3rdparty/bin/clamscan -ri /home/*/public_html
4) How to remove infected file while scanning itself ?
Use the below method to run the clamscan to remove infected file while scanning itself.
# /usr/local/cpanel/3rdparty/bin/clamscan -ri --remove /home/*/public_html
