Question: |
Hello, I ran AI-Bolit over my space on the server. In the site folders (6 sites) it found nothing. But besides the site folders there are other folders and files in my web space (I use cPanel), and a number of questions came up.
1. There is a "tmp" folder. Why is it there?
2. It found suspicious items in:
/tmp/analog/victor-polikarpov.zakon63.ru/cache
/tmp/analog/newpravo.pravo.help/cache
tmp/analog/victor-polikarpov.pravo.help/saset
What are these files, and can they be deleted without consequences? |
Answer: |
The tmp folder is a system folder for temporary files and statistics; you cannot delete it. If something was found in the statistics files, it is request signatures.
Question: |
I did not mean deleting the folder itself, only the 3 suspicious files. I am attaching a screenshot with the path, the file name and the suspicious piece of code: http://pravo.help/sites/default/files//55555.png |
Answer: |
These are statistics; there are no malicious files there, but there may be request signatures, which my antivirus detected as malicious code.
Question: |
OK, so just leave them and do nothing? |
Answer: |
Yes, the statistics should be updated.
Question: |
Thank you, another question: in the main directory there is a "mail" folder, and there are also a lot of suspicious items in it. I understand that this is the mail folder and that each of the suspicious files there is a letter that I can remove without consequences? As an example, the file mail/pravo.help/ceo/cur/1457617983.H754426P482085.duna.hostven11.EN,S=4678938_2,RS |
Answer: |
The mail folder contains your mail. The file you gave is one of the letters.
Question: |
Okay, thank you, then I will remove all these suspicious files from mail. I work with Drupal myself; for example, if there is a suspicious file in the website directory, you can simply compare it with the original or replace it with a fresh copy from drupal.org (for example, the site's core files; modules sometimes trigger the antivirus). And what about the other files and folders in the main directory? I understand that these are cPanel files and folders. Is there somewhere to read good information about which folders and files should be on the server? |
Answer: |
Do not delete system folders.
Question: |
You did not understand me, I am not going to just remove something :) I want to know where to find information or guides about these very folders. For example, in the main directory there is a var folder that wasn't there before. My knowledge of Drupal will not help here. |
Answer: |
var was always there. Environment variables are kept there.
Question: |
Then the following needs clarifying: the folder ".cagefs", ".cagefs/tmp/hacked-cache-vpi/hackedProjectWebFilesDownloader/". There are a lot of Drupal files there; it feels like some kind of download cache. What is the directory .cagefs/tmp/hacked-cache-vpi/hackedProjectWebFilesDownloader/? |
Answer: |
This is a system folder that must not be touched in any case. What CageFS is: https://docs.cloudlinux.com/index.html?cagefs.html
Question: |
AI-Bolit reports a lot of suspicious files (a whole list) specifically in the folder .cagefs/tmp/hacked-cache-vpi/hackedProjectWebFilesDownloader/. What is this "hackedProjectWebFilesDownloader"? There are Drupal files and its modules, as well as a sites directory. Can they be removed? |
Answer: |
http://cgit.drupalcode.org/hacked/tree/includes/hackedProjectWebFilesDownloader.inc?id=794c51e40fc1fcc761e2c4c219f56c046debf166 |
Question: |
Do I understand correctly that the hacked module for Drupal (https://www.drupal.org/project/hacked) creates this section? |
Answer: |
Download the file to your local computer, and then delete it from the server.
Question: |
I never got an answer to my question. Once again: do I understand correctly that the hacked module for Drupal (https://www.drupal.org/project/hacked) itself creates the folder "hackedProjectWebFilesDownloader" at .cagefs/tmp/hacked-cache-vpi/hackedProjectWebFilesDownloader? Why then remove anything? |
Answer: |
Did you install this module yourself?
Question: |
Yes, I installed this module. It checks the Drupal website files (core, modules) for changes compared to the reference ("virgin") files. If malicious code is embedded in a file, the module will detect it and display a list of changed files (though not always; there are nuances). As I understand it, this folder "hackedProjectWebFilesDownloader" at .cagefs/tmp/hacked-cache-vpi/hackedProjectWebFilesDownloader stores the reference copies downloaded from www.drupal.org. Right? |
Answer: |
Does it collect them from your site? Can you see the path to the files, where it got them from?
Question: |
It is installed on the primary site pravo.help and checks this website (the "public_html" directory) for changes to core files, modules or Drupal itself. It displays a list of changed files in this directory. Where it gets the reference copies, I don't know. Above, another consultant gave the link http://cgit.drupalcode.org/hacked/tree/includes/hackedProjectWebFilesDownloader.inc?id=794c51e40fc1fcc761e2c4c219f56c046debf166 From it I actually understood that the folder hackedProjectWebFilesDownloader is simply created by this module, and that there are just 3 folders in it for core, modules and themes with Drupal files. |
Answer: |
So it seems.
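The check described in this exchange (a deployed Drupal tree compared against pristine reference files, reporting what changed) can be reproduced without the module. The script below is an added example, not the hacked module's own code and not from the original thread. It hashes every file under a pristine copy and under the deployed copy and reports changed, missing and added paths; the two trees, the file names and the injected redirect line are all constructed sample data for the demo, not real site files.

```python
"""Compare a deployed tree against a pristine reference copy and report changes.

Added example: a minimal file-integrity diff of the kind the Drupal "hacked"
module performs. Paths and contents in demo() are constructed sample data.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_digests(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest.

    Symlinks are skipped so a link pointing outside the tree is not hashed.
    """
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue
            rel = path.relative_to(root).as_posix()
            digests[rel] = sha256_file(path)
    return digests


def compare_trees(pristine: Path, deployed: Path) -> dict:
    """Report files whose content differs, reference files that are gone,
    and files present in the deployment but absent from the reference."""
    ref = tree_digests(pristine)
    cur = tree_digests(deployed)
    return {
        "changed": sorted(p for p in ref if p in cur and ref[p] != cur[p]),
        "missing": sorted(p for p in ref if p not in cur),
        "added": sorted(p for p in cur if p not in ref),
    }


def demo() -> dict:
    """Constructed sample: a pristine copy and a deployed copy where index.php
    gained an injected redirect and a site-specific settings file was added."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = Path(tmp) / "pristine"
        deployed = Path(tmp) / "deployed"
        for root in (pristine, deployed):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text(
                "<?php\nrequire_once 'includes/bootstrap.inc';\n"
            )
            (root / "includes" / "bootstrap.inc").write_text(
                "<?php\nfunction drupal_bootstrap() {}\n"
            )
        # Constructed tampering: an injected redirect appended to a core file.
        with (deployed / "index.php").open("a") as handle:
            handle.write("header('Location: http://example.invalid/');\n")
        # A legitimate site-local file that no reference copy contains.
        (deployed / "sites").mkdir()
        (deployed / "sites" / "settings.php").write_text("<?php\n$databases = [];\n")
        return compare_trees(pristine, deployed)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

"added" entries such as sites/settings.php are expected on any real install, which is why a tool like this needs a list of paths to ignore; "changed" core files are the ones worth opening by hand, and a changed file should be restored from the reference copy rather than edited in place.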
Question: |
Then, in principle, everything checks out. Only 2 suspicions remain:
1. The file /php.ini (without a path, located right in the main directory). Screenshot of the threat: http://pravo.help/sites/default/files//4445.rpdata Fine, I understand it is a configuration file and a false positive?
2. The file .spamassassin/bayes_seen. Screenshot of the threat: http://pravo.help/sites/default/files//4444.rpda I understand this is an anti-spam configuration file. What should I do with it, leave it? |
Answer: |
They are system files; they are not a threat.
Question: |
I understand that they need to be there, but they can also be modified. Did you look at the screenshots? Could malicious code be embedded in them? |
Answer: |
We reviewed the files. There is no embedded code, and in a sense there is nothing to embed in them either. Infection is done by a bot, not a person. Less than 1% of sites are hacked manually. Usually it is a program that looks for a vulnerability and performs standard actions. The actions can be aimed at changing the site code so that it redirects to another website, or at placing files that are phishing pages and spam scripts. It makes no sense to change anything in the statistics files; there is nothing useful (spam, phishing) in it for a hacker, it doesn't pay.
Question: |
Just in case. I had an infection about 2 years ago. There were no signs on the websites, etc. I learned about it only when you told me about the huge amount of spam from my mail (ordinary mailbox names and the domains of my sites). Now I have checked with AI-Bolit not only the folder with the sites and public_html, but my whole directory on the server. Better safe than sorry. Apparently, everything is OK now :) |
Question: |
Thank you! |
Answer: |
You can always check in your billing panel or in a ticket.
Question: |
https://hostrace.net/billing.php?do=aibolit Here? I check the website using the local AI-Bolit. And then what? |
Answer: |
The server version is for partners. We download updates directly.
Question: |
Thank you, I will keep it in mind for the future. |
Question: |
And the link your consultant sent earlier, http://cgit.drupalcode.org/hacked/tree/includes/hackedProjectWebFilesDownloader.inc?id=794c51e40fc1fcc761e2c4c219f56c046debf166 What does it mean, after all? I never did understand it to the end. |
Answer: |
We know what it means; we searched for the answer to your question about the folder and came across this Drupal module.
Question: |
Okay, thank you!!! |
Answer: |
ok
|