
Malware got in my server through Chevereto

Status
Not open for further replies.

Papay

Chevereto Member
I installed Chevereto v2.5.9 on my server last month. A few days ago my provider sent me an abuse ticket saying that I have malware on my server. There's a resuzx.php file hiding on my server. I searched for it on my server and found it in both /home/kloxo/httpd/default/resuzx.php and /home/administrator/chevereto/cgi-bin/resuzx.php

I immediately deleted both files. At first I thought it was my WordPress; I spent hours trying to check for malicious code, and I even reinstalled fresh WordPress files, themes and plugins.

I haven't done any modifications to the Chevereto v2.5.9 script, just the basic setup and changed the logo. Any idea how the malware got in there? Should I upgrade to v3 now? Thanks
 
We don't use the cgi-bin folder and Chevereto doesn't touch any folder above its root path. This is most likely a server issue rather than a script issue. You have to understand that any script runs on top of the server, so if the server has any bug or insecurity, it ends up with things like this. Most likely you have a bad server setup or public folder setup, and that will always be a way to put malicious files in. If you like, you can send me the resuzx.php files at inbox@chevereto.com and I will check what they do or how they placed them on your server.
 
Thanks for the info Rodolfo, I panicked and deleted it using PuTTY. Is there something like a recycle bin in CentOS? I'm not really familiar with Linux. Next time I'll make sure I get a copy of the malware for further checking. I will inform my provider now that it's their server and not your script. Thanks for the clarification Rodolfo.
 
A deep investigation is needed to know exactly the reason for this and to confirm whether or not Chevereto was involved. Log files should be there in your hosting: things like logins, incoming transfers and so on. That should be the work of your server administrator. If it happens again, don't panic and don't delete the files; just send them to me, and perhaps a comment or something can lead us to the source of that.
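
Added example, not part of the thread and not Chevereto code: one way to preserve a suspicious file instead of deleting it, and to pull the matching requests out of a web access log. The log lines, the `/example/form.php` path and the function names are constructed for illustration; the Apache combined log format is an assumption about the server.

```python
import hashlib, json, os, re, shutil
from pathlib import Path

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = '''\
203.0.113.7 - - [02/Mar/2014:10:15:01 +0000] "POST /example/form.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [02/Mar/2014:10:15:09 +0000] "GET /cgi-bin/resuzx.php?x=1 HTTP/1.1" 200 1337 "-" "-"
198.51.100.4 - - [02/Mar/2014:11:00:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "-"
'''
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def quarantine(path, dest_dir):
    """Record hash and metadata of a suspicious file, then move it out of the web root."""
    src = Path(path)
    st = src.stat()  # read before moving: a move can change ctime
    record = {
        "original_path": str(src.resolve()),
        "sha256": hashlib.sha256(src.read_bytes()).hexdigest(),
        "size": st.st_size, "mode": oct(st.st_mode & 0o7777),
        "uid": st.st_uid, "gid": st.st_gid,  # owner hints at which account wrote it
        "mtime": st.st_mtime, "ctime": st.st_ctime,
    }
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    kept = dest / (record["sha256"] + ".quarantined")
    shutil.move(str(src), str(kept))  # identical copies share one stored file
    os.chmod(kept, 0o400)             # read-only, not executable
    with open(dest / "manifest.jsonl", "a") as fh:  # one line per path found
        fh.write(json.dumps(record) + "\n")
    return record

def requests_for(log_text, filename):
    """Return requests whose path ends in `filename`, plus every other
    request from the same client addresses (what they did before and after)."""
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ip, when, method, url, status = m.groups()
            rows.append({"ip": ip, "time": when, "method": method,
                         "path": url.split("?", 1)[0], "status": int(status)})
    hits = [r for r in rows if r["path"].rsplit("/", 1)[-1] == filename]
    ips = {r["ip"] for r in hits}
    related = [r for r in rows if r["ip"] in ips and r not in hits]
    return {"hits": hits, "related": related}
```

The recorded owner, timestamps and hash are what an administrator can line up against login and transfer logs; the quarantine directory should sit outside any web-served path.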
 