If the malware files keep returning, you better check your site permissions and extensions/modules on the site. Moving it to a different hosting company won’t fix it.
Terry From: clamav-users <clamav-users-boun...@lists.clamav.net <mailto:clamav-users-boun...@lists.clamav.net> > On Behalf Of MOHAMED OMAR MAKRAM via clamav-users Sent: Wednesday, March 27, 2019 12:26 PM To: ClamAV users ML <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net> > Cc: MOHAMED OMAR MAKRAM <adamupaccount...@gmail.com <mailto:adamupaccount...@gmail.com> > Subject: {Disarmed} Re: [clamav-users] Installing question Thank you, Scott, but that is not the site I am worried about, and I don't have a problem currently because I am paying for virus protection and a firewall at $21 per month for each site. I want to stop paying for a virus and a firewall for all my sites and move it out from GoDaddy and put it into Hostgator. I am done with GoDaddy. Right now you won't be able to see any issues because the virus-created files are quarantined. The minute I stop paying for the virus scan and firewall, even if I deleted those quarantined files, I will have them coming back again and again. My sites are: <https://llink.to/?u=https:%2F%2Fwww.twelvestepjournaling.com%2F&e=465642cfc9f048e98cc85ab6a7990aa6> MailScanner has detected a possible fraud attempt from "llink.to" claiming to be https://www.twelvestepjournaling.com/ <https://llink.to/?u=https:%2F%2Fwww.intentionalbeings.com%2F&e=465642cfc9f048e98cc85ab6a7990aa6> MailScanner has detected a possible fraud attempt from "llink.to" claiming to be https://www.intentionalbeings.com/ <https://llink.to/?u=https:%2F%2Fwww.cocreationsmanager.com%2F&e=465642cfc9f048e98cc85ab6a7990aa6> MailScanner has detected a possible fraud attempt from "llink.to" claiming to be https://www.cocreationsmanager.com/ <https://pixel.salesfla.re/img/73d10c5ea4770e89b417f7082ecc684f> On Wed, Mar 27, 2019 at 10:58 AM SCOTT PACKARD via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net> > wrote: There's almost nothing going on on your web site http://tucson-az-cpa.com/. It should be an easy job to restore it from whatever offline source you have. If all you're worried about is "visitors to your site they get a message that the site is unsecured", I think getting https:// going is what you're after. Maybe go and read https://letsencrypt.org/ . Regards, Scott From: clamav-users <clamav-users-boun...@lists.clamav.net <mailto:clamav-users-boun...@lists.clamav.net> > On Behalf Of MOHAMED OMAR MAKRAM via clamav-users Sent: Wednesday, March 27, 2019 10:32 AM To: ClamAV users ML <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net> > Cc: MOHAMED OMAR MAKRAM <adamupaccount...@gmail.com <mailto:adamupaccount...@gmail.com> >; J.R. <themadbea...@gmail.com <mailto:themadbea...@gmail.com> > Subject: [External] Re: [clamav-users] Installing question I've had this for few months. The only thing i was able to do is to pay for virus protection but it is so expensive. Is there a way to find those hidden files? Do you think they are in the db or in the files? I am moving out to another server right now. Is there a good process to do this without copying the virus along with the files? Thanks for your help On Wed, Mar 27, 2019 at 10:13 AM J.R. via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net> > wrote: > I do not know if the virus is on the server, in the files, or in the db. > Here is what I know: > Under each folder of each site, files appear with a name such as: > f68z319m.php > When visitors go to my websites, they get a message that the site is > unsecured > > Does this information help identify the issue, or where to look for the > virus? Did you look at the contents of those files? Sounds like someone is exploiting code to upload files which could then be used to do all sorts of nasty things. That could be an issue with drupal or packages on your system being out of date. Often that is just the first step and once they upload one file they use it to upload a lot more in hidden directories and modifying files and such... I hope you have a recent backup... _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net> https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml -- Mohamed Omar Makram, CPA Osiris CPA, PLLC <http://tucson-az-cpa.com/> Tele: (520) 906-1863 Fax: (520) 448-0706 _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net> https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml -- Mohamed Omar Makram, CPA Osiris CPA, PLLC <http://tucson-az-cpa.com/> Tele: (520) 906-1863 Fax: (520) 448-0706
_______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
