What to do if Maldet reports a hit (Malware) on your Linux server

Assuming you have configured Maldet to send you notifications of malware hits, once you receive an email warning you will want to know what Maldet has found. Usually a suspected malware hit is moved to the quarantine folder, or, if you have automatic cleaning enabled, Maldet will try to clean the file first. For this guide we're going to use a production server which is used by some of our reseller web hosts.

Maldet has warned us it's found suspected malware in a user's directory:

Maldet Scan Report

So from this report we know the server on which the malware was found (for security we have removed this), the scan ID and some other useful information. We can see this is likely to be a WordPress site because the file was located in a folder called wp-content, and it was moved to the quarantine folder as /usr/local/maldetect/quarantine/db95.php.127046672.

First things first

Just the fact that Maldet has found a hit is reason enough to suspend the account: either the user has uploaded this file or the account is compromised and a malicious user has access to it. As a rule of thumb, we suspend the account straight away. Next, we want to know what the file is and what it was doing on our server.

File Hit List

The file hit list states the file in question matches {HEX}php.base64.v23au.185, and we don't even need to ask Google what that is because we see many of these. {HEX}php.base64.v23au.185 is a program that will churn out thousands of spam emails, which will result in your server's IP address being blacklisted. That won't happen in our case because we impose strict limits on the number of emails our resellers and their customers can send.

Further Steps

As the account is likely compromised, there are a few things the reseller will need to do to get access back to this site. For security, we won't allow users access to their account until they agree to perform some tasks to resolve the situation. As this is a WordPress site they will need to:

  1. Update WordPress to the latest version
  2. Update all plugins to the latest versions
  3. Change all FTP passwords
  4. Change account password

Assuming the user performs the above steps, the account can then be treated as secure again.
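As an added example (not from the original article and not Maldet's own code), here is a small Python triage helper that reads a Maldet scan report, pulls each hit out of the file hit list, works out which account owns the file, checks whether the file actually landed under /usr/local/maldetect/quarantine, and flags wp-content paths so you know the WordPress steps above apply. The hit-line layout and the sample report are assumptions constructed for this example; the scan ID is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

QUARANTINE_DIR = "/usr/local/maldetect/quarantine"
# Assumed hit-line layout: "<signature> : <original path> [=> <quarantine path>]".
HIT_RE = re.compile(r"^(?P<sig>\S+)\s*:\s*(?P<path>\S+)(?:\s*=>\s*(?P<quar>\S+))?\s*$")

# Constructed sample report; the scan ID is a placeholder, not a real value.
SAMPLE_REPORT = """\
SCAN ID: 000000-0000.00000 (placeholder)
FILE HIT LIST:
{HEX}php.base64.v23au.185 : /home/reseller1/public_html/wp-content/uploads/db95.php => /usr/local/maldetect/quarantine/db95.php.127046672
{HEX}php.base64.v23au.185 : /home/site2/public_html/cache/x.php
"""

@dataclass
class Hit:
    signature: str
    path: str
    quarantined: bool       # True only if the file now sits under QUARANTINE_DIR
    account: Optional[str]  # owning account, derived from /home/<user>/...
    wordpress: bool         # path contains wp-content, so the WP steps apply

def account_from_path(path: str) -> Optional[str]:
    # Owner of a /home/<user>/... path, or None for paths outside /home.
    parts = path.split("/")
    return parts[2] if len(parts) > 3 and parts[1] == "home" and parts[2] else None

def parse_report(text: str) -> List[Hit]:
    # One Hit per line in the FILE HIT LIST section; everything above it is skipped.
    hits, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper().startswith("FILE HIT LIST"):
            in_list = True
            continue
        m = HIT_RE.match(line) if in_list else None
        if not m:
            continue
        quar = m.group("quar") or ""  # no "=>" means Maldet left the file in place
        hits.append(Hit(m.group("sig"), m.group("path"),
                        quar.startswith(QUARANTINE_DIR + "/"),
                        account_from_path(m.group("path")),
                        "/wp-content/" in m.group("path")))
    return hits

def triage(text: str) -> dict:
    """Accounts to suspend, hits still live on disk, accounts needing the WordPress steps."""
    hits = parse_report(text)
    return {
        "suspend": sorted({h.account for h in hits if h.account}),
        "still_on_disk": [h.path for h in hits if not h.quarantined],
        "wordpress_steps": sorted({h.account for h in hits if h.wordpress and h.account}),
    }
```

A hit that is listed without a quarantine path is the one to chase first, since the file is still live in the account's web root.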
