Godaddy Malware Email

General General Questions
1

Got this email from Godaday and was wondering if this is something that I need to address or not.

We recently completed a routine security checkup of our servers and platforms. Our scans flagged your mydomain name hosting accounts as containing possible malware.

Please sign in to your hosting account and review the following content and remove or fix the files listed below:

htaccess.spam-seo.suspicious-rewrite.003 - html/.htaccess

rex.multi_vars.004 - html/app/addons/customers_also_bought/init_bck_old.php

rex.link_sequence.001 - html/app/lib/vendor/amazonwebservices/aws-sdk-for-php/_docs/STREAMWRAPPER_README.html

php.backdoor.uploader.006.02 - html/app/lib/vendor/phpmailer/phpmailer/examples/send_file_upload.phps

rex.multi_vars.004 - html/app/payments/paybox_files/_old.php

rex.multi_vars.004 - html/js/addons/discussion/discussion_bck_old.php

rex.multi_vars.004 - html/js/lib/elfinder/_infoold.php

rex.multi_vars.004 - html/var/langs/hr/core_bck_old.php

2

Yes, you most likely have malware from the looks of it.

Tom

3

You should never see a php file in the js directory. That indicates an infection. But before you delete it, scan your entire site (including images) to find where the file is referenced and make the appropriate adjustments. Many of the other files seem to be old files that are not used but seem to have made it into the distributions or you have developers who have modified the files and kept the old ones on the site as backup. I would think the README is a false positive.

4

At one time we had wordpress installed on the same server and it got infected. We removed it a couple of years ago. Some of these file dates are from 2013 to 2015. I just deleted them all except

htaccess.spam-seo.suspicious-rewrite.003 - html/.htaccess

I checked the .htaccess and it looks ok.

Thanks for the help.

And @tbirnseth. What would you recommend for a scanner for our stite?

I used sucuri.net and it checked out ok.

5

Our EZ Admin Helper has a scanner for known cs-cart specific intrusions. It provides lots of other features too (see the Attachment tab for docs) or go here.