Resolved AbuseIPDB - spurious network activity from our server to third-party networks

[weareimpulse]

Server operating system version

Ubuntu 22.04.5 LTS

Plesk version and microupdate number

Plesk Obsidian 18.0.65 Update #2 Web Host Edition

hi, does anyone have any advice for our business/server?

we currently have a server that hosts around 40 WordPress sites - and a few months ago, we were contacted by our server providers to say that our server had been reported for complaints of spurious network activity from our server to third-party networks.

We've been through all the WP sites and updated the WP core version, and the plugins to the latest releases but we're still getting reports from:

AbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a time

www.abuseipdb.com

It was suggested to me to install clamAV on the server, and it has found a couple of infected files:

14 files in /usr
4 in /opt/
and 4 in /etc/


/usr/local/maldetect/sigs/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs/rfxn.yara: {HEX}php.gzbase64.inject.457.UNOFFICIAL FOUND
/usr/local/maldetect/clean/gzbase64.inject.unclassed: {HEX}php.gzbase64.inject.457.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/md5v2.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/md5.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/hex.dat: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/usr/local/maldetect/sigs.old/rfxn.yara: {HEX}php.gzbase64.inject.457.UNOFFICIAL FOUND
/usr/local/maldetect/tmp/.runtime.hexsigs.42416: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes

/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_4-plesk/RESPONSE-955-WEB-SHELLS.conf: YARA.lamashell_php.UNOFFICIAL FOUND
/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_4-plesk/web-shells-php.data: {HEX}php.cmdshell.antichat.202.UNOFFICIAL FOUND
/etc/nginx/modsecurity.d/rules/owasp_modsecurity_crs_4-plesk/RESPONSE-955-WEB-SHELLS.conf: YARA.lamashell_php.UNOFFICIAL FOUND
/etc/nginx/modsecurity.d/rules/owasp_modsecurity_crs_4-plesk/web-shells-php.data: {HEX}php.cmdshell.antichat.202.UNOFFICIAL FOUND


/opt/psa/admin/plib/modules/revisium-antivirus/library/externals/ai-bolit-hoster.php: {HEX}php.gzbase64.inject.460.UNOFFICIAL FOUND
/opt/psa/admin/plib/modules/revisium-antivirus/library/externals/ai-bolit.php: {HEX}php.gzbase64.inject.460.UNOFFICIAL FOUND
/opt/psa/admin/plib/modules/revisium-antivirus/library/externals/procu2.php: {HEX}php.gzbase64.inject.460.UNOFFICIAL FOUND
/opt/psa/var/modules-packages/revisium-antivirus.zip: {HEX}php.gzbase64.inject.460.UNOFFICIAL FOUND


could these be the culprits?

are these safe to delete??

Any other advice would be greatly appreciated!!!

Many thanks

Tim

 

[Martin Dias]

all detected files are from other security options, so all of that on first sight look like false positives

 

[weareimpulse]

thanks for the advise

 

[weareimpulse]

all detected files are from other security options, so all of that on first sight look like false positives

got this fixed - thanks for your suppport - was a hacked plugin in the end