Maintaining a secure website is crucial for protecting sensitive information and ensuring a seamless user experience. Unfortunately, cybercriminals frequently target websites, injecting malicious code and compromising websites.

In this article will guide you through identifying and removing viruses from your website using cPanel, helping you restore your site’s integrity and protect it from future threats.

By going through this article step-by-step, you will know how to scan your cPanel to detect and eliminate malware to ensure your websites remain secure and trustworthy. You may also see our expert step-by-step guide on how to get a cPanel (step-by-step guide).

How to delete malicious directories and error from your cpanel

One of the tools for managing websites is cPanel, in this way, attackers try to add malicious directories into the cpanel if they are trying to hack or spam a website.

When your website is hacked, it may not stop working. At times, a hacked website can be effectively running. The aim of hackers is different. Sometimes, some hackers only demand some of your website visitors to automatically visit their website, some hackers like to degrade the appearance of your website in search engine results (for example turning your website description and title on search engines into fictitious language that you have never written on your website).

The threat of website hacking is a very serious issue. Depending on the type of code that the hacker added to your cpanel, they may let your website send spamming emails, let all your indexed pages disappear completely, make the changes you make on your website not take effect, etc. That’s why it’s important to pay attention to the security of your cPanel account.

These hackers may add a directory to your cpanel, change the code in the directories, or delete a directory in your cpanel. Experts point out that weak passwords cause this, usage of untested plugins and themes on a website gives room for hackers. In this article, we are only going to show you how to remove malicious directories, edited directories, and errors in your cpanel that affect the smooth running of your websites.

Now, let’s get started.

How to delete malicious directories in your cPanel

To know the malicious directories in your cPanel that you should delete, you can use Virus Scanner in your cPanel. The guide below is how to do that.

#1. Login to your cPanel and locate the Virus scanner in the advanced section by scrolling or searching in the search bar.

virus scanner in a cPanel

#2. Click the virus scanner button and select the entire home directory. Then click the scan now button.

cPanel entire home directory

Wait for some time for the scanning to completely take place. While you are waiting, you can see the scanning report.

cPanel scanning report

When the scanner progress reaches 100%, a successful notification below will be displayed. Click the close button.

scanner completed

#3. After that, visit your cpanel and click the file manager button in the files section.

File manager in the cPanel

#4. Go to the /home/cPanel_username directory. The scan report is uploaded to it. Usually, its name contains your cPanel username and the date when the scanning was done, e.g., scanreport-nctest-Mar_17_2020_16h_53m.txt.

scan report

#5. Locate the file, right-click it, and click the Edit button.

Now, you can find all directories in your cpanel that are being corrupted or added by bots attackers, or hackers using this scanned report.

How to determine malicious directories in your cPanel

Below you can find malicious directories in the panel from the pasted text provided from our panel.

———– SCAN REPORT ———–
TimeStamp: Thu, 16 May 2024 12:53:50 -0400
(/usr/sbin/cxs –clamdsock /var/clamd –dbreport –defapache nobody –doptions Mv –exploitscan –nofallback –filemax 50000 –noforce –html –ignore /etc/cxs/cxs.ignore.manual –options mMOLfSGchexdnwZDRru –noprobability –qoptions Mv –report /home/fastecpq/scanreport-fastecpq-2024-05-16T16:53:48.873715.txt –sizemax 1000000 –ssl –summary –sversionscan –timemax 30 –nounofficial –user fastecpq –virusscan –vmrssmax 2000000 –waitscan 0 –xtra /etc/cxs/cxs.xtra.manual)

Scanning /home/fastecpq:

‘/home/fastecpq/.nc_plugin/hidden’

World writeable directory

Scan Timeout (30 secs) while processing:

‘/home/fastecpq/.trash/wordpress-6.5.2.zip’

‘/home/fastecpq/.trash/book.fastknowers.com/wp-content/plugins/astra-sites/astra-sites.php’

Script version check [OLD] [Starter Templates v4.2.2 < v4.2.3]

‘/home/fastecpq/.trash/book.fastknowers.com/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-menus.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/.trash/book.fastknowers.com/wp-content/plugins/woocommerce/src/Internal/Admin/WcPayWelcomePage.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/.trash/book.fastknowers.com/wp-content/plugins/woocommerce/vendor/maxmind-db/reader/ext/maxminddb.c’

Suspicious file type [application/x-c]

‘/home/fastecpq/.trash/book.fastknowers.com/wp-content/themes/astra/admin/includes/class-astra-menu.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/.trash/domain.fastknowers.com/wp-content/languages’

World writeable directory

‘/home/fastecpq/.trash/domain.fastknowers.com/wp-content/languages/plugins’

World writeable directory

‘/home/fastecpq/.trash/domain.fastknowers.com/wp-content/plugins/updraftplus/vendor/guzzle/guzzle/src/Guzzle/Service/Command/LocationVisitor/Request/admin.php’

Decode regex match = [decode regex: 1]

‘/home/fastecpq/.trash/domain.fastknowers.com/wp-content/themes/astra/admin/includes/class-astra-menu.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/.trash/optimole-wp/vendor/codeinwp/themeisle-sdk/assets/js/build/tracking/class-add.php’

Known exploit = [Fingerprint Match (fp)] [PHP Exploit [P2226]]

‘/home/fastecpq/.trash/optimole-wp/vendor/codeinwp/themeisle-sdk/assets/js/build/tracking/random2.php’

Known exploit = [Fingerprint Match (fp)] [Hacker Sig Exploit [P2071]]

‘/home/fastecpq/.trash/optimole-wp/vendor/codeinwp/themeisle-sdk/assets/js/build/tracking/wp-ddd.php’

Known exploit = [Fingerprint Match (fp)] [PHP Exploit [P2226]]

‘/home/fastecpq/.trash/woocommerce/includes/admin/class-wc-admin-menus.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/.trash/woocommerce/src/Internal/Admin/WcPayWelcomePage.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/.trash/woocommerce/vendor/maxmind-db/reader/ext/maxminddb.c’

Suspicious file type [application/x-c]

‘/home/fastecpq/.trash/wp-live-chat-support/admin/class-wplc-plugin-settings.php’

Universal decode regex match = [universal decoder]

Scan Timeout (30 secs) while processing:

‘/home/fastecpq/public_html/old files/wordpress-6.0.zip’

‘/home/fastecpq/public_html/old files/wp-includes/version.php’

Script version check [OLD] [Wordpress v6.0.3 < v6.5.3]

‘/home/fastecpq/public_html/wp-content/plugins/ad-inserter/includes/google-api/vendor/phpseclib/phpseclib/phpseclib/Crypt/EC/Curves/sect571k1.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/public_html/wp-content/plugins/ad-inserter/includes/google-api/vendor/phpseclib/phpseclib/phpseclib/Crypt/EC/Curves/sect571r1.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/public_html/wp-content/plugins/ad-inserter/includes/google-api-8/vendor/phpseclib/phpseclib/phpseclib/Crypt/EC/Curves/sect571k1.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/public_html/wp-content/plugins/ad-inserter/includes/google-api-8/vendor/phpseclib/phpseclib/phpseclib/Crypt/EC/Curves/sect571r1.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/rakaalservices.com/wp-content/plugins/megamenu/classes/pages/page.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/rakaalservices.com/wp-content/themes/astra/admin/includes/class-astra-menu.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/rakaalservices.com/wp-content/themes/furnitrix/gard0.php’

Decode regex match = [decode regex: 1]

‘/home/fastecpq/rakaalservices.com/wp-content/wpvivid_uploads/Isolate/export.php’

Universal decode regex match = [universal decoder]

Decode regex match = [decode regex: 1]

‘/home/fastecpq/rehaadglobal.com/wp-content/plugins/astra-sites/astra-sites.php’

Script version check [OLD] [Starter Templates v4.2.2 < v4.2.3]

‘/home/fastecpq/rehaadglobal.com/wp-content/themes/astra/admin/includes/class-astra-menu.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/shop.rakaalservices.com/wp-content/plugins/astra-sites/astra-sites.php’

Script version check [OLD] [Starter Templates v4.2.2 < v4.2.3]

‘/home/fastecpq/shop.rakaalservices.com/wp-content/plugins/header-footer-elementor/header-footer-elementor.php’

Script version check [OLD] [Elementor Header & Footer Builder v1.6.28 < v1.6.31]

‘/home/fastecpq/shop.rakaalservices.com/wp-content/plugins/megamenu/classes/pages/page.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/shop.rakaalservices.com/wp-content/plugins/ultimate-addons-for-gutenberg/ultimate-addons-for-gutenberg.php’

Script version check [OLD] [Spectra v2.13.1 < v2.13.2]

‘/home/fastecpq/shop.rakaalservices.com/wp-content/plugins/ultimate-addons-for-gutenberg/admin-core/inc/admin-menu.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/shop.rakaalservices.com/wp-content/plugins/ultimate-addons-for-gutenberg/includes/blocks/forms/frontend.css.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/shop.rakaalservices.com/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-menus.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/shop.rakaalservices.com/wp-content/plugins/woocommerce/src/Internal/Admin/WcPayWelcomePage.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/shop.rakaalservices.com/wp-content/plugins/woocommerce/vendor/maxmind-db/reader/ext/maxminddb.c’

Suspicious file type [application/x-c]

‘/home/fastecpq/shop.rakaalservices.com/wp-content/plugins/wp-live-chat-support/admin/class-wplc-plugin-settings.php’

Universal decode regex match = [universal decoder]

‘/home/fastecpq/shop.rakaalservices.com/wp-content/themes/astra/admin/includes/class-astra-menu.php’

Universal decode regex match = [universal decoder]

———– SCAN SUMMARY ———–
Scanned directories: 13920
Scanned files: 106893
Ignored items: 451
Suspicious matches: 40
Viruses found: 0
Fingerprint matches: 3
Data scanned: 3111.10 MB
Scan peak memory: 395788 kB
Scan time/item: 0.024 sec
Scan time: 2879.199 sec

Pay attention to the scanned report. It contains the following information:

  • path to the directory or file (e.g. ‘/home/cPanel_username/public_html/vendor/laravel/framework/src/Illuminate/Filesystem/Filesystem.php’) ;
  • scan result (e.g. # Regular expression match = [symlink\s*\(]).

Now that you have know the directories in your cpanel which are being corrupted, you need to delete them from your cpanel. Please read the table below. It will show you the directories in your scanned reports which you need to delete.

ResultDescriptionAction to take
# ClamAV detected virusAntivirus software has found a potentially dangerous file with malware.Remove the file.
# Suspicious file type [application/x-c]

# MS Windows Binary/Executable [application/x-winexec]

# (compressed file: Moxie.dll [depth: 1]) MS Windows

# Binary/Executable [application/x-winexec]

# MS-DOS Binary/Executable [application/x-dosexec]
Antivirus software has found Windows binary or executable files.

Such files cannot be executed on a Linux-based OS. You would not
normally expect to find one within a cPanel account .

You can discover a Trojan file among them.
Remove the file.
# Linux Binary/Executable [application/x-sharedlib]Antivirus software has found Linux binary or executable files.
Such files can be executed on a Linux-based OS. Still, you would not normally expect to find one within a cPanel account.
If a Linux binary or executable file is located in a cPanel account, it is most likely an exploit that remains hidden.
Remove the file.
# Known exploit = [Fingerprint Match]Antivirus software considers a file as an exploit.
An exploit can be a program, a piece of code, or even just a string of characters. It takes advantage of a program. Then, this program acts in an unexpected way, which results in undesirable behavior. Also, exploits are maliciously used to gain unauthorized access.
Unless you know the purpose of this file, remove it from your cPanel. If it is related to installed software and you need it, either clean it or upload again from a trusted source.
PLEASE NOTE: It is strongly recommended that you use content only from the official source.
# Symlink toThe file is a symbolic link.

It consists of a special type of file that serves as a reference to another file or directory.

Some default files require symlinks for the proper work of cPanel services:

‘/home/cPanel_username/.cagefs/opt/alt/phpXX/link/conf’
‘/home/cPanel_username/access-logs’
‘/home/cPanel_username/.cagefs/tmp/mysql.sock’

 
But the custom symlinks (e.g. a symlink to files outside of your cPanel account) may cause serious security breaches.
Pay attention to the custom symlinks. Such files should be removed from your account.

Symlinks to default cPanel files can be ignored.
# SocketA socket is typically used to transfer data between two separate processes. You would not expect to normally find one within a cPanel account.Unless you know the purpose of this file or it is related to the software installed from the trusted source, remove it from your cPanel.
# Regular expression match = [symlink\s*\(]A file contains ‘symlink(s)’ expression as a comment or variable.It is a false-positive. The file can be ignored.
# Regular expression match = [\n(?!\s*(//|\#|\*)).*/etc/passwd]A file contains ‘/etc/passwd’ expression as a comment or variable.It is a false-positive. The file can be ignored.
# Regular expression match = [\n(?!\s*(//|\#|\*)).*\.ssh/]A file contains ‘/.ssh’ expression as a comment or variable. Such files are potentially harmful to your account as they allow remote access using SSH keys.Unless you know the purpose of this file or it is related to the software installed from the trusted source, remove it from your cPanel.
# Universal decode regex matchA file contains some string encoded with a common encoder, e.g. base64. They are often used to hide malicious code.Unless you know the purpose of this file or it is related to the software installed from the trusted source, remove it from your cPanel.
# Script version check [OLD]The installation, plugin or theme version is outdated. Software updates are important because they check for the bugs and vulnerabilities found in the previous versions. A ‘hole’ in one can affect your entire installation as well as your cPanel account.Ensure that your installations are up to date.
# World writeable directoryPermissions for a directory are set to 777.

It is recommended to have default permissions assigned to website files and folders.
They are 644 for files and 755 for folders.

However, it is safe to have permissions set to 777 for default cPanel folders:

/home/cPanel_user/.cagefs/var/cache
/home/cPanel_user/.cagefs/var/php
/home/cPanel_user/.cagefs/var/run
Update permissions for the indicated directory.
# Scan Timeout (30 seconds) while processingThe scan process has been interrupted.You can put in a request to our Support Team to scan it additionally.
# Clamd Error forAntivirus software considers that the file is located inside the service directory, therefore, it should not be scanned.The file can be ignored.

Before you delete or edit any directory in your cpanel, please make sure to create a backup. Files with randomly-generated names (e.g. bcwfgi.php) always contain malicious code. Hence, they need to be deleted.

How to delete malicious directories in your cpanel

By now, you have known how to scan and determine malicious directories in your cpanel. The next guide now is showing you how to delete such directories from your cpanel. Watch the video above in full version here.

Now, let us get started.

#1. Login to your cpanel and click the file manager button.

#2. Scroll through your cpanel to meet the directory that you want to delete (e.g, ‘/home/fastecpq/rakaalservices.com/wp-content/themes/furnitrix/gard0.php’) as you have found out from your virus scanner report.

malicious directory that needs to be deleted

If we want to delete the directory in the screen shot above from our cPanel, first of all, we need to visit the home directory (fastecpq or username of the cpanel), then rakaalservices.com, wp-content, themes, furnitrix, and finally gard0.php.

Now, let begin.

#3. In your file manager, navigate to rakaalservices.com and double click it.

#4. Double click the wp-content.

wp-content malicious code

#5. Double themes

themes directories

#6. Double click furnitrix

#7. Hover over on the gard0.php and click the delete button.

malicious file to be deleted

#8. Review the file and click the confirm button

Before you delete any file or directory from your cpanel, you will be notified to review your request first. They will also give you a chance to either select the skip the delete (trash) and permanently delete the trash. If you permanently delete it, you will can never restore it, but if you trash it, you can restore it and get your website back to the way it was incase the file is not the one you should delete.

Please confirm the file in your virus scanner report to the one on the trashing confirmation section before you delete. In this guide, I hope we are correct. The file we want to delete is (/home/fastecpq/rakaalservices.com/wp-content/themes/furnitrix/gard0.php’) and the one that is showing is (/rakaalservices.com/wp-content/themes/furnitrix/gard0.php) which is the same. Thus, we can go ahead and delete it.

Conclusion

Hope this article has shown you the expert step-by-step guide on how to remove malicious errors, codes, files and directories from your website via cPanel. You may also watch the video below for guide.

If you know that this article has helped you, please share it with your friends. Subscribe to our YouTube channel if you haven’t subscribed yet. Could you be able to completely remove malicious files in your cPanel? Please let know via the comment box.

Abdulrazaq Yahaya

Hi. Welcome to Fastknowers. On this blog, I share articles on how to develop your personal and career life. If you did like this article, please share it with others.

Leave a Reply