Hosting account suspended, suspicious error how to resolve

epictechz-lab

Error 🇦

A general Yara scan of the hacktack account found the following suspicious items...
_ File: /home2/hacktack/public_html/assets/extensions/the-turk-flamoji/dist/vendors_emoji-button-message-mi.js looks suspicious. Changed on [2022-12-16 02:31:20]
_ [Triggered: Rule_763] See: https://cpaneltech.ninja/cgi-bin/triggered.cgi?Rule_763
_ File: /home2/hacktack/public_html/vendor/illuminate/validation/NotPwnedVerifier.php looks suspicious. Changed on [2023-01-21 07:38:13]
_ [Triggered: Rule_1365] See: https://cpaneltech.ninja/cgi-bin/triggered.cgi?Rule_1365
_ File: /home2/hacktack/public_html/vendor/voku/portable-ascii/src/voku/helper/data/x07f.php looks suspicious. Changed on [2022-07-11 19:21:53]
_ [Triggered: Rule_1853] See: https://cpaneltech.ninja/cgi-bin/triggered.cgi?Rule_1853
_ File: /home2/hacktack/public_html/vendor/jaybizzle/crawler-detect/raw/Crawlers.json looks suspicious. Changed on [2023-01-21 07:38:16]
_ [Triggered: Rule_750] See: https://cpaneltech.ninja/cgi-bin/triggered.cgi?Rule_750
_ File: /home2/hacktack/public_html/vendor/jaybizzle/crawler-detect/raw/Crawlers.txt looks suspicious. Changed on [2023-01-21 07:38:16]
_ [Triggered: Rule_750] See: https://cpaneltech.ninja/cgi-bin/triggered.cgi?Rule_750
_ File: /home2/hacktack/public_html/vendor/jaybizzle/crawler-detect/src/Fixtures/Crawlers.php looks suspicious. Changed on [2023-01-21 07:38:16]
_ [Triggered: Rule_750] See: https://cpaneltech.ninja/cgi-bin/triggered.cgi?Rule_750
_ File: /home2/hacktack/public_html/vendor/the-turk/flarum-flamoji/assets/dist/vendors_emoji-button-message-mi.js looks suspicious. Changed on [2022-07-11 21:53:43]
_ [Triggered: Rule_763] See: https://cpaneltech.ninja/cgi-bin/triggered.cgi?Rule_763
_ File: /home2/hacktack/public_html/vendor/the-turk/flarum-flamoji/js/dist/vendors_emoji-button-message-mi.js looks suspicious. Changed on [2022-07-11 21:53:47]
_ [Triggered: Rule_763] See: https://cpaneltech.ninja/cgi-bin/triggered.cgi?Rule_763
_ File: /home2/hacktack/public_html/vendor/the-turk/flarum-flamoji/js/dist/vendors_emoji-button-message-mi.js.map looks suspicious. Changed on [2022-07-11 21:53:47]
_ [Triggered: Rule_763] See: https://cpaneltech.ninja/cgi-bin/triggered.cgi?Rule_763
_ File: /home2/hacktack/public_html/vendor/illuminate/cache/PhpRedisLock.php looks suspicious. Changed on [2023-01-21 07:38:14]
_ [Triggered: webshell_php_obfuscated_3]

How to fix 🥺

@SychO
@luceos

clarkwinkelmann

epictechz-lab does the date mentioned coincides with you running a Composer command or not?

You should make sure those files have not been tempered with. You can compare with original files on GitHub, or just delete vendor folder (or just rename it so you can compare later) and run composer install to download every one of these files fresh from the source.

If you still have issues with a fresh vendor folder, then you should look at the content of the files and the security rules to try to find what is being flagged. We can't exclude malware being pushed to Packagist but that's very unlikely, more likely it's a false positive or your server itself has been compromised and the files are modified by a process running on the server.