public_html/cron.php is treated as malware.

Get help with installation and running phpBB 3.1.x here. Please do not post bug reports, feature requests, or extension related questions here.
Anti-Spam Guide
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

NOTE: phpBB 3.1.x is at its End of Life stage and support will NOT be provided after July 1st, 2018.
Anuj Dhawan
Registered User
Posts: 375
Joined: Sat Aug 10, 2013 6:44 pm

public_html/cron.php is treated as malware.

Post by Anuj Dhawan »

Hi,

I got an email from my host stating that public_html/cron.php is treated as malware and so the account is suspended and the website can not be reached. Have been talking to them but the Tech Support staff says, "we offer services to find, fix, and prevent malware." To this I said, if it's "malware", please help me to fix that as you can help with that. "We don't have anyone who would be able to walk you through the removal" was the answer.

Said all that, can someone please guide me on this. This is just not my forte. :(
Last edited by Anuj Dhawan on Wed Mar 29, 2017 1:30 pm, edited 1 time in total.
Thanks,

User avatar
david63
Registered User
Posts: 17054
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: public_html/cron.php is treated as malware.

Post by david63 »

Anuj Dhawan wrote:
Wed Mar 29, 2017 1:26 pm
can someone please guide me on this.
Change host
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

Anuj Dhawan
Registered User
Posts: 375
Joined: Sat Aug 10, 2013 6:44 pm

Re: public_html/cron.php is treated as malware.

Post by Anuj Dhawan »

david63 wrote:
Wed Mar 29, 2017 1:28 pm
Anuj Dhawan wrote:
Wed Mar 29, 2017 1:26 pm
can someone please guide me on this.
Change host
That's very much on the cards but what should I do for now? I need the website up and running until I plan to do that.
Last edited by Anuj Dhawan on Wed Mar 29, 2017 1:35 pm, edited 1 time in total.
Thanks,

User avatar
david63
Registered User
Posts: 17054
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: public_html/cron.php is treated as malware.

Post by david63 »

Anuj Dhawan wrote:
Wed Mar 29, 2017 1:31 pm
That's very much on the cards but what should I do for now?
I doubt that there is very much that you can do. If their security is set such that software that is running on thousands of sites around the world without any problems is flagging up this error then finding a host that knows what they are doing is the only answer.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

User avatar
Lumpy Burgertushie
Registered User
Posts: 67051
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: public_html/cron.php is treated as malware.

Post by Lumpy Burgertushie »

you could try asking for level two support. the ones that answer the phone/chat usually only know how to turn the pages in their book and tell you to try unplugging the computer etc.

also, just in case, download a full copy of phpbb from here. unzip it to your computer.
using ftp only, upload the cron.php file to the server letting it overwrite the one that is there.

contact support, have them run their check again.

if it fails again ask them why it works in hundreds of thousands of other sites running phpbb but just not on their server.

ask them why it worked one day and not the next, what did they change to make it stop working?

this is most likely going to be something they have done but either don't know or don't understand how to setup their own servers properly.

and, as was said, find a new host that knows what they are doing.


robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.3 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

Anuj Dhawan
Registered User
Posts: 375
Joined: Sat Aug 10, 2013 6:44 pm

Re: public_html/cron.php is treated as malware.

Post by Anuj Dhawan »

Thanks for the pointers Robert.
also, just in case, download a full copy of phpbb from here. unzip it to your computer.
using ftp only, upload the cron.php file to the server letting it overwrite the one that is there.
Did that already and waiting for their response now.

I'm just thinking, if my website has been compromised, how do I know about it? Well, I can understand that the reposne to it can be too vast to be answered in a thread but just thinking if cron.php can be compromised!? If yes, what harm it might do?
Thanks,

User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 50984
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: public_html/cron.php is treated as malware.

Post by stevemaury »

If the cron.php on the server has the same filesize and same number of lines as the file from a fresh download, it is almost certainly not compromised. If it does not, see:

If your board has been hacked, please do the following before making any modifications to your board (this includes changing passwords, editing files, running the Support Toolkit, etc.):
  1. Save an archive file comprising copies of all the files (this can be done by creating a zip or tarball of the files).
  2. Save a copy of the database.
  3. Save the server access logs for the time of the hack (they may be available in the “logs” directory on the server, in your host’s control panel or only by request directly from your host).
  4. File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)

Anuj Dhawan
Registered User
Posts: 375
Joined: Sat Aug 10, 2013 6:44 pm

Re: public_html/cron.php is treated as malware.

Post by Anuj Dhawan »

stevemaury wrote:
Thu Mar 30, 2017 1:01 pm
If the cron.php on the server has the same filesize and same number of lines as the file from a fresh download, it is almost certainly not compromised.
It was of just same - lines, content and size. Compared in Notepad++. Though I've replaced it with the one from phpBB package from here - followed up with host and "their admins are working on it", well. Just fyi - I'm using phpBB 3.1.10, at the moment.

Though I'll follow up further steps you've suggested just to make sure that all is well. Thanks for the direction.
Thanks,

Anuj Dhawan
Registered User
Posts: 375
Joined: Sat Aug 10, 2013 6:44 pm

Re: public_html/cron.php is treated as malware.

Post by Anuj Dhawan »

There is follow up email from the host which goes like this:
I apologize as this issue was not due to a malware issue, but rather it was due to a large volume of email being sent out from you account as identified in the mail summary below.

<a link directing to the report, on emails, being sent out>

In order to help prevent further issues or account blocks, we recommend updating settings phpBB Digest service to disable certain mailings from site actions. I have removed the restrictions to the site in order to allow you review this. Please let us know if you have any questions in regards to this.
I've modified the settings first for phpBB Digest and later disabled it for some time to see the effect.

That said, the site is up and running but I do see a lot of "residual directories" (perhaps an after effect of "domain scan tool") in the root of website using FileZilla - how do I know which 'clutter' can I remove? Is there a general guideline on that please? (The website is primarily a phpBB board then in another directory I've WordPress installed. There are other sub-rectories with different versions of phpBB and WordPress installed.)
Thanks,

User avatar
RMcGirr83
Recognised Extension Developer
Posts: 21034
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr
Contact:

Re: public_html/cron.php is treated as malware.

Post by RMcGirr83 »

phpBB Digest service to disable certain mailings from site actions.
You are using an unvalidated extension on a live board? That is a no-no.
In times of change, learners inherit the earth, while the learned find themselves beautifully equipped to deal with a world that no longer exists - Eric Hoffer
Former Modifications/Extensions Team Member | My extensions
Appreciate the extensions/mods/support then buy me a beer
All requests for support via PM will be ignored

User avatar
david63
Registered User
Posts: 17054
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: public_html/cron.php is treated as malware.

Post by david63 »

... also you should post that same information in the topic for the Digests extension so that the author, and other users are aware as to what can happen.
Anuj Dhawan wrote:
Tue Apr 04, 2017 8:18 am
how do I know which 'clutter' can I remove?
Compare your board with a vanilla set of phpBB files - although be aware that one, or more, extensions may have created some of the "clutter"
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

Anuj Dhawan
Registered User
Posts: 375
Joined: Sat Aug 10, 2013 6:44 pm

Re: public_html/cron.php is treated as malware.

Post by Anuj Dhawan »

RMcGirr83 wrote:
Tue Apr 04, 2017 9:49 am
phpBB Digest service to disable certain mailings from site actions.
You are using an unvalidated extension on a live board? That is a no-no.
Yes, little too bold I was as it worked fine for months on a test-board. Have learned "no-no" the hard way... :)
Last edited by Anuj Dhawan on Wed Apr 05, 2017 11:30 am, edited 1 time in total.
Thanks,

Anuj Dhawan
Registered User
Posts: 375
Joined: Sat Aug 10, 2013 6:44 pm

Re: public_html/cron.php is treated as malware.

Post by Anuj Dhawan »

david63 wrote:
Tue Apr 04, 2017 10:50 am
... also you should post that same information in the topic for the Digests extension so that the author, and other users are aware as to what can happen.
Yes right, please see this: viewtopic.php?f=456&t=2354426&p=14706016#p14706016.
Compare your board with a vanilla set of phpBB files - although be aware that one, or more, extensions may have created some of the "clutter"
This is how I see it in FileZilla - I'm not talking public_html directory. Under this, public_html is a directory (folder): (not sure if I could convey it well)
FilZillaRoot.png
Thanks,

User avatar
Lumpy Burgertushie
Registered User
Posts: 67051
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: public_html/cron.php is treated as malware.

Post by Lumpy Burgertushie »

don't know what that post means. public_html is where your website is located. including your phpbb board.

so, showing us anything other than your public_html directory is not helping us to help you.

robert

there is really nothing there that could be used to hurt you by anyone seeing an image of it.

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.3 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

Anuj Dhawan
Registered User
Posts: 375
Joined: Sat Aug 10, 2013 6:44 pm

Re: public_html/cron.php is treated as malware.

Post by Anuj Dhawan »

Please have a look at these screen shots:
First.png
Second.png
The directories starting with "." seems to crop up after the host complained about "malware". I was asking if they exist like that usually for every host or it is something I should be concerned about?
Thanks,

Locked

Return to “[3.1.x] Support Forum”