Something renames files to filename.ext.suspected

Question

I've experienced a very strange behavior on a Debian server. This server runs a lot of website, most of them CMS, mainly WordPress.

And sometimes something renames my files from wp-db.php to wp-db.php.suspected for example.

And these files seem to be clean, they are standard WP files. We have ClamAV, chkrootkit, rkhunter and maldet installed. I thought first ClamAV causes it, but after making a scan by hand it didn't find anything, plus the files get renamed on the fly, and ClamAV is not a resident AV so...

Has anyone seen such thing before or has an idea what can causes it?

Some searching with Google I found that I'm not the first one who has such an issue. It happens to a lot of different system and CMS, which makes me think it is the system.

Thank you for your help in advance.

Contact your system administrator. – Michael Hampton Jan 12 '16 at 13:43 — Michael Hampton, Jan 12 '16 at 13:43
Lately I became the sysadmin, so it's not an option. :-) – vdavid Jan 13 '16 at 08:34 — vdavid, Jan 13 '16 at 08:34

score 2 · Answer 1 · edited May 23 '17 at 11:33

2

Install WordFence in WordPress and see if it finds any not-original WordPress files. As per this thread, it sounds like your server has been compromised:

https://wordpress.org/support/topic/link-templatephpsuspected/page/2

Also see here:

https://stackoverflow.com/questions/32835796/php-file-automatically-renamed-to-php-suspected

You should check your logs (increase log levels if needed) and find out who is triggering these things. With Fail2Ban you can then automatically ban the hackers based on their behaviour.

edited May 23 '17 at 11:33

Community

1

answered Jan 12 '16 at 13:58

JayMcTee

3,923
1
13
22

1

Thank you for your answer Jay. I will give them a shot later. – vdavid Jan 13 '16 at 08:37

Something renames files to filename.ext.suspected

1 Answers1