This was the report of running maldetect:
PATH: /
TOTAL FILES: 384772
TOTAL HITS: 6
TOTAL CLEANED: 0
WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 190130-1632.12938
FILE HIT LIST:
{HEX}php.gzbase64.inject.452 : /var/lib/clamav/rfxn.yara
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /var/lib/clamav/rfxn.ndb
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /var/lib/clamav/rfxn.hdb
{HEX}php.exe.globals.411 : /var/www/ncp-web/index.php
{HEX}php.nested.base64.640 : /etc/modsecurity/owasp-modsecurity-crs/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
{HEX}php.gzbase64.inject.452 : /root/software/linux-malware-detect/files/clean/gzbase64.inject.unclassed
Linux Malware Detect v1.6.3 < proj@rfxn.com >
I hope these are false positives? I googled some of them and it doesn’t sound good. Is my NC(Pi) hacked and infected? How is that possible?
I quarantined the files. Then index.php from /www/ncp-web was moved there as well. So I chose to move it back and now it just doesn’t work anymore. Then I downloaded index.php from github and now I get AES encryption things.
Does anyone else also get these results on those files with maldetect? I have a backup but it might be infected, just like one older one.
I’m afraid I have to install everything all over again?
Unless these are false positives, which I’m hoping for. Maybe everyone has them right from after freshly installing NCP…
(on an extra note: after enabling encryption I uploaded files, unplugged the external device and could open the uploaded files on another device)
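As an added triage example (not part of the post, and not NextcloudPi or maldet code): parse the FILE HIT LIST above and separate hits inside signature databases, maldet's own cleaner rules and ModSecurity CRS regression fixtures, which are expected to match malware signatures because they contain them, from hits in served content such as /var/www/ncp-web/index.php, which should be compared against a known-good copy. The reference-file path in the usage line is an assumption.

```python
import hashlib
import re

# Constructed copy of the FILE HIT LIST from the maldet report above.
REPORT = """\
{HEX}php.gzbase64.inject.452 : /var/lib/clamav/rfxn.yara
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /var/lib/clamav/rfxn.ndb
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /var/lib/clamav/rfxn.hdb
{HEX}php.exe.globals.411 : /var/www/ncp-web/index.php
{HEX}php.nested.base64.640 : /etc/modsecurity/owasp-modsecurity-crs/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
{HEX}php.gzbase64.inject.452 : /root/software/linux-malware-detect/files/clean/gzbase64.inject.unclassed
"""

# One hit line: {ENGINE}signature.name : /absolute/path
HIT_RE = re.compile(r"^\{(?P<engine>[A-Z]+)\}(?P<sig>\S+) : (?P<path>/.+)$")

# Directories whose contents are supposed to match malware signatures:
# ClamAV/rfxn signature databases, maldet's own cleaner rules, and WAF
# regression fixtures that deliberately carry attack payloads. A hit here
# is the scanner matching its own data, not an infected web application.
EXPECTED_MATCH_PREFIXES = (
    "/var/lib/clamav/",
    "/root/software/linux-malware-detect/files/",
    "/etc/modsecurity/owasp-modsecurity-crs/util/regression-tests/",
)

def parse_hits(report):
    """Return a list of {'engine', 'sig', 'path'} dicts, one per hit line."""
    return [m.groupdict() for line in report.splitlines()
            if (m := HIT_RE.match(line.strip()))]

def triage(report):
    """Split hit paths into 'expected' (signature/test data) and 'investigate'."""
    result = {"expected": [], "investigate": []}
    for hit in parse_hits(report):
        bucket = "expected" if hit["path"].startswith(EXPECTED_MATCH_PREFIXES) else "investigate"
        result[bucket].append(hit["path"])
    return result

def matches_reference(local_path, reference_path):
    """True if both files have the same SHA-256. A mismatch alone is not proof of
    tampering (the installed version may simply differ), but a match rules it out."""
    def digest(p):
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()
    return digest(local_path) == digest(reference_path)

if __name__ == "__main__":
    for bucket, paths in triage(REPORT).items():
        print(bucket, paths)
    # Assumed path for a freshly downloaded upstream copy of index.php:
    # print(matches_reference("/var/www/ncp-web/index.php", "/tmp/index.php.upstream"))
```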