[Resolved] Security issue?

    • February 17, 2026 at 8:50 am #24794

      Dear all, 

      we are running the newest version of osticketawesome 1.18.3 on the site https://ticket.edudigital.schule with great success, but have received a warning message from our hosting provider:

      — hosting provider’s notice, translated from German —

      Dear Sir or Madam,

      During a routine scan, malware was detected on your webspace account “edudigital.schule”:

      public_html/
      ./os/osta/opt/language/language-bar.php #1
      ./os/osta/opt/logo/delete/logo-options.php #1
      ./os/osta/opt/text/choose-mobile-link.php #1
      ./os/osta/opt/text/choose-mobile-text.php #1
      ./os/osta/opt/text/choose-subtext.php #1
      ./os/osta/opt/text/delete/choose-theme.php #1

      Malware signatures:

      #1 WEBSHELL_PHP_Writer [author="Arnim Rupp (https://github.com/ruppde)"]

      Important notes regarding this list:
      The number marked with # after each file name refers to the malware signature listed further below.
      Malicious code may, in some cases, have been injected into otherwise legitimate files on your website.
      Please note that this list does not claim to be complete and may also include files whose contents were falsely identified as malware.

      The upload of the affected files most likely occurred via the administration interface of your CMS installation.

      We have refrained from suspending the account.

      Please thoroughly clean your account by deleting or cleaning the files listed above.
      Afterwards, please update all software installed on the account to the latest version and change all website passwords.
      This includes the database password, user passwords, and administrator passwords.

      To identify and close all security vulnerabilities on your website, or to harden the existing setup, we recommend contacting a web developer.

      — end of translation —


      We hardened the opt directory with a .htaccess so that all attempts to call the PHP files directly are blocked (which was possible before). What else would you advise? Is this an issue that should be addressed in a more profound way?

      Kind regards,

      Michael Schnirch

      Kreismedienzentrum Freiburg
      http://www.kmz-freiburg.de

    • February 17, 2026 at 8:50 am #25000
      stevland
      Keymaster

      Hi Michael,

      Thanks for the detailed report. This is a false positive. All six flagged files are legitimate osTicket Awesome admin configuration handlers in the osta/opt/ directory. They’re part of the Theme Settings panel and handle saving your customizations (language bar, logo management, header text, mobile link/text, and theme selection).

      The WEBSHELL_PHP_Writer signature by Arnim Rupp is a heuristic YARA rule that flags any PHP file capable of writing to the filesystem. Since these files need to save your admin settings (logo uploads, text changes, theme choices), they naturally contain file-write operations, which triggers the signature. The hosting provider’s own notice acknowledges this possibility: “this list may also include files whose contents were falsely identified as malware.”

      What you did right: Adding .htaccess to block direct access to the osta/opt/ directory is a solid hardening step. These files are only meant to be called internally through the osTicket admin panel, never accessed directly via URL.

      What else to do:

      Do not delete these files. They are required for your Theme Settings to function (Settings > Theme in the admin panel).

      Report the false positive to your hosting provider. Let them know these are part of a commercial osTicket distribution and that the file-write operations are intentional admin functionality. You can point them to osticketawesome.com if they need to verify.

      Your .htaccess protection is sufficient. With direct access blocked, these files can only be triggered through authenticated admin sessions, which is the intended behavior.

      No passwords need to be changed and no further cleanup is necessary for these specific files. Your installation is not compromised.

      I will add an .htaccess file to the /osta/opt directory in the next release so you won’t have to worry about it again in the future when you install an upgrade.

      Best regards, Stevland
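One way to check a notice like this before reporting it as a false positive, added here as an example that is not from the thread or from osTicket Awesome: hash each flagged path against the same path in a pristine copy of the release. It assumes a clean copy of the distribution is unpacked locally; the file contents in the fixture are constructed, not the real files.

```python
import hashlib
import tempfile
from pathlib import Path
# The six paths from the provider's notice, relative to public_html/.
FLAGGED = [
    "os/osta/opt/language/language-bar.php",
    "os/osta/opt/logo/delete/logo-options.php",
    "os/osta/opt/text/choose-mobile-link.php",
    "os/osta/opt/text/choose-mobile-text.php",
    "os/osta/opt/text/choose-subtext.php",
    "os/osta/opt/text/delete/choose-theme.php",
]

def sha256_of(path: Path) -> str:
    """Stream the file so a large upload need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(deployed: Path, pristine: Path, flagged=FLAGGED) -> dict:
    """Compare each flagged file with the same path in a clean release copy.
    'matches-release': byte-identical, the scanner fired on vendor code.
    'modified': differs from the release, read the diff by hand.
    'not-in-release' / 'missing-on-host': unexpected extra or already-removed file."""
    verdicts = {}
    for rel in flagged:
        live, clean = deployed / rel, pristine / rel
        if not live.exists():
            verdicts[rel] = "missing-on-host"
        elif not clean.exists():
            verdicts[rel] = "not-in-release"
        elif sha256_of(live) == sha256_of(clean):
            verdicts[rel] = "matches-release"
        else:
            verdicts[rel] = "modified"
    return verdicts

def build_fixture() -> tuple:
    """Constructed fixture, not real osTicket Awesome files: a clean copy of
    every flagged path plus a deployed copy in which one file was edited."""
    root = Path(tempfile.mkdtemp())
    clean, live = root / "release", root / "public_html"
    for rel in FLAGGED:
        for base in (clean, live):
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_text("<?php file_put_contents($f, $v);\n")
    (live / FLAGGED[-1]).write_text("<?php file_put_contents($f, $v); // edited\n")
    return live, clean
```

Files that match the release byte for byte can be reported to the hoster as vendor code; only a 'modified' or 'not-in-release' verdict warrants reading the file itself.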
