Hosting service identified Cornerstone files to be malicious

Hosting service identified Cornerstone files to be malicious and blocked ports 80, 443, 465, 587 and 8080 on my shared server.
What should I do?
Here’s the exact message I received;

Dear Customer,

As provider of Shared Hosting services, we monitor the usage of all our customers to ensure that our Quality of Service is not adversely affected. Our goal is to ensure that one customer should not affect all the other customers on the same server.

As part of our routine monitoring, we have observed that some of the files hosted on this server belonging to hosted under your account, has some malicious files hosted. In order to prevent blacklisting of our service with various service providers, we have blocked outbound port 80, 443, 587 and 465 for this domain name as a precautionary measure. Here are the details of the files that were detected to be malicious.


We strongly suggest you to scan all the above listed files for any vulnerabilities. If the files are part of some plugins of your CMS, then we suggest you to update the plugin to the latest version or contact the plugin developer directly.

And this is what my cPanel Port 80 page shows;

Outbound Port 80, 443, 465, 587 and 8080 and for your account are BLOCKED

Reason for the port block
**During our regular scans, we have found malicious files in your account which may be infected with malware. **
Here is the list of files our scanning has identified :


Please clean up files listed above using virus/malware scanners. DO NOT delete the files directly as they may be important for your website to function. Kindly consult your/plugin developer before deleting and ensure that you have a backup on your local computer.


Hi there,

I’m sorry to hear you’re running into this. This is something we’ve seen a few cases of today. After investigating, we’ve found this to be a false positive with the ClamXAV scanner.

That file (cs-vendor.js) contains all of the javascript dependencies needed for Cornerstone’s Ember.js application. It’s not dangerous, but does have some advanced data manipulation libraries, including client side base64 encoding/decoding. Similar technology is used by viruses that wish to obscure data, so I can see why a false positive may be occurring. I’ve reached out to ClamXAV to add the file to their whitelist.

OK Alex.
I am on Bluehost.
So you are assuming they are using ClamXAV?
I will disable the auto-activated port block via my admin interface.
Also I should not delete that js file, disregarding what suggested by the Bluehost message, right?
You say this would be safe?

I just ran into this trying to upload the latest version of Pro via the file manager on my server (a liquidweb VPS).
“The file you uploaded,, contains a virus so the upload was canceled: Txt.Downloader.Generic-6398289-0 FOUND”
It loaded fine through the WP Theme upload file option though.

Hey There,

Thanks for updating this thread.
We appreciate the information you have shared with your experience about this.


Aside from sharing our “experiences”,
I am paralyzed as I am not able to login to my WP admin page due to the fact that all major ports I mentioned in my first post above are currently blocked by the hosting provider.
I am assuming are going to take a timely action in order to solve this situation swiftly.
Looking forward to hear the good news soon.

Hi There,

Please contact your Hosting support and ask how you can request to unblock those ports. Usually, it’s on the cPanel under the “Health Checks and Monitoring” tab.


I had learned how to unblock the ports via the cPanel right away.
The problem is that their system re-activates blocking after I unblock.
I have done this several times and those crucial ports are still blocked.
There should be something to be done to stop ClamXAV identifying that file as malicious.


Our development team have already reached out to ClamXAV, we’ll wait for their reply and see what we can do from our end.


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.