A php file is being added automatically in file_manager

Discussion in 'Security' started by hyder95, Jul 19, 2016.

  1. hyder95

    hyder95 Active Member
    Hello,
    There is a WordPress site hosted on my server and I often get alerts from the server that this site is generating spam mails, which are in the thousands.
    The server sends me alerts like this:

    2016-07-19 11:38:13 cwd=/home/domain/public_html 3 args: /usr/sbin/sendmail -t -i
    2016-07-19 11:38:14 cwd=/home/domain/public_html 3 args: /usr/sbin/sendmail -t -i
    Possible Scripts:
    '/home/domain/public_html/wp-login.php'
    '/home/domain/public_html/wp-mail.php'

    Or sometimes:
    Sample of the first 10 emails:
    2016-07-19 01:36:11 cwd=/home/domain/public_html/wp-includes/js/thickbox 4 args: /usr/sbin/sendmail -t -i -fgwendolyn_brewer@domain.com

    This path changes on the next alert, and there is always a .php file at the path given by the server, with a nasty script which generates spam mails. To stop the spamming I delete that injected file.
    My question is: how are files being added in different directories, who is doing this, and how can we track this down with all details like time stamp, IP, etc.? And how can we stop this?

    Thank You.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member
    This is mostly a WordPress issue. This recent topic, and the first comment to it, should be of some use to you:
    wordpress.org/support/topic/hack-attempts-vulnerabilitybug-report
    More great tips:
    inmotionhosting.com/support/edu/wordpress/wp-login-brute-force-attack

    Server side, ConfigServer eXploit Scanner is very useful.
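
The following is an added example, not code from either poster: it parses `cwd=... args: /usr/sbin/sendmail` lines in the format of the alert quoted in the first post, groups them by working directory with first/last timestamps and `-f` senders, and lists the `.php` files in a directory by modification time. The sample log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from pathlib import Path

# Constructed sample, in the format of the alert lines quoted in the thread.
SAMPLE_LOG = """\
2016-07-19 01:36:11 cwd=/home/domain/public_html/wp-includes/js/thickbox 4 args: /usr/sbin/sendmail -t -i -fgwendolyn_brewer@domain.com
2016-07-19 01:36:12 cwd=/home/domain/public_html/wp-includes/js/thickbox 4 args: /usr/sbin/sendmail -t -i -fkelly_ross@domain.com
2016-07-19 11:38:13 cwd=/home/domain/public_html 3 args: /usr/sbin/sendmail -t -i
2016-07-19 11:38:14 cwd=/home/domain/public_html 3 args: /usr/sbin/sendmail -t -i
2016-07-19 11:40:02 some unrelated log line that must be ignored
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) cwd=(\S+) \d+ args: (.*sendmail.*)$")

def summarize(log_text):
    """Group sendmail invocations by working directory: count, first/last time, -f senders."""
    dirs = defaultdict(lambda: {"count": 0, "first": None, "last": None, "senders": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a local sendmail submission line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entry = dirs[m.group(2)]
        entry["count"] += 1
        entry["first"] = min(entry["first"] or ts, ts)
        entry["last"] = max(entry["last"] or ts, ts)
        # "-fADDRESS" sets the envelope sender; collect the distinct addresses used
        entry["senders"].update(a[2:] for a in m.group(3).split() if a.startswith("-f") and len(a) > 2)
    return dict(dirs)

def php_files_by_mtime(directory):
    """List *.php files directly in `directory`, newest first, as (mtime, path)."""
    files = [(datetime.fromtimestamp(p.stat().st_mtime), str(p)) for p in Path(directory).glob("*.php")]
    return sorted(files, reverse=True)

if __name__ == "__main__":
    for cwd, info in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f'{info["count"]:4d}  {info["first"]} .. {info["last"]}  {cwd}  {sorted(info["senders"])}')
        if Path(cwd).is_dir():  # only true when run on the server itself
            for mtime, path in php_files_by_mtime(cwd):
                print(f"        {mtime}  {path}")
```

The modification time of a file found this way gives a time window to search for POST requests in the site's web server access log, which is where the client IP is recorded. mtime can be reset by whoever wrote the file, so compare it with the inode change time (ctime from `stat`) as well.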