A php file is being added automatically in file_manager

Discussion in 'Security' started by hyder95, Jul 19, 2016.

  1. hyder95

    hyder95 Active Member

    Hello,
    There is a WordPress site hosted on my server and I often get alerts from the server that this site is generating spam mails, which are in the thousands.
    The server sends me alerts like this:

    2016-07-19 11:38:13 cwd=/home/domain/public_html 3 args: /usr/sbin/sendmail -t -i
    2016-07-19 11:38:14 cwd=/home/domain/public_html 3 args: /usr/sbin/sendmail -t -i
    Possible Scripts:
    '/home/domain/public_html/wp-login.php'
    '/home/domain/public_html/wp-mail.php'

    Or sometimes:
    Sample of the first 10 emails:
    2016-07-19 01:36:11 cwd=/home/domain/public_html/wp-includes/js/thickbox 4 args: /usr/sbin/sendmail -t -i -fgwendolyn_brewer@domain.com

    This path changes on the next alert, and there is always a .php file at the path given by the server, with a nasty script which generates spam mails. To stop the spamming I delete that injected file.
    My question is: how are files being added in different directories, who is doing this, and how can we track this down with all details like time stamp, IP, etc.? And how can we stop this?

    Thank You.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    This is a WordPress issue mostly. This recent topic, and the first comment to it, should be of some use to you:
    wordpress.org/support/topic/hack-attempts-vulnerabilitybug-report
    More great tips:
    inmotionhosting.com/support/edu/wordpress/wp-login-brute-force-attack

    Server side, ConfigServer eXploit Scanner is very useful.
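
Added example (not part of either post above, and not cPanel code): one way to approach the tracking question is to group the Exim `cwd=` lines from the alert by directory, then look in the site's access log for POST requests to PHP files in that same directory just before each send, which yields a timestamp and client IP. The access-log lines, the IP addresses, the file name `cache.php` and the 5-second window are constructed assumptions; both logs are assumed to use the same local time, and the access log is assumed to be in Apache "combined" format.

```python
import posixpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: Exim lines follow the alert format in the post;
# the access-log lines (IPs, cache.php) are made up for illustration.
EXIM_LOG = """\
2016-07-19 11:38:13 cwd=/home/domain/public_html 3 args: /usr/sbin/sendmail -t -i
2016-07-19 01:36:11 cwd=/home/domain/public_html/wp-includes/js/thickbox 4 args: /usr/sbin/sendmail -t -i -fgwendolyn_brewer@domain.com
2016-07-19 01:36:12 cwd=/home/domain/public_html/wp-includes/js/thickbox 4 args: /usr/sbin/sendmail -t -i -fx@domain.com
"""
ACCESS_LOG = """\
203.0.113.7 - - [19/Jul/2016:01:36:10 +0500] "POST /wp-includes/js/thickbox/cache.php HTTP/1.1" 200 12 "-" "-"
198.51.100.4 - - [19/Jul/2016:01:36:10 +0500] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [19/Jul/2016:01:36:11 +0500] "POST /wp-includes/js/thickbox/cache.php HTTP/1.1" 200 12 "-" "-"
"""
DOCROOT = "/home/domain/public_html"  # document root as shown in the alert
CWD_RE = re.compile(r"^(\S+ \S+) cwd=(\S+) \d+ args: (.*sendmail.*)$")
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]*\] "(\S+) (\S+)')

def mail_by_cwd(exim_text):
    """Map each sending directory to the timestamps of its sendmail calls."""
    hits = defaultdict(list)
    for line in exim_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            hits[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return hits

def requests_near(access_text, cwd, times, window=5):
    """Count POSTs to .php files directly in cwd, up to `window` seconds before a send."""
    subdir = cwd[len(DOCROOT):]  # URL directory, assuming cwd lies under DOCROOT
    found = defaultdict(int)
    for line in access_text.splitlines():
        m = REQ_RE.match(line)
        if not m or m.group(3) != "POST":
            continue
        ip, path = m.group(1), m.group(4).split("?", 1)[0]
        # Time-zone offset is dropped: both logs assumed to be in server local time.
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        same_dir = posixpath.dirname(path).rstrip("/") == subdir
        if same_dir and path.endswith(".php") and any(
                timedelta(0) <= t - when <= timedelta(seconds=window) for t in times):
            found[(ip, path)] += 1
    return dict(found)

if __name__ == "__main__":
    for cwd, times in sorted(mail_by_cwd(EXIM_LOG).items(), key=lambda kv: -len(kv[1])):
        print(len(times), cwd, min(times), requests_near(ACCESS_LOG, cwd, times))
```

The IPs this surfaces are the clients triggering the mailer script; finding how the file was written in the first place means searching the same access log around the file's creation time.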
     