The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Account compromised can't delete files

Discussion in 'General Discussion' started by dmcsatl, Nov 20, 2014.

  1. dmcsatl

    dmcsatl Registered

    Joined:
    Nov 20, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Atlanta, Georgia, United States
    cPanel Access Level:
    Root Administrator
    I saw a few threads on this put nothing there helped me.

    I saw that one of my accounts were compromised causing high server loads. I find some files such as in a new directory "log" with the file "error.php".

    I tried deleting it but it keeps reappearing. Meaning I run the rm -rf error.php command under root, then it appears the file to be removed but then I run ls -l and the file is back. I tried "chown", "chmod", chattr -i, etc. nothing seems to work.

    the output for chattr -i is "-----------e" not sure what that means

    Cpanel is not working either.
     
  2. 24x7ss

    24x7ss Well-Known Member

    Joined:
    Sep 30, 2014
    Messages:
    271
    Likes Received:
    16
    Trophy Points:
    18
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello:)

    I would suggest you to check the logs for the root cause of these files getting uploaded repeatedly. I suspect these files are getting uploaded using POST method and there must a file under that account using which these files are getting uploaded. You may also want to check FTP logs and cPanel access logs even though the panel is not working.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I highly suggest consulting with a qualified system administrator or security specialist if you are not sure how to proceed. Forum posts will offer some help, but it's no substitute for a full investigation of the account or an audit of the overall security of your system.

    Thank you.
     
Loading...

Share This Page