Account compromised can't delete files

dmcsatl

Registered
Nov 20, 2014
1
0
1
Atlanta, Georgia, United States
cPanel Access Level
Root Administrator
I saw a few threads on this put nothing there helped me.

I saw that one of my accounts were compromised causing high server loads. I find some files such as in a new directory "log" with the file "error.php".

I tried deleting it but it keeps reappearing. Meaning I run the rm -rf error.php command under root, then it appears the file to be removed but then I run ls -l and the file is back. I tried "chown", "chmod", chattr -i, etc. nothing seems to work.

the output for chattr -i is "-----------e" not sure what that means

Cpanel is not working either.
 

24x7ss

Well-Known Member
Sep 30, 2014
272
17
68
India
cPanel Access Level
Root Administrator
Twitter
Hello:)

I would suggest you to check the logs for the root cause of these files getting uploaded repeatedly. I suspect these files are getting uploaded using POST method and there must a file under that account using which these files are getting uploaded. You may also want to check FTP logs and cPanel access logs even though the panel is not working.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
Hello :)

I highly suggest consulting with a qualified system administrator or security specialist if you are not sure how to proceed. Forum posts will offer some help, but it's no substitute for a full investigation of the account or an audit of the overall security of your system.

Thank you.