Account Compromised via FTP Access

Discussion in 'Security' started by ambersabre, Sep 18, 2014.

  1. ambersabre

    ambersabre Member

    Joined:
    Sep 18, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I'm hoping somebody can advise me on this situation. I have recently given somebody FTP access to an account on my VPS, who seems to have uploaded some malicious code to the server. I have deleted most of it and performed numerous system scans using Maldetect through SSH; however, I am left with a folder in this directory which seems to be a shortcut into the main cPanel directory, as I can see files such as 'abrt, adm, bin, clamav, cpanel' etc. and folders containing other account information mapped to other domain names. I was going to delete the whole directory, but I noticed that the permissions of these files are set to read, write and execute by EVERYBODY, including world.
    Can anybody advise me on how to check whether the main cPanel files are configured correctly with the right permissions?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you provide an example of a file with permission/ownership values you think are invalid? Note that you should likely terminate the account if you determine it was used for malicious purposes.

    Thank you.
     
  3. ambersabre

    ambersabre Member

    Joined:
    Sep 18, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello! Thanks for your reply.
    Inside the folder in question (a folder that was created in the public_html directory for a website in a specific account) there are these files, which are text/x-generic, although when I click edit there is nothing there.

    cpanel
    cpaneleximfilter
    cpaneleximscanner
    cpanelhorde
    cpanellogaholic
    cpanellogin
    cpanelphpmyadmin...
    daemon
    dovecot...

    nobody
    ntp
    operator
    postfix
    root
    saslauth
    shutdown
    sshd
    sync
    tcpdump
    uucp
    vcsa... the list goes on.

    The other folders in here are also accounts that have been created for other domain names and are httpd/unix-directory; again, when I click on these there is nothing inside, even though the actual accounts do have contents, e.g. full websites.

    These are the files which I am worried are linked to my cPanel, and they all have the permissions set to 0777, which seems kind of scary. Also, when I try to change the permissions, it does not work; it changes straight back to 777.

    The owner is just root currently.


    Many thanks
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  5. ambersabre

    ambersabre Member

    Joined:
    Sep 18, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    [Attachment: Untitled-2.png]

    Hi, I'm really not sure if they are just links; it is very odd. I have uploaded a screenshot to show you what I mean. I'm using the File Manager to view this.

    I have to say also that I only found this folder while I was doing a back-up to my PC. My antivirus prompted a threat (a backdoor trojan) originating from the directory they had access to. So when I went to take a look, there were various scripts in there. I'm not very experienced with PHP, but I found references to webroot hack tools, quotes like 'you have been hacked', profanity, etc.

    I opened one .shtml file in my browser, which led me to the WHM login screen. Very confusing and frustrating :/ I'm doing my best to make sure my system is secure, but I just can't seem to get my head around this directory and why it seems like there is a window into the actual control panel from this account.

    Thank you for your help

    Amber
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    It's likely a better idea to review the directory listing via SSH. Also, I suggest consulting with a qualified system administrator if you are concerned about the security of your system.

    Thank you.
     
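Editor's note with an added example (not code from the thread or from cPanel): the SSH-based review suggested above can be scripted. The open question in the thread is whether the entries are real directories or symbolic links into the rest of the filesystem; on Linux a symlink's own mode is always displayed as 777 and chmod follows the link to its target, which is consistent with a permission change that appears to "change straight back". The script below, written for POSIX sh and assuming GNU `readlink -f` and `find`, lists each entry's type and link target, reports symlinks under a web root that resolve outside it, and reports world-writable non-link entries. The paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: audit a web root for symlinks that escape it and for
# world-writable entries. Assumes POSIX sh plus GNU readlink -f and find.
# Usage: sh audit_webroot.sh /home/EXAMPLE_USER/public_html   (placeholder path)

# For each direct child of $1, print its type and, for symlinks, the raw target.
describe_entries() {
  for entry in "$1"/* "$1"/.[!.]*; do
    # Skip glob patterns that matched nothing (a dangling link still passes -L).
    [ -e "$entry" ] || [ -L "$entry" ] || continue
    if [ -L "$entry" ]; then
      printf 'symlink  %s -> %s\n' "$entry" "$(readlink "$entry")"
    elif [ -d "$entry" ]; then
      printf 'dir      %s\n' "$entry"
    else
      printf 'file     %s\n' "$entry"
    fi
  done
}

# Print every symlink under $1 whose fully resolved target lies outside $1.
# The root itself is resolved first so that comparisons are path-for-path.
find_escaping_symlinks() {
  root=$(readlink -f "$1") || return 1
  find "$root" -type l 2>/dev/null | while IFS= read -r link; do
    target=$(readlink -f "$link") || target="(unresolvable)"
    case "$target" in
      "$root"|"$root"/*) ;;                      # resolves inside the web root
      *) printf '%s -> %s\n' "$link" "$target" ;;  # escapes the web root
    esac
  done
}

# Print regular files and directories under $1 with the world-write bit set.
# Symlinks are excluded because their displayed 777 mode is not meaningful.
find_world_writable() {
  find "$1" ! -type l -perm -002 2>/dev/null
}

# Run the three checks for each directory given on the command line.
if [ $# -gt 0 ]; then
  for dir in "$@"; do
    echo "== Entries in $dir";               describe_entries "$dir"
    echo "== Symlinks escaping $dir";        find_escaping_symlinks "$dir"
    echo "== World-writable entries under $dir"; find_world_writable "$dir"
  done
fi
```

Anything reported by `find_escaping_symlinks` points out of the account's web root and deserves a look at who created it and when (`ls -la --time-style=full-iso` on the link itself); entries that are plain directories with real world-writable modes are fixed with chmod, while a link's mode cannot be changed and the link itself is what to remove or investigate.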