SOLVED Can't delete or rename folders, plus infected files keep showing

Operating System & Version
CENTOS 7.9
cPanel & WHM Version
92.0.10

psytanium

Well-Known Member
Jun 6, 2014
297
16
68
Lebanon
cPanel Access Level
Root Administrator
Hello,

I really need some help with this:
  1. I can't empty the trash bin in File Manager.
  2. I can't rename or delete some folders; I get this message: FileOp Failure: Failed to move 'Grande Salle' to trash (System Error: No such file or directory)
  3. Every day at 7 pm, lots of files are modified automatically; if they contain URLs, they are changed to a pornographic and viagra pills URL.
I tried to replace the website with clean files from my HDD, updated the platform and plugins, and also tried changing the database and cPanel passwords.

I need some help with this please.

Thanks in advance.
 

ZenHostingTravis

Well-Known Member
PartnerNOC
May 22, 2020
275
95
28
Australia
cPanel Access Level
Root Administrator
If it's just one infected account, it's best to restore from a clean backup (that's why it's so important to take regular backups) and then work to update the website and platform and so on.

If the whole server is compromised, you should re-install it from the clean backups.
 

psytanium

Well-Known Member
Jun 6, 2014
297
16
68
Lebanon
cPanel Access Level
Root Administrator
If it's just one infected account, it's best to restore from a clean backup (that's why it's so important to take regular backups) and then work to update the website and platform and so on.

If the whole server is compromised, you should re-install it from the clean backups.
Only 1 user is infected, the other 70 accounts are clean. But what do you mean by restore? Terminate the user and recreate it? Files and emails and stats and databases?? I hope there is a more peaceful way to handle this issue.

Please, I need your support because it's a school website, and students are browsing mature content. This is inappropriate.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,027
313
cPanel Access Level
Root Administrator
If something is automatically creating content at a certain time, it sounds likely that there is a malicious script on the domain that executes at that time. The best way to take care of this problem permanently would be what @ZenHostingTravis said - restore the entire site from a known-good backup.

If you don't have a backup of the site available, you may need to work with a professional administrator to see if the site can be cleaned by someone who is familiar with security and account compromises. I would also recommend scanning the personal computer of any admin that may have had access to the site, as keylogging malware is a common way to steal passwords and get access.
 

psytanium

Well-Known Member
Jun 6, 2014
297
16
68
Lebanon
cPanel Access Level
Root Administrator
If something is automatically creating content at a certain time, it sounds likely that there is a malicious script on the domain that executes at that time. The best way to take care of this problem permanently would be what @ZenHostingTravis said - restore the entire site from a known-good backup.

If you don't have a backup of the site available, you may need to work with a professional administrator to see if the site can be cleaned by someone who is familiar with security and account compromises. I would also recommend scanning the personal computer of any admin that may have had access to the site, as keylogging malware is a common way to steal passwords and get access.
Thank you for your input, these are the precautions I took:

  1. Uploaded a clean backup of the website and app, but this procedure excludes databases and new uploads like images and PDFs.
  2. Searched the databases for the porn URL and found only 1, now cleared.
  3. Changed the passwords using generated passwords.
  4. Now I'm deleting the folders and clearing the Trash with an FTP client like FZ.
I have 2 questions:
  1. But why can't I delete or rename folders from File Manager?
  2. Any further precaution steps you can add?
Thanks again
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,027
313
cPanel Access Level
Root Administrator
There could be any number of reasons it's not working well from File Manager. Can you see what permissions and ownership the file(s) has that you can't delete?

It's always hard to recommend precautions. If you're using something like WordPress for the site, it's best to keep it and all plugins up-to-date to avoid these issues.
 

psytanium

Well-Known Member
Jun 6, 2014
297
16
68
Lebanon
cPanel Access Level
Root Administrator
There could be any number of reasons it's not working well from File Manager. Can you see what permissions and ownership the file(s) has that you can't delete?

It's always hard to recommend precautions. If you're using something like WordPress for the site, it's best to keep it and all plugins up-to-date to avoid these issues.
Yes, now updating the plugins from the backups.

Permission: 0755

How do I see the ownership of those sticky folders ?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,027
313
cPanel Access Level
Root Administrator
It depends on your FTP client - some may not show that.

It might be best to use an SSH connection to see the ownership as that doesn't show up in the File Manager either. We have a guide on using SSH here which you may find helpful if you aren't familiar with that tool:

 

psytanium

Well-Known Member
Jun 6, 2014
297
16
68
Lebanon
cPanel Access Level
Root Administrator
It depends on your FTP client - some may not show that.

It might be best to use an SSH connection to see the ownership as that doesn't show up in the File Manager either. We have a guide on using SSH here which you may find helpful if you aren't familiar with that tool:

Thanks for the help :)

Owner / Group of all folders, sticky and healthy, 1112 / 1114
 

psytanium

Well-Known Member
Jun 6, 2014
297
16
68
Lebanon
cPanel Access Level
Root Administrator
As long as that's the correct cPanel user, that wouldn't be the issue then. Do the items you're trying to delete also show up in SSH? If so, then I'm not sure why they couldn't be removed through file manager.
I use Terminal in WHM to SSH; I browsed this infected user, and the sticky folders are there. Any suggestion why I can't remove them from File Manager? This is the error I get:
Code:
FileOp Failure on: /home/user/public_html/path/Grande Salle: No such file or directory
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,027
313
cPanel Access Level
Root Administrator
Can you run these commands from the Terminal application to get more details on that file?

Code:
ls -lah /home/user/public_html/path/Grande Salle
lsattr /home/user/public_html/path/Grande Salle
It may help to tab-complete those file names so the space is properly executed in bash.
 

psytanium

Well-Known Member
Jun 6, 2014
297
16
68
Lebanon
cPanel Access Level
Root Administrator
Can you run these commands from the Terminal application to get more details on that file?

Code:
ls -lah /home/user/public_html/path/Grande Salle
lsattr /home/user/public_html/path/Grande Salle
It may help to tab-complete those file names so the space is properly executed in bash.
Code:
total 288K
drwxr-xr-x 5 user user  135 Jul 18  2020 .
drwxr-xr-x 9 user user  153 Feb 12 15:15 ..
-rw-r--r-- 1 user user 1.3K Sep 13  2019 index.html
drwxr-xr-x 4 user user  105 Jul 18  2020 panos
drwxr-xr-x 2 user user 4.0K Jul 18  2020 plugins
drwxr-xr-x 2 user user 4.0K Jul 18  2020 skin
-rw-r--r-- 1 user user 2.2K Sep 13  2019 tour_editor.html
-rw-r--r-- 1 user user 158K Sep 13  2019 tour.js
-rw-r--r-- 1 user user 106K Sep 13  2019 tour.swf
-rw-r--r-- 1 user user 2.2K Sep 13  2019 tour.xml
and ..

Code:
[[email protected] v105]# lsattr /home/user/public_html/v105/3_2\ Grande\ Salle\ du\ Collège/
---------------- /home/user/public_html/v105/3_2 Grande Salle du Collège/index.html
---------------- /home/user/public_html/v105/3_2 Grande Salle du Collège/panos
---------------- /home/user/public_html/v105/3_2 Grande Salle du Collège/plugins
---------------- /home/user/public_html/v105/3_2 Grande Salle du Collège/skin
---------------- /home/user/public_html/v105/3_2 Grande Salle du Collège/tour.js
---------------- /home/user/public_html/v105/3_2 Grande Salle du Collège/tour.swf
---------------- /home/user/public_html/v105/3_2 Grande Salle du Collège/tour.xml
---------------- /home/user/public_html/v105/3_2 Grande Salle du Collège/tour_editor.html
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,027
313
cPanel Access Level
Root Administrator
That all looks normal to me, so I'm not sure why the removal through File Manager wouldn't work well. The only guess I have would be that the file didn't exist by the time you accessed it in the interface since it was being manipulated by the malicious script, but that is a complete guess.
 

psytanium

Well-Known Member
Jun 6, 2014
297
16
68
Lebanon
cPanel Access Level
Root Administrator
That all looks normal to me, so I'm not sure why the removal through File Manager wouldn't work well. The only guess I have would be that the file didn't exist by the time you accessed it in the interface since it was being manipulated by the malicious script, but that is a complete guess.
I'm afraid I have to destroy the user account and restore everything, emails, database, etc. If you have other possibilities to share plz let me know.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,027
313
cPanel Access Level
Root Administrator
For this situation I do agree restoring a backup would be the best way to ensure there is no more malicious code present on the site.

In the user example you provided, the different group ID would indicate the group ownership is the Apache "nobody" user, which is normal for the public_html directory to have depending on the server settings and PHP handler.
 
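The checks discussed above (ownership against the cPanel user's ids, files rewritten on a daily schedule, and the lsattr flags that block deletion) gathered into one audit script. This is an added example, not code from the thread or from cPanel; the uid/gid 1112/1114 are the values psytanium reported, while the docroot path, the grep pattern and the function names are assumptions.

```shell
#!/bin/sh
# Audit helpers for a cPanel account's document root (constructed example).
# Assumes a Linux host with find and ls; lsattr (e2fsprogs) is optional.
# Typical use for the account in the thread:
#   audit_ownership /home/user/public_html 1112 1114
#   recent_changes  /home/user/public_html 1440 'suspect-domain.example'
#   check_attrs     /home/user/public_html

# Entries whose owner or group differ from the expected numeric uid/gid.
# Output is one "ls -ldn" line per entry, so the stray 99 (nobody) group
# seen in the thread shows up directly in the group column.
audit_ownership() {
  dir=$1; uid=$2; gid=$3
  find "$dir" \( ! -user "$uid" -o ! -group "$gid" \) -exec ls -ldn {} +
}

# Files modified in the last N minutes (default 1440, i.e. one day), which
# catches a daily 19:00 rewrite when run the next morning. With a third
# argument, only files containing that pattern (the injected URL) are listed.
recent_changes() {
  dir=$1; mins=${2:-1440}; pat=$3
  if [ -n "$pat" ]; then
    find "$dir" -type f -mmin "-$mins" -exec grep -l -- "$pat" {} +
  else
    find "$dir" -type f -mmin "-$mins" -print
  fi
}

# The i (immutable) and a (append-only) attributes block rename and delete
# even for root; lsattr prints them in the flag field before each path.
check_attrs() {
  dir=$1
  if ! command -v lsattr >/dev/null 2>&1; then
    echo "lsattr not available, skipping attribute check" >&2
    return 0
  fi
  lsattr -R "$dir" 2>/dev/null | grep -E '^[^ ]*[ia]' \
    || echo "no immutable/append-only entries under $dir"
}
```

Run it as root (or as the account user for its own files) and compare the uid/gid you pass with `id user`; anything listed by audit_ownership that the PHP handler does not explain deserves a closer look.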

psytanium

Well-Known Member
Jun 6, 2014
297
16
68
Lebanon
cPanel Access Level
Root Administrator
For this situation I do agree restoring a backup would be the best way to ensure there is no more malicious code present on the site.

In the user example you provided, the different group ID would indicate the group ownership is the Apache "nobody" user, which is normal for the public_html directory to have depending on the server settings and PHP handler.
Why do all directories have the User / Group 1112 / 1114, but only 1 folder has this Owner / Group 1112 / 99?? I'm afraid the person who created the app also created a special permission to modify the account directories. Because this developer worked only on this 1112 / 99 folder and the deal didn't end peacefully with him.
 

psytanium

Well-Known Member
Jun 6, 2014
297
16
68
Lebanon
cPanel Access Level
Root Administrator
Anyway, I restored everything and still cannot delete or rename a folder. I tried to simply delete the twentytwenty theme from a fresh WordPress install, still having the same problem.

Code:
FileOp Failure on: /home/user/public_html/wp-content/themes/twentytwenty: No such file or directory
Could this be something related to cPanel configuration, rather than something malicious?