Files dropped into empty directories

wiredafrican

Registered
Jun 6, 2018
3
0
1
Australia
cPanel Access Level
Website Owner
Hi All,

I've got an issue with files being put into cPanel directories even though there is nothing in them beforehand.

Hosting provider has done a "root cause analysis" without finding the cause.
A renowned web security company is also lost as to how they are dropping these files across the folders on my hosting account.

We have tried the usual tricks of changing passwords, deleting FTP accounts, putting in htaccess files and index.php files across the website folders, etc.

Everyone has no idea how they are breaching the server security.

Wordfence picks up the usual global php code indicators in the files they are dropping on the server and records some as kidslug backdoors, etc. or that files have been altered and contain malware coding.

Also finding hidden ico files with code in them amongst all the php files they drop across the web directories.

As a test of a theory I had, I created two new empty directories: a-test-folder and a-test-folder.com. I wanted to rule out that the breaches were coming from another website directory within public html.

I immediately noticed that the folder without a domain ext does not get files dropped into it.
I suspect they have some way of scanning the folders in the cPanel account looking for those that may contain websites in them and then start dropping files into those folders.

Some files are dropped 3 or more levels deep in the folder structure which makes them harder to find with the eye, Wordfence and Webdefender.

Hosting company refuses to admit there may be a problem on their side and offers the typical "security is your problem" response.

This has been going on for 5 months and we are no closer to finding a way to stop it from happening.

1. Any suggestions?
2. Any scripts or tricks that anyone knows of that will prevent new files being dropped into folders without impacting on the websites that are running in some folders?

I've gotten to the point that this will only go away with the help of someone that luuuuves investigating these sorts of weird issues.
 

wiredafrican

Another thing I've now confirmed is that the files with code inserted inside the files have not had their file date changed. i.e. the Last modified date remains the same even though the file has been changed.
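
The posts above describe three things a date-based check misses: files dropped several levels deep, `.ico` files containing PHP, and altered files whose last-modified date is unchanged. The following is an added example, not part of the thread or any tool named in it: a content-hash baseline diff that flags all three. The directory names and file contents in `demo()` are constructed, and it assumes the baseline is taken from a known-clean state and stored outside the hosting account.

```python
import hashlib, os, tempfile

def snapshot(root):
    """Map relative path -> (sha256, mtime_ns, is_ico_with_php) for all files under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):  # walks every depth, dotfiles included
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            ico_php = name.lower().endswith(".ico") and b"<?php" in data
            snap[os.path.relpath(full, root)] = (
                hashlib.sha256(data).hexdigest(), os.stat(full).st_mtime_ns, ico_php)
    return snap

def compare(old, new):
    """Classify what changed between a trusted baseline and the current state."""
    report = {"new": [], "removed": [], "changed": [], "changed_same_mtime": [], "php_in_ico": []}
    for path, (digest, mtime, ico_php) in new.items():
        if ico_php:
            report["php_in_ico"].append(path)
        if path not in old:
            report["new"].append(path)
        elif old[path][0] != digest:  # content differs, whatever the date says
            kind = "changed_same_mtime" if old[path][1] == mtime else "changed"
            report[kind].append(path)
    report["removed"] = [p for p in old if p not in new]
    return {key: sorted(paths) for key, paths in report.items()}

def demo():
    """Build a constructed docroot, alter it as the posts describe, and diff it."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "a-test-folder.com")
        deep = os.path.join(site, "x", "y", "z")
        os.makedirs(deep)
        index = os.path.join(site, "index.php")
        with open(index, "w") as fh:
            fh.write("<?php echo 'site'; ?>\n")
        baseline = snapshot(root)
        stamp = os.stat(index)
        with open(index, "a") as fh:  # constructed stand-in for inserted code
            fh.write("<?php /* constructed marker */ ?>\n")
        os.utime(index, ns=(stamp.st_atime_ns, stamp.st_mtime_ns))  # mtime put back
        with open(os.path.join(deep, ".hidden.ico"), "w") as fh:
            fh.write("<?php /* constructed marker */ ?>\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On Linux, the inode change time (`st_ctime`) cannot be set back with `utime`, so listing it alongside the modified date is another way to spot files altered with a preserved date.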