Files dropped into empty directories

Discussion in 'Security' started by wiredafrican, Jun 6, 2018.

  1. wiredafrican

    wiredafrican Registered

    Joined:
    Jun 6, 2018
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Australia
    cPanel Access Level:
    Website Owner
    Hi All,

    I've got an issue with files being put into cPanel directories even though there is nothing in them beforehand.

    Hosting provider has done a "root cause analysis" without finding the cause.
    A renowned web security company is also lost as to how they are dropping these files across the folders on my hosting account.

    We have tried the usual tricks of changing passwords, deleting FTP accounts, putting in htaccess files and index.php files across the website folders, etc.

    Everyone has no idea how they are breaching the server security.

    Wordfence picks up the usual global php code indicators in the files they are dropping on the server and records some as kidslug backdoors, etc. or that files have been altered and contain malware coding.

    Also finding hidden ico files with code in them amongst all the php files they drop across the web directories.

    As a test of a theory I had, I created two new empty directories: a-test-folder and a-test-folder.com. I wanted to rule out that the breaches were coming from another website directory within public html.

    I immediately noticed that the folder without a domain ext does not get files dropped into it.
    I suspect they have some way of scanning the folders in the cPanel account looking for those that may contain websites in them and then start dropping files into those folders.

    Some files are dropped 3 or more levels deep in the folder structure which makes them harder to find with the eye, Wordfence and Webdefender.

    Hosting company refuses to admit there may be a problem on their side and offers the typical "security is your problem" response.

    This has been going on for 5 months and we are no closer to finding a way to stop it from happening.

    1. Any suggestions?
    2. Any scripts or tricks that anyone knows of that will prevent new files being dropped into folders without impacting on the websites that are running in some folders?

    I've gotten to the point that this will only go away with the help of someone that luuuuves investigating these sorts of weird issues.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,161
    Likes Received:
    370
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    5 months? Time for a new Hosting Provider.

    You should find this script of great use I would think:
    cPanel App Catalog :: ConfigServer eXploit Scanner
     
  3. wiredafrican

    wiredafrican Registered

    Thanks Infopro, but I'm not able to load tools like that onto the hosting company servers and I'm 99% certain that they wouldn't purchase it just for me.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Agreed. Time to find a more secure WebHost.
     
  5. wiredafrican

    wiredafrican Registered

    Another thing I've now confirmed is that the files with code inserted inside the files have not had their file date changed, i.e. the Last modified date remains the same even though the file has been changed.
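
An added example, not part of the original thread and not a cPanel or hosting-provider tool: the last post reports that altered files keep their Last modified date, so a check for dropped or altered files has to compare content hashes instead of timestamps. The sketch below does that for a directory tree; `snapshot`, `compare` and `demo` are hypothetical names, and the sample tree in `demo` is constructed.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map relative path -> (sha256 of content, mtime_ns) for each regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                snap[os.path.relpath(path, root)] = (digest, os.stat(path).st_mtime_ns)
    return snap

def compare(old, new):
    """Report new, missing and altered files; flag altered files whose mtime did not move."""
    report = {"added": [], "removed": [], "modified": [], "mtime_preserved": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel][0] != new[rel][0]:
            report["modified"].append(rel)
            if old[rel][1] == new[rel][1]:
                report["mtime_preserved"].append(rel)
    return report

def demo():
    """Constructed tree: one file altered with its old mtime kept, one file added 3 levels deep."""
    with tempfile.TemporaryDirectory() as root:
        deep = os.path.join(root, "a-test-folder.com", "x", "y", "z")
        os.makedirs(deep)
        index = os.path.join(root, "a-test-folder.com", "index.php")
        with open(index, "w") as fh:
            fh.write("<?php // constructed original\n")
        before = snapshot(root)
        old = os.stat(index)
        with open(index, "a") as fh:
            fh.write("// constructed alteration\n")
        os.utime(index, ns=(old.st_atime_ns, old.st_mtime_ns))  # mtime back to the old value
        with open(os.path.join(deep, "favicon.ico"), "w") as fh:
            fh.write("constructed new file\n")
        return compare(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Keep the baseline snapshot somewhere other than the hosting account, since anything able to write to the web directories could also rewrite a baseline stored there.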
     