Find out how file was uploaded? Which logs?

Discussion in 'Security' started by Forcerdj, Oct 3, 2016.

  1. Forcerdj (Well-Known Member, joined Nov 30, 2009)

    Hi,

    One of my clients' WordPress sites is hacked daily: random .php files are uploaded to send mail spam. I am quick to delete the problematic code, but it comes back the next day.

    We are changing passwords, updating plugins, etc., but can't pinpoint the problem.

    I am wondering if it is possible to see how the .php files are being injected. How are they being added to the account? I'm assuming through some injection in rubbish code, but I can't find it anywhere. Would the logs help me see where it's coming from? If so, where can I find the log? Thanks.
     
  2. Forcerdj (Well-Known Member, joined Nov 30, 2009)

    Thanks for this. I have been looking for some valuable information inside /usr/local/apache/domlogs/$domain. I can see the uploaded files being accessed, but no indication of how they actually got there.

    We have pretty much re-installed all plugins and WordPress, removed a lot of stuff, and went through files manually, yet somehow a file keeps re-appearing.

    I set up a cron to check for the file every minute, and it is auto-deleted. This has helped but is not really fixing the problem. We must have a script or something on the server that is allowing a backdoor into the account.

    Surely there is a way to find out how?
     
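The domlog the poster is already reading does record the request that created the dropper, but it is not marked as such; it has to be found by correlation. The script below is an added example, not code from this thread or from cPanel: it parses Apache combined-format lines (the format written to /usr/local/apache/domlogs/<domain>), takes the first request to the dropped file (or the file's mtime, captured before the cleanup cron removes it) as the latest moment the file could have been created, and lists every POST/PUT in the window before that, plus every POST/PUT from the same IPs that later call the file. The log lines, IPs and the "example-uploader" plugin path are constructed for the illustration.

```python
import re
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

# One line of Apache "combined" format, as cPanel writes it to
# /usr/local/apache/domlogs/<domain>.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (documentation IPs, made-up plugin path). The last
# line is deliberately malformed to show that unparsable lines are skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Oct/2016:04:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2134 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Oct/2016:04:02:40 +0000] "POST /wp-content/plugins/example-uploader/upload.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Oct/2016:04:05:03 +0000] "GET /index.php HTTP/1.1" 200 9104 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Oct/2016:04:06:12 +0000] "POST /wp-content/uploads/2016/10/wp-cache.php HTTP/1.1" 200 13 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Oct/2016:04:07:01 +0000] "POST /wp-content/uploads/2016/10/wp-cache.php?x=1 HTTP/1.1" 200 13 "-" "Mozilla/5.0"
192.0.2.55 - - [03/Oct/2016:03:40:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
not a log line
""".splitlines()

DROPPED = "/wp-content/uploads/2016/10/wp-cache.php"  # constructed dropper path


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def epoch_to_utc(seconds):
    """Aware UTC datetime from a Unix timestamp (e.g. a file's st_mtime)."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def file_mtime(path):
    """mtime of the dropped file; only works while the file still exists."""
    return epoch_to_utc(Path(path).stat().st_mtime)


def find_dropper_candidates(lines, dropped_path, bound=None, window=timedelta(minutes=10)):
    """
    Correlate a domlog with a dropped file:
      hits          - every request to dropped_path (query string ignored)
      bound         - latest time the file can have been created: the given
                      mtime, or else the earliest hit
      writes_before - POST/PUT requests in the `window` before `bound`, i.e.
                      candidate exploited endpoints
      same_ip_posts - POST/PUT requests from the IPs that called the file,
                      anywhere in the log (the attacker's other activity)
    """
    entries = [e for e in map(parse_line, lines) if e]
    hits = [e for e in entries if e["path"].split("?", 1)[0] == dropped_path]
    caller_ips = {e["ip"] for e in hits}
    if bound is None and hits:
        bound = min(e["time"] for e in hits)

    def is_write_elsewhere(e):
        return e["method"] in ("POST", "PUT") and e["path"].split("?", 1)[0] != dropped_path

    writes_before = [] if bound is None else [
        e for e in entries if is_write_elsewhere(e) and bound - window <= e["time"] < bound
    ]
    same_ip_posts = [e for e in entries if is_write_elsewhere(e) and e["ip"] in caller_ips]
    return {"hits": hits, "bound": bound, "writes_before": writes_before, "same_ip_posts": same_ip_posts}


def report(result):
    """Print the correlation in a form that is easy to read on a console."""
    print("bound (file existed by):", result["bound"])
    for label in ("writes_before", "same_ip_posts"):
        print(f"{label}:")
        for e in result[label]:
            print(f'  {e["time"]:%Y-%m-%d %H:%M:%S} {e["ip"]} {e["method"]} {e["path"]} {e["status"]}')


if __name__ == "__main__":
    # Usage: python find_dropper.py /usr/local/apache/domlogs/DOMAIN /wp-content/uploads/x.php [/home/user/public_html/wp-content/uploads/x.php]
    if len(sys.argv) < 3:
        report(find_dropper_candidates(SAMPLE_LOG, DROPPED))
    else:
        log_lines = Path(sys.argv[1]).read_text(errors="replace").splitlines()
        mtime = file_mtime(sys.argv[3]) if len(sys.argv) > 3 else None
        report(find_dropper_candidates(log_lines, sys.argv[2], bound=mtime))
```

On the constructed log the only write in the ten minutes before the dropper is first called is the POST to the plugin's upload.php from the same IP, which is where a practitioner would look next (that plugin's upload handler, and whether the request was authenticated). Two caveats: the window and the POST/PUT filter are heuristics, so widen the window or drop the method filter if nothing shows up, and a file that arrived over FTP, SSH, cron or a compromised cPanel session will not be in the domlog at all, which is why the password reset advice further down matters.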
  3. cPanelMichael (Forums Analyst, Staff Member, joined Apr 11, 2011, cPanel Access Level: Root Administrator)

    Have you reset the passwords to the cPanel account, and any FTP accounts with access to upload files to that location? If so, you may need to consult with a qualified system administrator to further investigate what's happening. You can find a list of system administrative services at:

    System Administration Services | cPanel Forums

    Thank you.
     
  4. hrace009 (Well-Known Member, joined Dec 24, 2013, cPanel Access Level: Root Administrator)

    It will be useless to search for it by IP, since most hackers/defacers use dynamic IPs or proxies; there are so many free proxies out there.
    You should think about using CXS for that and customize your cxs.xtra to match the regex; there are plenty of useful regexes on the ConfigServer forum, and don't forget to use OWASP and whitelist the ID.
    Or, as a better choice, use CloudLinux, but it still depends on your configuration.
     