The Community Forums


How to locate how file was uploaded

Discussion in 'Security' started by skysel, Feb 14, 2011.

  1. skysel

    skysel Member

    Joined:
    Nov 30, 2010
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    In recent weeks I'm finding a few sites constantly attacked/hacked. Luckily, maldetect is there to save the day.

    I want to block such further attacks (either IP or tweak apache security). Any help appreciated.

    Code:
    malware detect scan report for newhope.afektnet.net:
    SCAN ID: 021311-0402.4962
    TIME: Feb 13 04:16:06 +0100
    PATH: /home*/*/public_html
    RANGE: 2 days
    TOTAL FILES: 4543
    TOTAL HITS: 2
    TOTAL CLEANED: 1
    
    CLEANED & RESTORED FILES:
    /home/lamamic/public_html/admin/images/upld/mk9.php
    
    FILE HIT LIST:
    {HEX}gzbase64.inject.unclassed.14 : /home/lamamic/public_html/admin/images/upld/mk9.php => /usr/local/maldetect/quarantine/mk9.php.31881
    {MD5}php.cmdshell.r57.1777 : /home/mobiraj/public_html/images/kagdkv.php => /usr/local/maldetect/quarantine/kagdkv.php.14481
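    The thread title asks how to find out how a file like mk9.php got there. As an added example (not part of any post above), the POSIX shell functions below take the path maldetect reported and search an Apache access log for the requests that first touched that file, and for the URLs the same client POSTed to just before, which is normally the upload script. The log lines are constructed for the example, the domain and addresses are fictitious, and the function names are this example's own; on a cPanel server the real per-domain log is /usr/local/apache/domlogs/<domain>.

```shell
#!/bin/sh
# Added example, not code from the thread: given the file path that maldetect
# reported, search an Apache access log for the requests that created it.
# Function names are this example's own.

# Constructed sample of Apache "combined" log lines (fictitious domain and
# RFC 5737 documentation addresses). On a cPanel server the real per-domain
# log is /usr/local/apache/domlogs/<domain>.
make_sample_log() {
  cat <<'EOF'
203.0.113.7 - - [13/Feb/2011:03:58:02 +0100] "GET /admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Feb/2011:03:58:40 +0100] "POST /admin/images/upload.php HTTP/1.1" 200 312 "http://example.test/admin/images/" "Mozilla/5.0"
203.0.113.7 - - [13/Feb/2011:03:59:01 +0100] "GET /admin/images/upld/mk9.php HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Feb/2011:04:01:15 +0100] "GET /index.php HTTP/1.1" 200 7730 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Feb/2011:04:02:33 +0100] "POST /admin/images/upld/mk9.php?cmd=id HTTP/1.1" 200 140 "-" "Mozilla/5.0"
EOF
}

# Turn /home/<user>/public_html/... into the path as it appears in the log.
web_path() {
  printf '%s\n' "${1#/home/*/public_html}"
}

# Every log line that references the dropped file, in log (time) order.
# $1 = access log, $2 = filesystem path maldetect flagged.
requests_to_file() {
  grep -F -- "$(web_path "$2")" "$1"
}

# Distinct client addresses that requested the dropped file.
attacker_ips() {
  requests_to_file "$1" "$2" | awk '{ print $1 }' | sort -u
}

# For each of those clients, print the URLs it POSTed to before its first
# request to the dropped file. The upload script is normally among them.
upload_candidates() {
  wp=$(web_path "$2")
  for ip in $(attacker_ips "$1" "$2"); do
    awk -v ip="$ip" -v wp="$wp" '
      $1 == ip && index($0, wp) { exit }        # reached the first hit on the dropped file
      $1 == ip && $6 == "\"POST" { print $7 }   # earlier POSTs from the same client
    ' "$1"
  done | sort -u
}

# Stand-alone demo on the constructed log when run with no arguments;
# with two arguments: <access log> <flagged file path>.
if [ "$#" -eq 2 ]; then
  upload_candidates "$1" "$2"
elif [ "$#" -eq 0 ]; then
  demo=${TMPDIR:-/tmp}/access_log.$$
  make_sample_log > "$demo"
  echo "clients:";      attacker_ips      "$demo" /home/lamamic/public_html/admin/images/upld/mk9.php
  echo "uploaded via:"; upload_candidates "$demo" /home/lamamic/public_html/admin/images/upld/mk9.php
  rm -f "$demo"
fi
```

    Narrow the search with the file's modification time (stat on the quarantined copy) and read the lines around it; a POST to a script in the same area a few seconds before the first GET of the dropped file is the upload vector, and that script is what needs patching or disabling. If no web request references the file at all, it did not come in through Apache, so the FTP and cPanel login logs for that account are the next place to look. Once the client address is known, grep every domlog for it to see which other accounts it visited.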
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Just guessing of course, but:
    /home/lamamic/public_html/admin/images/upld/mk9.php

    There appears to be a directory called upld/ in the admin/images/ directory. Was this directory created when the account was compromised or does this site have some sort of an upload script for images that the admin account can use?

    I think I'd want to check the site software being used to make sure it is up to date and secure. And if that software comes with some sort of upload or file manager script, disable it unless needed. Also check the admin's password and make sure it is very hard to guess. If your server is not running SuPHP, you might look into that, as well as a good firewall: ConfigServer Security & Firewall
     
  3. skysel

    It was created when site was compromised. I will check what the site runs.

    I have the PHP5 handler set to DSO and PHP4 to CGI, and Apache suEXEC is set to ON.

    I cannot turn on SuPHP, since 90% of customer sites won't work anymore after that.

    I have been running CSF for quite some time now and did some tweaks. Anything specific you have in mind, perhaps? I also banned the whole of China and countries like that, since most attacks originate from there and customers are mostly local to our country.
     
  4. Infopro

    Good place to start.

    Without knowing more about those sites I can't comment, other than to say that most problems related to SuPHP can be sorted out, and having directories not writable by "nobody" can help make the server more secure.

    A good place to start from might be: WHM > CSF > Firewall Security Level > High, save, restart firewall.
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hello,

    I did want to address this point:

    You can troubleshoot the reasons they don't work and get them working with a few simple commands most of the time. I have a guide (posted previously from my non-staff account) on most of the commands needed to get the sites working, at this location:

    Switching to suPHP

    If you pre-inform your users about switching to suPHP beforehand, pick a time when it will be slower, and then open a ticket with us to ask for assistance in the switch (we can help you once you switch in troubleshooting errors on sites that don't work), then you could definitely make the change. It's certainly up to you, but many other server administrators and hosts have switched to suPHP over DSO. suPHP is now the default we provide with any new cPanel installation.

    For any site errors, please note you can tail the Apache error log while loading the site to see the exact error it returns on switching to suPHP:

    Code:
    tail -f /usr/local/apache/logs/error_log
    This is also helpful after running the conversion commands, to see if any sites are still having issues.

    Thanks.
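    Infopro's remark about directories writable by "nobody" and cPanelTristan's point that sites broken by the suPHP switch can be repaired with a few commands come down to the same checks. As an added example (not the guide cPanelTristan links to, and not code from any post), the shell functions below find the two usual causes of a 500 after the switch, php_* directives left in .htaccess and group- or world-writable directories and scripts, report paths with the wrong owner, and apply the customary fix. The sample document root is constructed for the example and the function names are this example's own; point the real thing at an account's public_html.

```shell
#!/bin/sh
# Added example, not the guide linked above nor code from any post: find the
# usual reasons a site breaks under suPHP and apply the customary fix.
# Function names are this example's own.

# Constructed sample document root in a scratch directory (hypothetical).
# Modes are set explicitly so the result does not depend on the umask.
make_sample_tree() {
  mkdir -p "$1/images/upld"
  chmod 755 "$1" "$1/images"
  printf 'php_value upload_max_filesize 10M\nRewriteEngine On\n' > "$1/.htaccess"
  printf 'Options -Indexes\n' > "$1/images/.htaccess"
  printf '<?php echo "hi";\n' > "$1/index.php"
  chmod 644 "$1/.htaccess" "$1/images/.htaccess"
  chmod 777 "$1/images/upld"   # the sort of directory an upload script leaves behind
  chmod 666 "$1/index.php"
}

# .htaccess files carrying php_value/php_flag/php_admin_* lines. Those are
# mod_php (DSO) directives; with suPHP Apache no longer knows them and
# answers 500 for everything under that directory.
htaccess_with_php_directives() {
  find "$1" -name .htaccess -exec grep -Eil '^[[:space:]]*php_(admin_)?(value|flag)' {} + 2>/dev/null | sort
}

# Group- or world-writable directories and PHP files: with its default
# settings suPHP refuses to run a script from such a location.
writable_paths() {
  find "$1" \( -perm -020 -o -perm -002 \) \( -type d -o -type f -name '*.php' \) -print | sort
}

# Paths not owned by the account user: suPHP runs scripts as their owner and
# rejects files whose owner does not match. $2 = account username.
owner_mismatch() {
  find "$1" ! -user "$2" -print | sort
}

# The customary preparation: directories 755, PHP files 644, and php_* lines
# in .htaccess commented out (a .bak copy of each edited file is kept).
# Ownership is reported only; fixing it is a chown of the account's files.
prepare_for_suphp() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -name '*.php' -exec chmod 644 {} +
  htaccess_with_php_directives "$1" | while IFS= read -r f; do
    sed -i.bak -E 's/^([[:space:]]*)([Pp][Hh][Pp]_[A-Za-z_]+)/\1# \2/' "$f"
  done
}

# Usage: <document root> <account user> [fix], e.g. /home/lamamic/public_html lamamic.
# Without "fix" it only reports.
if [ "$#" -ge 2 ]; then
  echo "php_* in .htaccess:"; htaccess_with_php_directives "$1"
  echo "writable:";           writable_paths "$1"
  echo "wrong owner:";        owner_mismatch "$1" "$2"
  if [ "$3" = "fix" ]; then prepare_for_suphp "$1"; fi
fi
```

    Run the report first and compare it with what tail -f on the Apache error log shows while the broken site loads; the error names the .htaccess directive or the file suPHP refused, so the two views should agree. The fix only touches *.php files, since CGI scripts still need to stay executable, and the commented-out php_* settings can be moved into a php.ini in the account's directory where suPHP reads them.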
     