Malicious php script keeps coming back.

Discussion in 'Security' started by dmacomber, Nov 12, 2014.

  1. dmacomber

    dmacomber Member

    Joined:
    Oct 9, 2014
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    I have a malicious script /home/MySite/public_html/sites/all/modules/references/menu87.php that sends out spam from a non-existent email address from my domain.

    I delete it and a few days later, it's back sending out spam. I have no idea how to make it stop coming back. Can anyone help?

    I have WHM and cPanel access.

    D-
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    You need to take the timestamps of the file (stat command on the file, i.e. stat file.php) and then reference those to the log files. In most cases, your answer lies in the Apache domain access logs in /home/user/access_logs or /home/user/logs if you have log retention enabled.

    Most likely there is a vulnerable plugin, or other unwanted php file, being used to re-upload the one you're finding. Until you find that it will keep coming back.
     
  3. dmacomber

    dmacomber Member

    Joined:
    Oct 9, 2014
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Quizknows,

    Thanks for the info. I found over 800 entries for November in the log for the PHP script from the same IP. I couldn't get the stat for the file since I deleted it. I guess I could block the IP. Is there anything else I should look for?

    Code:
    146.185.X.X - - [12/Nov/2014:07:15:22 -0500] "POST /sites/all/modules/references/menu87.php HTTP/1.1" 404 29365 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"
     
    #3 dmacomber, Nov 12, 2014
    Last edited by a moderator: Nov 12, 2014
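As an added example (not code from anyone in this thread), the correlation quizknows describes, applied to log lines in the format dmacomber posted: parse the combined-format access log, anchor on the file's stat mtime (or, when the file is already deleted, on the first request to its URL), and list the POSTs to other PHP files that arrived just before it. The sample log lines, the documentation-range IPs and the oldplugin/upload.php path are constructed for the demo.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format, the layout of cPanel's per-domain access logs
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def mtime_of(path):
    """The file's mtime as an aware datetime: what `stat file.php` reports."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def first_seen(lines, dropped_path):
    """Fallback when the file is already deleted: the earliest request to its URL
    is an upper bound on when it was written and can stand in for the mtime."""
    times = [r["when"] for r in map(parse_line, lines) if r and r["path"] == dropped_path]
    return min(times) if times else None

def requests_near(lines, mtime, before=timedelta(minutes=10), after=timedelta(0)):
    """Requests in [mtime - before, mtime + after], oldest first. Whatever wrote the
    file had to arrive no later than its mtime, so the interesting traffic is just before."""
    hits = [r for r in map(parse_line, lines) if r and mtime - before <= r["when"] <= mtime + after]
    return sorted(hits, key=lambda r: r["when"])

def suspect_droppers(hits, dropped_path):
    """POSTs to PHP files other than the dropped one: candidates for the vulnerable
    plugin or uploader that keeps recreating it."""
    return [r for r in hits
            if r["method"] == "POST" and r["path"].endswith(".php") and r["path"] != dropped_path]

# Constructed sample log (documentation-range IPs and a made-up plugin path, not real traffic)
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Nov/2014:07:10:03 -0500] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Nov/2014:07:14:58 -0500] "POST /sites/all/modules/oldplugin/upload.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Nov/2014:07:15:22 -0500] "POST /sites/all/modules/references/menu87.php HTTP/1.1" 200 29365 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Nov/2014:09:00:00 -0500] "GET /about HTTP/1.1" 200 5000 "-" "curl/7.38"',
]
DROPPED = "/sites/all/modules/references/menu87.php"
```

On a live account, read the lines from the domain's file under /home/user/access-logs and pass `mtime_of(path)` as the anchor while the dropped file still exists; `suspect_droppers(requests_near(lines, anchor), DROPPED)` then yields the requests worth tracing to a plugin version.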
  4. Brian

    Brian Well-Known Member

    Joined:
    Dec 1, 2010
    Messages:
    117
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Blocking the IP would simply be addressing the symptom (the file existing), and not the cause (how the file is getting there). Basically, if you block the IP then anyone else can still leverage whatever the exploit is that's being used and put it or any other file back in place.

    You need to determine the *how*. What script vulnerability or software vulnerability exists that is allowing someone to deploy a custom script in your directory?

    This is a tough question to answer, especially when you realize that someone with that level of access could have also deployed their own backdoor that you don't know about into your account. Meaning, if you DO somehow find and fix the origin exploit, they may have their own backdoor so that they can still continue to exploit your account unaffected.

    The "ideal" situation that I tend to recommend to anyone experiencing this behavior is to start fresh with brand new installs of whatever scripts are on your account.

    Set up a new fresh account, deploy NEW installs of scripts on it again (WordPress, phpBB, etc. Whatever you're using) and restore from known good MySQL backups of those scripts. Then, make sure all scripts are up-to-date and security patched. Do NOT pull forward any files from the old account, as you risk bringing forward the vulnerabilities or potential backdoors.

    It's certainly less time consuming than trying to trace back through to the precise code block(s) of whatever script(s) are being abused, and you also reasonably address the risk of bringing forward any backdoors. It does, however, require a decent amount of time and effort.

    I know this may not be the answer you're looking for, but keep in mind every day this goes unaddressed is a day that potentially 100% of your data in that account is wide open to being accessed by one or more persons. Keeping all of your scripts updated and security patched along with the versions of Apache and PHP that you operate is your best bet to prevent this from happening again (once you perform all the fresh install/deployments to address the matter).
     