Bashed

This happens frequently on various cPanel shared/reseller servers despite my security efforts on multiple levels. I see gibberish-named files in PHP format that are used to send spam. They can be uploaded in various user folders, whether using WordPress or not.

How do I prevent this?

Example:
kfrvrwco.php

Some Security Measures (incomplete list):
CloudLinux with CageFS
CSF + Config Exploit Scanner
Bunch of security tweaks set in WHM
PHP.ini Disabled Functions

Code:
[email protected] [/home/user/public_html/addondomain/wp-includes/random_compat]# ls -lh
total 164K
drwxr-xr-x  2 user user 4.0K Apr 10 06:34 ./
drwxr-xr-x 18 user user  12K Jan 10 18:11 ../
-rw-r--r--  1 user user 5.6K Mar  8  2016 byte_safe_strings.php
-rw-r--r--  1 user user 2.5K Mar  8  2016 cast_to_int.php
-rw-r--r--  1 user user 1.5K Oct 23  2015 error_polyfill.php
-rw-r--r--  1 user user  85K Nov 26 15:17 kfrvrwco.php
-rw-r--r--  1 user user 2.6K Jan 18 23:30 random_bytes_com_dotnet.php
-rw-r--r--  1 user user 4.5K Jan 18 23:30 random_bytes_dev_urandom.php
-rw-r--r--  1 user user 2.6K Jan 18 23:30 random_bytes_libsodium_legacy.php
-rw-r--r--  1 user user 2.6K Jan 18 23:30 random_bytes_libsodium.php
-rw-r--r--  1 user user 2.3K Jan 18 23:30 random_bytes_mcrypt.php
-rw-r--r--  1 user user 2.6K Jan 18 23:30 random_bytes_openssl.php
-rw-r--r--  1 user user 5.7K Jan 18 23:30 random_int.php
-rw-r--r--  1 user user 7.6K Mar  8  2016 random.php
 

HostingH

ConfigServer eXploit Scanner is best for it; it sends alerts very quickly. If you're using a content management system (aka "CMS") on your shared hosting, such as WordPress, Joomla or Drupal, check that it's kept up to date at all times. This kind of software is widely used on the Internet, which is why it's often targeted when hackers are trying to take control of a website such as yours.
 

cPanelMichael

Hello,

The following document is a good place to start:

How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

As far as actual sending through PHP scripts, ensure the PHP "Mail" function is added to the disable_functions parameter in your PHP configuration. That, combined with the "SMTP Restrictions" feature referenced in the document above, should prevent scripts from sending email through PHP.

Thank you.
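
Added example (not part of any post in this thread, and not ConfigServer or cPanel code): a metadata-only triage script for directories like the one listed in the first post, flagging PHP files that stand out from their siblings by name, size and modification date. The function names and thresholds are assumptions chosen for illustration, and the sample data is constructed from that listing.

```python
import os
from collections import Counter
from statistics import median

def name_looks_random(filename):
    """Heuristic (assumption): all-letter stem, 6+ chars, under 20% vowels."""
    stem = os.path.splitext(filename)[0].lower()
    if len(stem) < 6 or not stem.isalpha():
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.2

def flag_outliers(entries, size_factor=5, min_signals=2):
    """entries: (name, size_bytes, mtime_day) tuples for ONE directory.
    Returns {name: [signals]} for PHP files hitting at least min_signals."""
    php = [e for e in entries if e[0].lower().endswith(".php")]
    if len(php) < 3:  # too few siblings to compare against
        return {}
    med = median(size for _, size, _ in php)
    day_counts = Counter(day for _, _, day in php)
    flagged = {}
    for name, size, day in php:
        checks = [("random-name", name_looks_random(name)),
                  ("size-outlier", size > size_factor * med),
                  ("lone-mtime", day_counts[day] == 1)]
        signals = [label for label, hit in checks if hit]
        if len(signals) >= min_signals:
            flagged[name] = signals
    return flagged

def scan_tree(root):
    """Walk root (e.g. a user's public_html) and check each directory."""
    report = {}
    for dirpath, _, files in os.walk(root):
        entries = []
        for f in files:
            st = os.lstat(os.path.join(dirpath, f))  # lstat: do not follow symlinks
            entries.append((f, st.st_size, int(st.st_mtime // 86400)))
        for name, signals in flag_outliers(entries).items():
            report[os.path.join(dirpath, name)] = signals
    return report

# Constructed sample: names and dates from the listing above, sizes converted from K to bytes.
SAMPLE = [
    ("byte_safe_strings.php", 5734, "Mar 8 2016"), ("cast_to_int.php", 2560, "Mar 8 2016"),
    ("error_polyfill.php", 1536, "Oct 23 2015"), ("kfrvrwco.php", 87040, "Nov 26"),
    ("random_bytes_com_dotnet.php", 2662, "Jan 18"), ("random_bytes_dev_urandom.php", 4608, "Jan 18"),
    ("random_bytes_libsodium_legacy.php", 2662, "Jan 18"), ("random_bytes_libsodium.php", 2662, "Jan 18"),
    ("random_bytes_mcrypt.php", 2355, "Jan 18"), ("random_bytes_openssl.php", 2662, "Jan 18"),
    ("random_int.php", 5837, "Jan 18"), ("random.php", 7782, "Mar 8 2016"),
]
```

Requiring two signals keeps `error_polyfill.php` (unique date only) out of the report while `kfrvrwco.php` trips all three; a dropped file with a plausible name and matching timestamp would pass, so treat the output as a triage list rather than a verdict.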