Malicious Spam Scripts

Discussion in 'Security' started by Bashed, Apr 10, 2018.

  1. Bashed

    Bashed Well-Known Member

    This happens frequently on various cPanel shared/reseller servers despite my security efforts on multiple levels. I see gibberish named files in php format that are used to send spam. They can be uploaded in various user folders, whether using WordPress or not.

    How do I prevent this?

    Example:
    kfrvrwco.php

    Some Security Measures (incomplete list):
    CloudLinux with Cagefs
    CSF + Config Exploit Scanner
    Bunch of security tweaks set in WHM
    PHP.ini Disabled Functions

    Code:
    root@server [/home/user/public_html/addondomain/wp-includes/random_compat]# ls -lh
    total 164K
    drwxr-xr-x  2 user user 4.0K Apr 10 06:34 ./
    drwxr-xr-x 18 user user  12K Jan 10 18:11 ../
    -rw-r--r--  1 user user 5.6K Mar  8  2016 byte_safe_strings.php
    -rw-r--r--  1 user user 2.5K Mar  8  2016 cast_to_int.php
    -rw-r--r--  1 user user 1.5K Oct 23  2015 error_polyfill.php
    -rw-r--r--  1 user user  85K Nov 26 15:17 kfrvrwco.php
    -rw-r--r--  1 user user 2.6K Jan 18 23:30 random_bytes_com_dotnet.php
    -rw-r--r--  1 user user 4.5K Jan 18 23:30 random_bytes_dev_urandom.php
    -rw-r--r--  1 user user 2.6K Jan 18 23:30 random_bytes_libsodium_legacy.php
    -rw-r--r--  1 user user 2.6K Jan 18 23:30 random_bytes_libsodium.php
    -rw-r--r--  1 user user 2.3K Jan 18 23:30 random_bytes_mcrypt.php
    -rw-r--r--  1 user user 2.6K Jan 18 23:30 random_bytes_openssl.php
    -rw-r--r--  1 user user 5.7K Jan 18 23:30 random_int.php
    -rw-r--r--  1 user user 7.6K Mar  8  2016 random.php
     
  2. HostingH

    HostingH Well-Known Member

    ConfigServer eXploit Scanner is best for it, which sent alerts very quickly. If you're using a content management system (aka "CMS") on your shared hosting, such as WordPress, Joomla or Drupal, check that it's being kept up to date at all times. This kind of software is widely used on the Internet, which is why it's often targeted when hackers are trying to take control of a website such as yours.
     
    #2 HostingH, Apr 11, 2018
    Last edited by a moderator: Apr 11, 2018
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    The following document is a good place to start:

    How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

    As far as actual sending through PHP scripts, ensure the PHP "Mail" function is added to the disable_functions parameter in your PHP configuration. That, combined with the "SMTP Restrictions" feature referenced on the document above should prevent scripts from sending email through PHP.

    Thank you.
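
The stray kfrvrwco.php in the first post's listing sits among WordPress core files, which is what a comparison against a known-good manifest catches. The script below is an added example, not part of any post in this thread and not cPanel or ConfigServer code; the function names `audit_core` and `make_sample`, the manifest format and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Manifest format (assumption): `sha256sum` output produced
# inside a clean copy of the same release, "<hash>  <relative path>" per line.

# audit_core DIR MANIFEST: report PHP files the manifest does not list, and
# listed files that were changed or removed.
audit_core() {
    dir=$1 manifest=$2
    # 1. PHP files on disk with no manifest entry (e.g. kfrvrwco.php).
    ( cd "$dir" && find . -type f -name '*.php' | sed 's|^\./||' | sort ) |
        awk -v m="$manifest" '
            BEGIN { while ((getline l < m) > 0) {
                        sub(/^[0-9a-f]+ [ *]/, "", l); known[l] = 1 } }
            !($0 in known) { print "UNEXPECTED " $0 }'
    # 2. Listed files whose hash no longer matches, or that are gone.
    ( cd "$dir" && LC_ALL=C sha256sum -c - 2>/dev/null ) < "$manifest" |
        sed -n -e 's/^\(.*\): FAILED$/MODIFIED \1/p' \
               -e 's/^\(.*\): FAILED open or read$/MISSING \1/p'
}

# Constructed sample: a clean two-file tree and its manifest, then one
# dropped file and one edited file.
make_sample() {
    root=$(mktemp -d) || return 2
    d=$root/site/wp-includes/random_compat
    mkdir -p "$d"
    printf '<?php // clean\n' > "$d/random.php"
    printf '<?php // clean\n' > "$d/random_int.php"
    ( cd "$root/site" && find . -type f | sed 's|^\./||' | sort |
        xargs sha256sum ) > "$root/manifest"
    printf '<?php // dropped\n' > "$d/kfrvrwco.php"
    printf '<?php // edited\n' > "$d/random_int.php"
    echo "$root"
}

sample=$(make_sample)
audit_core "$sample/site" "$sample/manifest"
rm -rf "$sample"
```

Pass the manifest as an absolute path, and keep it outside the account's home directory so a compromised account cannot rewrite it.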
     