profilnet

Member
Apr 28, 2013
6
0
1
cPanel Access Level
Root Administrator
Hi everyone,

I have a rootserver, and I have installed ClamAV, CSF, LMD so as to prevent attacks and remove any malicious file. I have like 30 clients in my server and I have observed that there are some mosta.php which i remove them manually, but after a day they reappear.

Also, in public_html folders of my clients i have found bb2.html and pp.html files which actually mailbomb the web, and my server's IP is being blacklisted by spamhaus, lashback etc ..i clean these files everyday and the following day they appear again.

Any advice?
 
Last edited:

quietFinn

Well-Known Member
Feb 4, 2006
1,222
87
178
Finland
cPanel Access Level
Root Administrator
You must find out how those files are uploaded.

If FTP is used you see it in /var/log/messages

If some website vulnerability is used you should see signs of it in domain's access log:
/usr/local/apache/domlogs/CPANELUSERNAME/domain.tld

If cPanel file manager is used you must check:
/usr/local/cpanel/logs/access_log
 

quietFinn

Well-Known Member
Feb 4, 2006
1,222
87
178
Finland
cPanel Access Level
Root Administrator
If FTP or cPanel file manager was used and the IP is not your customer's IP then 1st you change the password and ask your customer to scan thoroughly their PC. Most likely there is virus/malware/spyware in their computer.

If it's a vulnerability in the website then you must find out what it is and how to fix it.