profilnet

Member
Apr 28, 2013
cPanel Access Level
Root Administrator
Hi everyone,

I have a root server, and I have installed ClamAV, CSF, LMD so as to prevent attacks and remove any malicious file. I have like 30 clients on my server and I have observed that there are some mosta.php files which I remove manually, but after a day they reappear.

Also, in the public_html folders of my clients I have found bb2.html and pp.html files which actually mailbomb the web, and my server's IP is being blacklisted by Spamhaus, Lashback, etc. I clean these files every day and the following day they appear again.

Any advice?
 

quietFinn

Well-Known Member
Feb 4, 2006
Finland
cPanel Access Level
Root Administrator
You must find out how those files are uploaded.

If FTP is used you see it in /var/log/messages

If some website vulnerability is used you should see signs of it in the domain's access log:
/usr/local/apache/domlogs/CPANELUSERNAME/domain.tld

If cPanel file manager is used you must check:
/usr/local/cpanel/logs/access_log
 

quietFinn

If FTP or cPanel file manager was used and the IP is not your customer's IP, then first you change the password and ask your customer to thoroughly scan their PC. Most likely there is a virus/malware/spyware on their computer.

If it's a vulnerability in the website then you must find out what it is and how to fix it.
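
One way to apply the log check described in the replies above, added here as an example and not code from any poster or from cPanel: it lists POST/PUT requests in a domain access log in the minutes before a dropped file appeared and marks whether each client IP is one the customer normally uses. The function name, the 10-minute window, the IP addresses and the log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format, as used by the per-domain access logs.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def suspects(log_lines, dropped_at, known_ips=(), window_min=10):
    """Return POST/PUT requests logged shortly before a file appeared.

    dropped_at: timezone-aware change time of the dropped file. On a live
    server read it from os.stat(path).st_ctime; mtime can be set by the writer.
    known_ips: addresses the customer normally connects from (assumption).
    """
    start = dropped_at - timedelta(minutes=window_min)
    hits = []
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed or truncated line
        when = datetime.strptime(m["ts"], TS_FORMAT)
        if not start <= when <= dropped_at:
            continue
        # Uploads normally arrive as POST or PUT; widen this if nothing turns up.
        if m["method"] not in ("POST", "PUT"):
            continue
        hits.append({"ip": m["ip"], "time": when, "path": m["path"],
                     "status": m["status"], "known": m["ip"] in known_ips})
    return hits

# Constructed sample data: documentation-range IPs and made-up request paths.
SAMPLE_LOG = [
    '203.0.113.45 - - [12/May/2014:02:50:00 +0300] "POST /contact/upload.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [12/May/2014:03:10:02 +0300] "GET /index.php HTTP/1.1" 200 4096 "-" "-"',
    '198.51.100.7 - - [12/May/2014:03:12:00 +0300] "POST /admin/login.php HTTP/1.1" 200 812 "-" "-"',
    '203.0.113.45 - - [12/May/2014:03:14:31 +0300] "POST /contact/upload.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.45 - - [12/May/2014:03:15:10 +0300] "GET /mosta.php HTTP/1.1" 200 77 "-" "-"',
    'truncated line without a request',
]
SAMPLE_DROP = datetime.strptime("12/May/2014:03:14:40 +0300", TS_FORMAT)

if __name__ == "__main__":
    for h in suspects(SAMPLE_LOG, SAMPLE_DROP, known_ips={"198.51.100.7"}):
        tag = "customer IP" if h["known"] else "UNKNOWN IP"
        print(h["time"].isoformat(), h["ip"], tag, h["path"], h["status"])
```

A request from an unknown IP just before the file's change time points to the script that needs fixing; if nothing matches in the domain log, the same time window can be checked in the FTP and cPanel logs named above.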