The Community Forums


mosta.php & mailbombing

Discussion in 'Security' started by profilnet, Apr 28, 2013.

  1. profilnet

    profilnet Member

    Hi everyone,

    I have a root server, and I have installed ClamAV, CSF and LMD so as to prevent attacks and remove any malicious files. I have about 30 clients on my server and I have observed that there are some mosta.php files, which I remove manually, but after a day they reappear.

    Also, in the public_html folders of my clients I have found bb2.html and pp.html files which actually mailbomb the web, and my server's IP is being blacklisted by Spamhaus, LashBack, etc. I clean these files every day and the following day they appear again.

    Any advice?
     
    #1 profilnet, Apr 28, 2013
    Last edited: Apr 28, 2013
  2. quietFinn

    quietFinn Well-Known Member

    You must find out how those files are uploaded.

    If FTP is used, you see it in /var/log/messages.

    If some website vulnerability is used, you should see signs of it in the domain's access log:
    /usr/local/apache/domlogs/CPANELUSERNAME/domain.tld

    If cPanel file manager is used you must check:
    /usr/local/cpanel/logs/access_log
     
  3. profilnet

    profilnet Member

    Thanks,

    Once I find it in the logs, what's the next step? What should I do?
     
  4. quietFinn

    quietFinn Well-Known Member

    If FTP or cPanel file manager was used and the IP is not your customer's IP, then first you change the password and ask your customer to thoroughly scan their PC. Most likely there is a virus/malware/spyware on their computer.

    If it's a vulnerability in the website then you must find out what it is and how to fix it.
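
Added example, not part of the thread or any poster's code: a Python script for the log check described in the replies above, matching a reappearing file against FTP uploads in /var/log/messages and against POST/PUT requests in the domain's access log around the time the file changed. It assumes Apache combined-format domlogs and pure-ftpd style syslog upload lines; all sample lines, IPs, account names and paths are constructed.

```python
import re
from datetime import datetime

# Apache combined log format, as assumed for the per-domain access logs.
DOMLOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Assumed pure-ftpd syslog upload line; adjust for the FTP daemon in use.
FTP_RE = re.compile(
    r'pure-ftpd: \((?P<user>[^@]+)@(?P<ip>[^)]+)\) \[NOTICE\] '
    r'(?P<file>\S+) uploaded')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def http_writes_near(domlog_lines, changed_at, window_s=120):
    """Return (ip, method, path, status) for POST/PUT requests logged within
    window_s seconds of changed_at (a timezone-aware datetime)."""
    hits = []
    for line in domlog_lines:
        m = DOMLOG_RE.match(line)
        if not m or m["method"] not in ("POST", "PUT"):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        if abs((changed_at - ts).total_seconds()) <= window_s:
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits

def ftp_uploads_of(syslog_lines, filename):
    """Return (user, ip, path) for FTP uploads whose path ends in filename."""
    hits = []
    for line in syslog_lines:
        m = FTP_RE.search(line)
        if m and m["file"].rsplit("/", 1)[-1] == filename:
            hits.append((m["user"], m["ip"], m["file"]))
    return hits

# Constructed sample data (documentation IPs, made-up account and paths).
SAMPLE_DOMLOG = [
    '203.0.113.7 - - [28/Apr/2013:03:12:01 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [28/Apr/2013:03:12:44 +0300] "POST /gallery/upload.php HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.7 - - [28/Apr/2013:09:40:10 +0300] "POST /contact.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]
SAMPLE_SYSLOG = [
    'Apr 28 03:20:02 host pure-ftpd: (client1@192.0.2.55) [NOTICE] '
    '/home/client1/public_html/bb2.html uploaded  (2048 bytes, 10.00KB/sec)',
]
# Change time of the reappeared file (constructed value).
CHANGED_AT = datetime.strptime("28/Apr/2013:03:12:45 +0300", TS_FMT)

if __name__ == "__main__":
    print(http_writes_near(SAMPLE_DOMLOG, CHANGED_AT))
    print(ftp_uploads_of(SAMPLE_SYSLOG, "bb2.html"))
```

On a live server, pass the file's change time (`st_ctime` from `os.stat`, converted to a timezone-aware datetime) as `changed_at` rather than its modification time, which whoever wrote the file can set to any value.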
     