PHP Script spamming using Cpanel User

Discussion in 'E-mail Discussions' started by mythosisnz, Oct 29, 2013.

  1. mythosisnz

    mythosisnz Registered

    Hi all,

    My company hosts 4 servers all running Apache cPanel/WHM. I have alerts set up to email us when a cPanel account is spamming. 3 days ago I got a notification that an account was spamming and I have been having trouble taming this beast ever since.

    I have suspended the account while I work. I have used ConfigServer to scan and remove the scripts but they keep coming back when I unsuspend. All directory permissions and file permissions are correct at 755 and 644 respectively. They are being placed in the /images/ folder of an old Joomla 1.7 CMS. As I couldn't manage to get the client to upgrade I am stuck trying to fix this issue. I can't stop the scripts from being uploaded so I have tried adding a .htaccess to this folder to stop PHP scripts from running from here and it didn't work. (long shot I know) :)

    I have tried adding hourly limits to the domain but this didn't work as I believe suPHP is sending the emails from the cpanel@serverhost user.

    I am running ConfigServer MailScanner FE which usually is pretty good at blocking these beasties but it seems these phishing emails are getting through.

    I have searched a number of forum posts here and I am quickly running out of ideas. Can anyone suggest how I should proceed?

    TL;DR:
    Old CMS is having scripts uploaded to the images folder which I can't stop (only remove manually) and the cpanel@hosting user is spamming from these scripts which I can't limit using WHM?

    Any solutions or suggestions would be gratefully received.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    He should be forced to update, or move.
     
  3. mythosisnz

    mythosisnz Registered

    I know, but actually he is a she and it's a kids' activity website with all kinds of components hanging off it; it would be too expensive for her to upgrade to Joomla 3.0+. I was hoping there would be something I hadn't thought of server side that would allow us to keep her site up and not spam.

    Can I limit/disable the cPanel email account? - This will stop all mail being sent from the site but it's better than our server being added to a spam list.

    Or anything else I hadn't thought of? I was really hoping my php_flag engine off in .htaccess would work.
     
  4. quietFinn

    quietFinn Well-Known Member

    This sounds like an old vulnerable JCE editor.
    Check whether in the file (JOOMLAROOT)/plugins/editors/jce/jce.xml
    you see something like:
    <version>1.5.x.y</version>
    when it should be like:
    <version>2.3.3.2</version>
     
  5. mythosisnz

    mythosisnz Registered

    Thanks for reminding me quietFinn! I will check it first thing tomorrow!
     
  6. mythosisnz

    mythosisnz Registered

    TY sir! Seems to have done the trick.

    Removed JCE and XMAPP so far so good.
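
Added example, not part of any post in this thread: a shell triage for one Joomla docroot that reads the JCE version from the jce.xml path quietFinn names and lists files under images/ that look like PHP. The function names are hypothetical, treating every 1.x version as the old line follows quietFinn's 1.5.x.y example, and the check for a PHP open tag inside non-.php files is an assumption added here.

```shell
#!/bin/sh
# Added example: triage one Joomla docroot for the two signs discussed above.

# Print the version recorded in (JOOMLAROOT)/plugins/editors/jce/jce.xml,
# or nothing when the JCE editor plugin is not installed.
jce_version() {
    f="$1/plugins/editors/jce/jce.xml"
    [ -f "$f" ] || return 0
    sed -n 's:.*<version>\([^<]*\)</version>.*:\1:p' "$f" | head -n 1
}

# Succeed when the recorded JCE version is on the old 1.x line (e.g. 1.5.x.y).
jce_is_old() {
    case "$(jce_version "$1")" in
        1.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# List files under images/ that look like PHP: by extension, or by containing
# a PHP open tag whatever the file is named (e.g. a script saved as .gif).
php_in_images() {
    d="$1/images"
    [ -d "$d" ] || return 0
    {
        find "$d" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \)
        find "$d" -type f -exec grep -l -a '<?php' {} +
    } | sort -u
}

# Human-readable report for one docroot.
triage() {
    root="$1"
    v="$(jce_version "$root")"
    if [ -z "$v" ]; then echo "JCE: not found"
    elif jce_is_old "$root"; then echo "JCE: $v (old 1.x line, update or remove)"
    else echo "JCE: $v"
    fi
    echo "PHP-looking files under images/:"
    php_in_images "$root" | sed 's/^/  /'
}

# Usage: sh triage.sh /home/USER/public_html   (placeholder path)
if [ -n "${1:-}" ]; then triage "$1"; fi
```

Run it against the suspended account's docroot before unsuspending, and again afterwards to see whether new files appear under images/.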