PHP Script spamming using Cpanel User

mythosisnz

Registered
Oct 29, 2013
4
0
1
cPanel Access Level
Reseller Owner
Hi all,

My company hosts 4 servers all running Apache cPanel/WHM. I have alerts set up to email us when a cPanel account is spamming. 3 days ago I got a notification that an account was spamming and I have been having trouble taming this beast ever since.

I have suspended the account while I work. I have used ConfigServer to scan and remove the scripts but they keep coming back when I unsuspend. All directory permissions and file permissions are correct at 755 and 644 respectively. They are being placed in the /images/ folder of an old Joomla 1.7 CMS. As I couldn't manage to get the client to upgrade I am stuck trying to fix this issue. I can't stop the scripts from being uploaded so I have tried adding a .htaccess to this folder to stop PHP scripts from running from here and it didn't work. (Long shot, I know) :)

I have tried adding hourly limits to the domain but this didn't work as I believe suPHP is sending the emails from the [email protected] user.

I am running ConfigServer MailScanner FE, which usually is pretty good at blocking these beasties, but it seems these phishing emails are getting through.

I have searched a number of forum posts here and I am quickly running out of ideas. Can anyone suggest how I should proceed?

tl;dr:
Old CMS is having scripts uploaded to the images folder, which I can't stop (only remove manually), and the [email protected] user is spamming from these scripts, which I can't limit using WHM.

Any solutions or suggestions would be gratefully received.
 

mythosisnz

I know, but actually he is a she and it's a kids' activity website with all kinds of components hanging off it; it would be too expensive for her to upgrade to Joomla 3.0+. I was hoping there would be something I hadn't thought of server side that would allow us to keep her site up and not spam.

Can I limit/disable the cPanel email account? This will stop all mail being sent from the site but it's better than our server being added to a spam list.

Or anything else I hadn't thought of? I was really hoping my php_flag engine off in .htaccess would work.
 

quietFinn

Well-Known Member
Feb 4, 2006
1,850
433
438
Finland
cPanel Access Level
Root Administrator
> They are being placed in the /images/ folder of an old Joomla 1.7 CMS.

This sounds like an old vulnerable JCE editor.
Check in the file (JOOMLAROOT)/plugins/editors/jce/jce.xml
whether you see something like:
<version>1.5.x.y</version>
when it should be like:
<version>2.3.3.2</version>
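
The check described in the reply above, scripted so it can be run over a whole Joomla root, together with a search for PHP files under images folders (the symptom in the first post). This is an added example, not part of the original thread; the function names, the output labels and the constructed sample tree (including its 1.5.7.4 version string) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a Joomla root for the two symptoms in this thread.
MIN_JCE="2.3.3.2"   # version the reply says jce.xml should show

jce_version() {     # print the first <version> value found in a jce.xml
  sed -n 's:.*<version>\([^<]*\)</version>.*:\1:p' "$1" | head -n 1
}

version_lt() {      # succeed if dotted version $1 is lower than $2
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

audit_joomla() {    # $1 = Joomla root; prints one finding per line
  find "$1" -type f -path '*/plugins/editors/jce/jce.xml' |
  while IFS= read -r f; do
    v=$(jce_version "$f")
    if [ -z "$v" ] || version_lt "$v" "$MIN_JCE"; then
      echo "OUTDATED_JCE ${v:-unknown} $f"
    else
      echo "OK_JCE $v $f"
    fi
  done
  # Image folders should hold no PHP; anything listed needs manual review.
  find "$1" -type f -path '*/images/*' \
    \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) |
    sed 's/^/PHP_IN_IMAGES /'
}

make_demo_tree() {  # constructed sample tree (version 1.5.7.4 is made up)
  d=$(mktemp -d)
  mkdir -p "$d/plugins/editors/jce" "$d/images/stories"
  printf '<install>\n<version>1.5.7.4</version>\n</install>\n' \
    > "$d/plugins/editors/jce/jce.xml"
  : > "$d/images/stories/logo.png"
  printf '<?php /* inert placeholder */\n' > "$d/images/stories/x.php"
  echo "$d"
}

# Usage: sh jce_audit.sh /home/USER/public_html
if [ $# -gt 0 ]; then audit_joomla "$1"; fi
```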
 

mythosisnz

> This sounds like an old vulnerable JCE editor.
> Check in the file (JOOMLAROOT)/plugins/editors/jce/jce.xml
> whether you see something like:
> <version>1.5.x.y</version>
> when it should be like:
> <version>2.3.3.2</version>

TY sir! Seems to have done the trick.

Removed JCE and XMAPP; so far so good.