SOLVED possible malicious files?

Discussion in 'Security' started by jfall123, Dec 19, 2016.

  1. jfall123

    jfall123 Well-Known Member

    I've seen my fair share of hacks/insertions in the past, but I came across this on a dedicated client's server today; they brought it to my attention. Server runs latest CentOS + latest cPanel. Typical csf/modsec config etc.

    They have one cPanel user account with multiple addon domains, mostly WordPress installs. In almost every domain directory there are several randomly generated text files that look like this:

    -rw-r--r-- 1 53 Dec 18 00:17 028366AC0F38DD0FC723179739077490.txt
    -rw-r--r-- 1 53 Dec 14 00:16 34C7BBEF43BB878CB390CB09CD2A1F94.txt
    -rw-r--r-- 1 53 Dec 5 08:54 7FCA994C7A69B3F4E00533C9C1EBDFCB.txt
    -rw-r--r-- 1 53 Dec 13 00:17 9DA998A22F142A977FA11C5871E61674.txt
    -rw-r--r-- 1 53 Dec 8 00:17 A497C30A122C651D3E26F9C179F88B03.txt
    -rw-r--r-- 1 53 Dec 9 00:18 AC4AE8BF3E940C7D76EEA405A212595D.txt
    -rw-r--r-- 1 53 Dec 17 00:17 E6E364E137F4D4341D7777E62E404468.txt

    The text files contain one line of random data in them. For example the first file
    "028366AC0F38DD0FC723179739077490.txt" contains:

    "ac601d4f6a70a6e8281210b9e65852889519dfbc"

    So far I'm not seeing any hits to these files in Apache domlogs and I have not yet confirmed how they got there (I don't see anything in FTP logs yet or any other signs of unauthorized access).

    Has anyone come across odd files like this before, or can anyone think of what they may relate to? The client certainly does not know where they came from either.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. jfall123

    jfall123 Well-Known Member

    Duh, that's totally what it is; AutoSSL completely slipped my mind. I hadn't enabled it on their server but it must have gotten turned on by a recent update.
     
    Infopro likes this.
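
Added example, not part of the thread and not cPanel's own code: a Python triage pass that checks whether hex-named .txt files under a docroot match the shape shown in the first post (32-hex-character name, small size, first line a 40-character hex token) and flags any that do not. The size limit, the marker list and the sample files other than the one quoted in the post are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Profile taken from the listing in the first post; thresholds are assumptions.
NAME_RE = re.compile(r"^[0-9A-F]{32}\.txt$")   # file names as listed in the post
TOKEN_RE = re.compile(r"^[0-9a-f]{40}$")       # content as quoted in the post
MAX_SIZE = 64                                  # files in the post are 53 bytes
SCRIPT_MARKERS = (b"<?", b"<script", b"eval(", b"base64_decode")

def classify(path):
    """Return 'matches-profile' or a reason beginning with 'review:'."""
    size = os.path.getsize(path)
    if size > MAX_SIZE:
        return f"review: {size} bytes exceeds {MAX_SIZE}"
    with open(path, "rb") as fh:
        data = fh.read()
    for marker in SCRIPT_MARKERS:
        if marker in data.lower():
            return f"review: contains {marker.decode()!r}"
    lines = data.decode("ascii", errors="replace").splitlines()
    if not lines or not TOKEN_RE.match(lines[0].strip()):
        return "review: first line is not a 40-character hex token"
    return "matches-profile"

def scan(docroot):
    """Classify every hex-named .txt file found under docroot."""
    results = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if NAME_RE.match(name):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, docroot)] = classify(full)
    return results

def demo():
    """Scan a constructed docroot: one file as quoted in the post, two made up."""
    samples = {
        "028366AC0F38DD0FC723179739077490.txt": b"ac601d4f6a70a6e8281210b9e65852889519dfbc\n",
        "34C7BBEF43BB878CB390CB09CD2A1F94.txt": b"<?php /* constructed */ ?>\n",
        "7FCA994C7A69B3F4E00533C9C1EBDFCB.txt": b"x" * 500,  # constructed, oversized
        "readme.txt": b"name does not match, so it is skipped\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:16} {path}")
```

Pointing `scan()` at an account's document root lists only the hex-named files; anything reported as `review:` is the subset worth opening by hand.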