Potential malicious activity question

RPmentor · Aug 12, 2023

I joined this forum in June 2020 and now that I have an issue, I'm hoping its resolution will be of some help to others...

My hosting provider has alerted me to ' malicious activity detected on my account'... I do have access to the file manager and I have found a number of .htaccess file with recent creation dates... is it possible that these files have somehow been added by an automatic cPanel routine..??

I'm appending a screenprint of an .htaccess file which does not appear to be malicious and will be grateful for any suggestions about what may have transpired... thank you...

cPRex · Aug 14, 2023

Hey there! I have a couple thoughts on this.

The top section isn't something we would control, as that would be added by the site admin or software installed on the domain.

The bottom section, as mentioned in the comments, is controlled by cPanel, so it's normal for us to automatically update that file on the system from time to time.

Is your site using PHP 5.4? If so, if that server using alt-php through CloudLinux? PHP 5.4 has been End of Life since September 2015, so I wouldn't recommend using that on any production site, and having that old version could be the source of the compromise.

RPmentor · Aug 21, 2023

cPRex said:
Is your site using PHP 5.4?

All domains are using PHP 8.0 (ea-php80), except for the two main domains which are using PHP 7.4 (ea-php74)...

Some of the domains were using PHP 5.4 (ea-php54) before I was alerted to malicious activity and I have updated these to PHP 8.0 (ea-php80) since I received the 'malicious activity detected on my account' message... is this likely to have resolved my issue..??

quietFinn · Aug 21, 2023

RPmentor said:
Some of the domains were using PHP 5.4 (ea-php54) before I was alerted to malicious activity and I have updated these to PHP 8.0 (ea-php80) since I received the 'malicious activity detected on my account' message... is this likely to have resolved my issue..??

Most likely not, it might stop future hacks, but unless you find all the malicious code you are still in danger.

ResellerWiz · Aug 21, 2023

The htaccess file you showed does not appear to have anything "mailicious" in it.

I think your host needs to be more specific as to what malicious activity is occurring to give you a better idea of what you should be looking for.

RPmentor · Aug 21, 2023

ResellerWiz said:
I think your host needs to be more specific as to what malicious activity is occurring to give you a better idea of what you should be looking for.

I'll need to sign up for their security offering because I can see no other way that they'll remove the block on the website... as @quietFinn says (above), maybe there is some malicious code somewhere...!!!!!!!

ResellerWiz · Aug 21, 2023

RPmentor said:
I'll need to sign up for their security offering because I can see no other way that they'll remove the block on the website... as @quietFinn says (above), maybe there is some malicious code somewhere...!!!!!!!

You shouldn't have to pay extra for a "security offering".

Hosting providers that nickel and dime you for security/backups/SSL by referring to them as "addon services/products" should be avoided like the plague.

cPRex · Aug 21, 2023

They should at least be able to tell you how they found the issue and point you in the right direction, such as to a specific webpage or file.

RPmentor · Aug 22, 2023

cPRex said:
They should at least be able to tell you how they found the issue and point you in the right direction, such as to a specific webpage or file.

This is certainly what I had hoped for, however, the support people probably do not have enough specialist knowledge to do more than recommend their security add-on which is provided by Sucuri at £5.99 pcm...

RPmentor · Aug 22, 2023

ResellerWiz said:
I think your host needs to be more specific as to what malicious activity is occurring to give you a better idea of what you should be looking for.

What about the appended text file generated yesterday... is there anything suspicious in it, please...?

ResellerWiz · Aug 22, 2023

RPmentor said:
What about the appended text file generated yesterday... is there anything suspicious in it, please...?

That appears to be nothing more than a session token and not malicious.

ITHKBO · Aug 23, 2023

Have you tried running the domain through ImunifyAV or is that not a option in your cPanel account?
You can do a quickscan online at Sucuri from Sucuri Security These scans do not cost anything.

That should give a indication if there is a url hijack going on. It can't find more obscure stuff without access to the site itself but if there are malicious redirects going on that is the first spot we always check for our clients. Make sure to scan per page.

hgonzale3 · Sep 4, 2023

I am having the same issue, even in a Webpage that is only with HTML...... Many files created, emails created... How is this possible?

cPRex · Sep 5, 2023

@hgonzale3 - If you only have access to cPanel, you'll have to work with your host to determine why there is a security issue on the account.

Thread starter	Similar threads	Forum	Replies	Date
N	HELP: Potential reduced AutoSSL coverage	Security	3	Jul 12, 2021
	SOLVED Potential reduced AutoSSL coverage	Security	7	Nov 14, 2018
B	Potential reduced AutoSSL coverage for subdomain that doesn't exist?	Security	4	Sep 16, 2018
	Is there anything which would block potential web hacker	Security	11	Apr 23, 2015
G	Help with Finding Disk Exceeded Error and Potential Hacker	Security	6	Dec 14, 2014

Search

Search

Potential malicious activity question

RPmentor

Member

Attachments

cPRex

Jurassic Moderator

RPmentor

Member

quietFinn

Well-Known Member

ResellerWiz

Well-Known Member

RPmentor

Member

ResellerWiz

Well-Known Member

cPRex

Jurassic Moderator

RPmentor

Member

RPmentor

Member

Attachments

ResellerWiz

Well-Known Member

ITHKBO

Active Member

hgonzale3

Member

cPRex

Jurassic Moderator