Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Prevent PHP Scripts from being executed

Discussion in 'Security' started by Alain Bensimon, Mar 20, 2019.

  1. Alain Bensimon

    Alain Bensimon Member

    Joined:
    Apr 23, 2017
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    Everyday I get this type of alerts from my CSF/LFD.
    Code:
    -------------------------------------------------------------------
Time:         Wed Mar 20 09:08:27 2019 -0400
Account:      mvandammeadmin
Resource:    Virtual Memory Size
Exceeded:     480 > 400 (MB)
Executable:  /opt/cpanel/ea-php56/root/usr/bin/php-cgi
Command Line: /opt/cpanel/ea-php56/root/usr/bin/php-cgi
PID:          17598 (Parent PID:4946)
Killed:       No
-------------------------------------------------------------------
    It executes some PHP scripts even though some of these users don't even have a website so no PHP enabled.
    I suspect they use it to send spam from my server.
    I've been making some scans with maldet, and it always finds some threats like below.
    I've deleted the quarantine as well, but they always come back.
    How can I
    1. Get rid of them
    2. Prevent these users to execute PHP scripts
    Code:
    -------------------------------------------------------------------
PATH:       
TOTAL FILES:  624239
TOTAL HITS:    13
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}php.malware.magento.594 : /home/labellev/logs/example.net-Mar-2019.gz => /usr/local/maldetect/quarantine/example.net-Mar-2019.gz.1351819726
{HEX}php.malware.magento.594 : /home/gruadmin/logs/gruman.be-Mar-2019.gz => /usr/local/maldetect/quarantine/examplen.be-Mar-2019.gz.253081703
HEX}php.malware.magento.594 : /home/pitadmin/logs/example.org-Mar-2019.gz => /usr/local/maldetect/quarantine/example.org-Mar-2019.gz.2465528531
{CAV}Win.Malware.Tspy-6881358-0 : /home/noureddine/mail/new/1510582942.M291710P29496.host.example.com,S=723485,W=732951 => /usr/local/maldetect/quarantine/1510582942.M291710P29496.host.example.com,S=723485,W=732951.901425328
{HEX}php.malware.magento.594 : /home/bswiadmin/logs/bswi.org-Mar-2019.gz => /usr/local/maldetect/quarantine/example.org-Mar-2019.gz.614021638
{HEX}php.malware.magento.594 : /home/belilanadmin/logs/example.com-Mar-2019.gz => /usr/local/maldetect/quarantine/example.com-Mar-2019.gz.1486125888
{HEX}php.malware.magento.594 : /home/cofigestionadmin/logs/example.x-Mar-2019.gz => /usr/local/maldetect/quarantine/example.x-Mar-2019.gz.1505625503
{CAV}Win.Dropper.Noon-6859637-0 : /home/abscompadmin/mail/example.tld/bens7361/new/1550059523.M898897P13920.host.example.com,S=356673,W=362542 => /usr/local/maldetect/quarantine/1550059523.M898897P13920.host.example.com,S=356673,W=362542.124011249
{CAV}Doc.Dropper.Agent-6894268-0 : /home/tactical5/mail/new/1536953117.M439893P10375.host.example.com,S=54107,W=54843 => /usr/local/maldetect/quarantine/1536953117.M439893P10375.host.example.com,S=54107,W=54843.2397617671
{CAV}Rtf.Exploit.CVE_2018_0802-6825822-0 : /home/tactical5/mail/new/1526991608.M30806P16669.host.example.com,S=40566,W=41146 => /usr/local/maldetect/quarantine/1526991608.M30806P16669.host.example.com,S=40566,W=41146.25329486
{CAV}Rtf.Dropper.Agent-6857133-0 : /home/tactical5/mail/example.0/simon/new/1544467112.M472641P9416.host.example.com,S=69343,W=70316 => /usr/local/maldetect/quarantine/1544467112.M472641P9416.host.example.com,S=69343,W=70316.2357125895

{HEX}php.malware.magento.594 : /home/eukoshermen/logs/example.eu-Mar-2019.gz => /usr/local/maldetect/quarantine/example.eu-Mar-2019.gz.571425162

{HEX}php.malware.magento.594 : /home/kriwinadmin/logs/example.be-Mar-2019.gz => /usr/local/maldetect/quarantine/example.be-Mar-2019.gz.56134332
     
    #1 Alain Bensimon, Mar 20, 2019
    Last edited by a moderator: Mar 20, 2019
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,466
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello @Alain Bensimon

    Ultimately you'll need to audit the files within your users home directories. If they don't have sites it should make it easier. I'd suggest enlisting the assistance of a qualified system administrator. If you don't have one you might find one here: System Administration Services | cPanel Forums

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelLauren, Mar 22, 2019
(You must log in or sign up to post here.)
Loading...
Similar Threads - Prevent Scripts being
  1. toplisek

    A method of preventing spam

    toplisek, Jun 22, 2019, in forum: E-mail Discussion
    Replies:
    4
    Views:
    401
    nixuser
    Jun 27, 2019
  2. woostar

    Prevent .htaccess creation when changing PHP version?

    woostar, Jun 12, 2019, in forum: EasyApache
    Replies:
    1
    Views:
    203
    cPanelLauren
    Jun 12, 2019
  3. Gastón

    SOLVED [CPANEL-27859] TLS failure preventing access to /cpanel , /whm , and /webmail

    Gastón, Jun 10, 2019, in forum: Security
    Replies:
    18
    Views:
    989
    cPanelMichael
    Jul 12, 2019 at 1:30 PM
  4. oah

    Prevent email accounts from getting certain emails?

    oah, May 20, 2019, in forum: E-mail Discussion
    Replies:
    2
    Views:
    212
    oah
    May 20, 2019
  5. ssmrasu

    Prevent subdomain access to parent folder?

    ssmrasu, May 14, 2019, in forum: Security
    Replies:
    1
    Views:
    201
    cPanelLauren
    May 16, 2019

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice