Prevent PHP Scripts from being executed

[Alain Bensimon]

Everyday I get this type of alerts from my CSF/LFD.

-------------------------------------------------------------------
Time:         Wed Mar 20 09:08:27 2019 -0400
Account:      mvandammeadmin
Resource:    Virtual Memory Size
Exceeded:     480 > 400 (MB)
Executable:  /opt/cpanel/ea-php56/root/usr/bin/php-cgi
Command Line: /opt/cpanel/ea-php56/root/usr/bin/php-cgi
PID:          17598 (Parent PID:4946)
Killed:       No
-------------------------------------------------------------------

It executes some PHP scripts even though some of these users don't even have a website so no PHP enabled.
I suspect they use it to send spam from my server.
I've been making some scans with maldet, and it always finds some threats like below.
I've deleted the quarantine as well, but they always come back.
How can I
1. Get rid of them
2. Prevent these users to execute PHP scripts

-------------------------------------------------------------------
PATH:       
TOTAL FILES:  624239
TOTAL HITS:    13
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}php.malware.magento.594 : /home/labellev/logs/example.net-Mar-2019.gz => /usr/local/maldetect/quarantine/example.net-Mar-2019.gz.1351819726
{HEX}php.malware.magento.594 : /home/gruadmin/logs/gruman.be-Mar-2019.gz => /usr/local/maldetect/quarantine/examplen.be-Mar-2019.gz.253081703
HEX}php.malware.magento.594 : /home/pitadmin/logs/example.org-Mar-2019.gz => /usr/local/maldetect/quarantine/example.org-Mar-2019.gz.2465528531
{CAV}Win.Malware.Tspy-6881358-0 : /home/noureddine/mail/new/1510582942.M291710P29496.host.example.com,S=723485,W=732951 => /usr/local/maldetect/quarantine/1510582942.M291710P29496.host.example.com,S=723485,W=732951.901425328
{HEX}php.malware.magento.594 : /home/bswiadmin/logs/bswi.org-Mar-2019.gz => /usr/local/maldetect/quarantine/example.org-Mar-2019.gz.614021638
{HEX}php.malware.magento.594 : /home/belilanadmin/logs/example.com-Mar-2019.gz => /usr/local/maldetect/quarantine/example.com-Mar-2019.gz.1486125888
{HEX}php.malware.magento.594 : /home/cofigestionadmin/logs/example.x-Mar-2019.gz => /usr/local/maldetect/quarantine/example.x-Mar-2019.gz.1505625503
{CAV}Win.Dropper.Noon-6859637-0 : /home/abscompadmin/mail/example.tld/bens7361/new/1550059523.M898897P13920.host.example.com,S=356673,W=362542 => /usr/local/maldetect/quarantine/1550059523.M898897P13920.host.example.com,S=356673,W=362542.124011249
{CAV}Doc.Dropper.Agent-6894268-0 : /home/tactical5/mail/new/1536953117.M439893P10375.host.example.com,S=54107,W=54843 => /usr/local/maldetect/quarantine/1536953117.M439893P10375.host.example.com,S=54107,W=54843.2397617671
{CAV}Rtf.Exploit.CVE_2018_0802-6825822-0 : /home/tactical5/mail/new/1526991608.M30806P16669.host.example.com,S=40566,W=41146 => /usr/local/maldetect/quarantine/1526991608.M30806P16669.host.example.com,S=40566,W=41146.25329486
{CAV}Rtf.Dropper.Agent-6857133-0 : /home/tactical5/mail/example.0/simon/new/1544467112.M472641P9416.host.example.com,S=69343,W=70316 => /usr/local/maldetect/quarantine/1544467112.M472641P9416.host.example.com,S=69343,W=70316.2357125895

{HEX}php.malware.magento.594 : /home/eukoshermen/logs/example.eu-Mar-2019.gz => /usr/local/maldetect/quarantine/example.eu-Mar-2019.gz.571425162

{HEX}php.malware.magento.594 : /home/kriwinadmin/logs/example.be-Mar-2019.gz => /usr/local/maldetect/quarantine/example.be-Mar-2019.gz.56134332

 

[cPanelLauren]

Hello @Alain Bensimon

Ultimately you'll need to audit the files within your users home directories. If they don't have sites it should make it easier. I'd suggest enlisting the assistance of a qualified system administrator. If you don't have one you might find one here: System Administration Services | cPanel Forums

Thanks!