Prevent PHP Scripts from being executed

Apr 23, 2017
Canada
cPanel Access Level
Root Administrator
Every day I get this type of alert from my CSF/LFD.
Code:
-------------------------------------------------------------------
Time:         Wed Mar 20 09:08:27 2019 -0400
Account:      mvandammeadmin
Resource:    Virtual Memory Size
Exceeded:     480 > 400 (MB)
Executable:  /opt/cpanel/ea-php56/root/usr/bin/php-cgi
Command Line: /opt/cpanel/ea-php56/root/usr/bin/php-cgi
PID:          17598 (Parent PID:4946)
Killed:       No
-------------------------------------------------------------------
It executes some PHP scripts even though some of these users don't even have a website, so no PHP is enabled.
I suspect they use it to send spam from my server.
I've been running some scans with maldet, and it always finds some threats like the ones below.
I've deleted the quarantine as well, but they always come back.
How can I
1. Get rid of them
2. Prevent these users from executing PHP scripts
Code:
-------------------------------------------------------------------
PATH:       
TOTAL FILES:  624239
TOTAL HITS:    13
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}php.malware.magento.594 : /home/labellev/logs/example.net-Mar-2019.gz => /usr/local/maldetect/quarantine/example.net-Mar-2019.gz.1351819726
{HEX}php.malware.magento.594 : /home/gruadmin/logs/gruman.be-Mar-2019.gz => /usr/local/maldetect/quarantine/examplen.be-Mar-2019.gz.253081703
{HEX}php.malware.magento.594 : /home/pitadmin/logs/example.org-Mar-2019.gz => /usr/local/maldetect/quarantine/example.org-Mar-2019.gz.2465528531
{CAV}Win.Malware.Tspy-6881358-0 : /home/noureddine/mail/new/1510582942.M291710P29496.host.example.com,S=723485,W=732951 => /usr/local/maldetect/quarantine/1510582942.M291710P29496.host.example.com,S=723485,W=732951.901425328
{HEX}php.malware.magento.594 : /home/bswiadmin/logs/bswi.org-Mar-2019.gz => /usr/local/maldetect/quarantine/example.org-Mar-2019.gz.614021638
{HEX}php.malware.magento.594 : /home/belilanadmin/logs/example.com-Mar-2019.gz => /usr/local/maldetect/quarantine/example.com-Mar-2019.gz.1486125888
{HEX}php.malware.magento.594 : /home/cofigestionadmin/logs/example.x-Mar-2019.gz => /usr/local/maldetect/quarantine/example.x-Mar-2019.gz.1505625503
{CAV}Win.Dropper.Noon-6859637-0 : /home/abscompadmin/mail/example.tld/bens7361/new/1550059523.M898897P13920.host.example.com,S=356673,W=362542 => /usr/local/maldetect/quarantine/1550059523.M898897P13920.host.example.com,S=356673,W=362542.124011249
{CAV}Doc.Dropper.Agent-6894268-0 : /home/tactical5/mail/new/1536953117.M439893P10375.host.example.com,S=54107,W=54843 => /usr/local/maldetect/quarantine/1536953117.M439893P10375.host.example.com,S=54107,W=54843.2397617671
{CAV}Rtf.Exploit.CVE_2018_0802-6825822-0 : /home/tactical5/mail/new/1526991608.M30806P16669.host.example.com,S=40566,W=41146 => /usr/local/maldetect/quarantine/1526991608.M30806P16669.host.example.com,S=40566,W=41146.25329486
{CAV}Rtf.Dropper.Agent-6857133-0 : /home/tactical5/mail/example.0/simon/new/1544467112.M472641P9416.host.example.com,S=69343,W=70316 => /usr/local/maldetect/quarantine/1544467112.M472641P9416.host.example.com,S=69343,W=70316.2357125895
{HEX}php.malware.magento.594 : /home/eukoshermen/logs/example.eu-Mar-2019.gz => /usr/local/maldetect/quarantine/example.eu-Mar-2019.gz.571425162
{HEX}php.malware.magento.594 : /home/kriwinadmin/logs/example.be-Mar-2019.gz => /usr/local/maldetect/quarantine/example.be-Mar-2019.gz.56134332

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
Hello @Alain Bensimon

Ultimately you'll need to audit the files within your users' home directories. If they don't have sites, it should make it easier. I'd suggest enlisting the assistance of a qualified system administrator. If you don't have one, you might find one here: System Administration Services | cPanel Forums

Thanks!
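As a starting point for the home-directory audit suggested above, here is an added example (not from the thread, cPanel, CSF or maldet) that parses LFD resource alerts in the format shown in the first post together with maldet's FILE HIT LIST lines, then ranks accounts so that those with both a php-cgi memory alert and a quarantined file are looked at first. The sample input is constructed to mirror the thread's output; the account names in it are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the LFD alert and maldet report in the thread.
LFD_ALERTS = """\
-------------------------------------------------------------------
Time:         Wed Mar 20 09:08:27 2019 -0400
Account:      mvandammeadmin
Resource:     Virtual Memory Size
Exceeded:     480 > 400 (MB)
Executable:   /opt/cpanel/ea-php56/root/usr/bin/php-cgi
Command Line: /opt/cpanel/ea-php56/root/usr/bin/php-cgi
PID:          17598 (Parent PID:4946)
Killed:       No
-------------------------------------------------------------------
"""
MALDET_HITS = """\
{HEX}php.malware.magento.594 : /home/mvandammeadmin/logs/example.net-Mar-2019.gz => /usr/local/maldetect/quarantine/example.net-Mar-2019.gz.1
{CAV}Win.Malware.Tspy-6881358-0 : /home/noureddine/mail/new/1510582942.M291710P29496.host.example.com,S=723485,W=732951 => /usr/local/maldetect/quarantine/1510582942.2
"""

FIELD = re.compile(r"^(\w[\w ]*?):\s+(.*)$", re.M)          # "Key:   value" lines of an alert
HIT = re.compile(r"^\{(\w+)\}(\S+) : (/home/([^/]+)/\S+) => (\S+)$")  # maldet hit line

def parse_lfd_alerts(text):
    """Split LFD alerts on the dashed separator; return one {field: value} dict per alert."""
    alerts = []
    for block in re.split(r"^-{10,}$", text, flags=re.M):
        fields = dict(FIELD.findall(block))
        if "Account" in fields:          # skip the empty fragments around separators
            alerts.append(fields)
    return alerts

def parse_maldet_hits(text):
    """Return engine, signature, path, owning account and quarantine path for each hit under /home."""
    hits = []
    for line in text.splitlines():
        m = HIT.match(line)
        if m:
            hits.append(dict(zip(("engine", "signature", "path", "account", "quarantine"), m.groups())))
    return hits

def accounts_to_audit(alerts, hits):
    """Rank accounts: both a php-cgi alert and a maldet hit first, then by alert and hit counts."""
    score = defaultdict(lambda: {"php_alerts": 0, "maldet_hits": 0})
    for a in alerts:
        if a.get("Executable", "").endswith("php-cgi"):
            score[a["Account"]]["php_alerts"] += 1
    for h in hits:
        score[h["account"]]["maldet_hits"] += 1
    both = lambda s: s["php_alerts"] > 0 and s["maldet_hits"] > 0
    return sorted(score.items(), key=lambda kv: (not both(kv[1]), -kv[1]["php_alerts"], -kv[1]["maldet_hits"], kv[0]))
```

Feed it the alert e-mails and the maldet report for the real server and the top of the list is where a manual review of the account's files (and the script php-cgi was running, if the process is still alive) pays off first.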