The Community Forums


public_html deleted

Discussion in 'General Discussion' started by aspen0, Jun 28, 2011.

  1. aspen0

    aspen0 Member

    This server has 5 sites on it. One site had public_html deleted, just up and deleted, a few days ago. Left were the www symlink (which was broken), the .mozilla folder, and the access-logs symlink (which worked). Everything else in the /home/username directory was gone.

    I recreated the public_html folder and uploaded the files (I didn't recreate all the other folders).

    Then, in the middle of the night last night, it happened again.

    I've checked the global server logs. No one logged into SSH to do this, no one logged into cPanel to do this, no one logged into FTP to do this. The only thing on this account is an up-to-date vBulletin install.

    So, does anyone have any idea how this could be happening, or why? Does anyone have any idea how to prevent it from happening? Does anyone know if cPanel has a feature allowing me to reinitialize an account (re-set it up with all appropriate folders) when it gets half deleted, in case it happens again?

    Thanks.

    Oh, also, the MySQL databases for the account weren't touched.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    What's the .mozilla folder?

    There is no way I know of to restore an account without a full backup of the account.

    Is the vBulletin up to date including any mods? (a file manager maybe?)
     
  3. aspen0

    aspen0 Member

    Yes, vB is up to date, only 1 mod installed, and it isn't a file manager (Glowhost Spam-o-matic anti-spam mod).

    I have no idea what the .mozilla folder is, but it exists in every site on this server.

    drwxr-xr-x 4 tff tff 4096 Jul 25 2009 .mozilla/

    root@book3 [/home/tff]# cd .mozilla
    root@book3 [/home/tff/.mozilla]# ls -al
    total 16
    drwxr-xr-x 4 tff tff 4096 Jul 25 2009 ./
    drwx--x--x 6 tff tff 4096 Jun 28 07:54 ../
    drwxr-xr-x 2 tff tff 4096 Jul 25 2009 extensions/
    drwxr-xr-x 2 tff tff 4096 Jul 25 2009 plugins/
    root@book3 [/home/tff/.mozilla]#


    root@book3 [/home/tff/.mozilla]# cd extensions
    root@book3 [/home/tff/.mozilla/extensions]# ls -al
    total 8
    drwxr-xr-x 2 tff tff 4096 Jul 25 2009 ./
    drwxr-xr-x 4 tff tff 4096 Jul 25 2009 ../
    root@book3 [/home/tff/.mozilla/extensions]# cd ..
    root@book3 [/home/tff/.mozilla]# cd plugins
    root@book3 [/home/tff/.mozilla/plugins]# ls -al
    total 8
    drwxr-xr-x 2 tff tff 4096 Jul 25 2009 ./
    drwxr-xr-x 4 tff tff 4096 Jul 25 2009 ../
    root@book3 [/home/tff/.mozilla/plugins]#
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    No clue what that .mozilla directory is. I see the items inside it have old dates; what's the actual date on the .mozilla directory itself? If it was just placed there it would have a recent date, of course.
     
  5. aspen0

    aspen0 Member

    Nah, same date, Jul 25 2009, which is the date the server was born.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    This is strange. If one user was using some sort of Firefox file manager plugin on his account, that might explain this. But on every account?

    What operating system is this server running?
     
  7. aspen0

    aspen0 Member

    Found the problem. It was vBulletin, but not really a vulnerability.

    They got into an admin account (weak password) and put a custom plugin in, which contained a PHP shell script. I removed the script, got their IPs from the admin log, and reported them to their ISP (Comcast - Comcast.net Security - Contact Comcast Security), which is really nice of them to have people you can contact to report such digital vandals. Banned their IPs at the firewall.
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Care to share the name of that custom plugin?
     
  9. aspen0

    aspen0 Member

    They called it "vbulletin" and other variants to make it blend in.

    What I did was search the control panel log for accesses to the script plugins.php. I looked for IP addresses that weren't mine (found them), and that told me which plugins they were editing, which I deleted.
     
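A scripted version of the log review described in the post above, added here as an example and not taken from the thread or from vBulletin: it parses access-log lines in Apache "combined" format (an assumed format; the log lines, the admin IP allowlist and the request paths are all constructed) and lists every request to the admin plugin editor that came from an address outside the allowlist.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (not from the thread).
# Two addresses outside the admin allowlist touch the plugin editor; one
# of them also submits a POST, i.e. an actual plugin edit, not just a view.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Jun/2011:02:13:04 -0400] "GET /forum/admincp/plugins.php?do=modify HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Jun/2011:02:13:41 -0400] "POST /forum/admincp/plugins.php?do=update HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.7 - - [27/Jun/2011:09:01:12 -0400] "GET /forum/admincp/index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Jun/2011:03:40:59 -0400] "POST /forum/admincp/plugins.php?do=update HTTP/1.1" 302 0 "-" "curl/7.21"
192.0.2.7 - - [28/Jun/2011:10:15:00 -0400] "GET /forum/admincp/plugins.php?do=modify HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_foreign_plugin_edits(log_text, admin_ips, script="plugins.php"):
    """Map each non-allowlisted IP to its (time, method, path) requests that hit
    the plugin-editor script. Everything from a known admin IP is ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0]   # drop the query string
        if not path_only.endswith("/" + script):
            continue
        if rec["ip"] in admin_ips:
            continue
        hits[rec["ip"]].append((rec["time"], rec["method"], rec["path"]))
    return dict(hits)


if __name__ == "__main__":
    # 192.0.2.7 stands in for the forum owner's own address (constructed).
    for ip, reqs in find_foreign_plugin_edits(SAMPLE_LOG, {"192.0.2.7"}).items():
        print(ip, len(reqs), "plugin-editor request(s)")
        for when, method, path in reqs:
            print("   ", when, method, path)
```

The POST entries are the ones that correspond to a saved plugin edit, so the plugins modified at those timestamps are the ones to inspect and remove.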