Security issue? - testfile.txt inserted in all vsites/accounts

Discussion in 'Security' started by jols, Sep 18, 2004.

  1. jols

    Since we first started leasing cPanel servers, nearly every account is accessed as soon as we install it (or very nearly thereafter). Someone using IP 216.55.147.130 installs a file in the sub-web area named testfile.txt, then soon afterward deletes it. Sometimes not. All the files that we were able to find contain a single word, "cygnus".

    By the way, all testfile.txt files are owned by the user ID of that account (in which the file was inserted), and FTP access is made using the new account user's ID and password.


    My first guess is that this is part of the cPanel licensing system. My second guess is much worse. Just want to make sure.

    Can anyone please shed any light?

    Thanks.
    jols


    UPDATE: We're not sure, but we now believe that at least there is a possibility that this may relate to a Windows virus that many of our hosted members may have on their systems, of which our cPanel / Linux server would be immune - http://vil.nai.com/vil/content/v_98824.htm
     
    #1 jols, Sep 18, 2004
    Last edited: Sep 18, 2004
  2. damainman

    Keep us updated on this.
     
  3. jols

    Thanks, I will.

    We are getting closer to an explanation which is completely mundane, having to do with an external (Trellix-based) authoring system that many of our accounts are using. We are at least 80% sure at this point that this is what it is.

    --jols.
     