
soka.php installed through cPanel

Discussion in 'Security' started by dennismv, Sep 18, 2010.

  1. dennismv

    dennismv Member

    Sep 8, 2004
    I saw a file called soka.php in the root of my public_html directory. I did not put it there. By appearance, the file was used to send out mail.

    This has happened before, so I knew where to look again. Here are relevant parts of my /usr/local/cpanel/logs/access_log: access log

    From what I see, someone was able to log in as 'root' into my cPanel's WHM and from there pull up a file list of the webroot on my user accounts and put a file with user credentials called 'soka.php' in there. And there it was. Can you tell me what it was and how to stop this from happening again?
  2. maever

    maever Active Member

    Sep 26, 2005
    This seems like a serious issue, Dennismv.

    Do you have reason to believe they infiltrated the root user?
    If that is the case then it would be a challenge to recover your system.
    (As they usually install automated rootkits, you can check with rkhunter, The Rootkit Hunter project.)

    It's hard to tell how exactly your system's security got compromised.
    They could have used an old bugged service, used /tmp loggers to log incoming traffic, could have sniffed traffic, used the famous 64-bit kernel exploit, etc.
    In these cases prevention is really the best tactic.

    I would recommend a system reinstall and following this guide:

    Other tips:

    * Install CSF (ConfigServer Firewall, keeps out a lot of nasty stuff)
    * Follow the CSF server security guide to secure your server.
    * Make sure you allow only secure logins to cPanel/WHM (through HTTPS, can be set in tweak settings)
    * Do not hand out shell access! If you have to, then make sure you use jailshell (can be set in tweak settings).
    * Run a secure environment with SuPHP, Mod_security and Suhosin apache module.

    If you need professional help with restoring your server, the people of ConfigServer Services do a good job!
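
The access_log review described in the first post, as an added example that is not part of the original thread or cPanel's own code: it summarises requests authenticated as root from addresses outside a list of known admin IPs, separating denied attempts from accepted ones. The common-log-style line layout, the `trusted_ips` set and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout: ip - user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def root_activity(lines, trusted_ips, user="root"):
    """Summarise requests authenticated as `user` from IPs not in trusted_ips."""
    report = defaultdict(lambda: {"ok": 0, "denied": 0, "first": None,
                                  "last": None, "writes": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] != user or m["ip"] in trusted_ips:
            continue  # malformed line, another user, or a known admin address
        entry = report[m["ip"]]
        status = int(m["status"])
        if status in (401, 403):
            entry["denied"] += 1      # rejected: looks like credential guessing
        elif status < 400:
            entry["ok"] += 1          # accepted: the client holds a valid credential
            if m["method"] == "POST":
                entry["writes"].append(m["path"])  # state-changing requests
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(report)

# Constructed sample (documentation IP ranges, placeholder paths), not from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - root [09/18/2010:08:00:01 -0000] "GET /example/home HTTP/1.1" 200 0',
    '203.0.113.7 - root [09/18/2010:03:10:00 -0000] "GET /example/home HTTP/1.1" 401 0',
    '203.0.113.7 - root [09/18/2010:03:10:05 -0000] "GET /example/home HTTP/1.1" 401 0',
    '203.0.113.7 - root [09/18/2010:03:11:40 -0000] "GET /example/filemanager HTTP/1.1" 200 0',
    '203.0.113.7 - root [09/18/2010:03:12:30 -0000] "POST /example/filemanager/upload HTTP/1.1" 200 0',
    '198.51.100.4 - - [09/18/2010:04:00:00 -0000] "GET /example/login HTTP/1.1" 200 0',
    'truncated or corrupt line',
]

if __name__ == "__main__":
    for ip, info in root_activity(SAMPLE_LOG, {"192.0.2.10"}).items():
        print(ip, info)
```

An accepted root request from an address nobody recognises means the password or access hash should be treated as known to a third party, whatever the denied count shows.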
