Some sort of virus or bug on server

Discussion in 'Security' started by ttnae, Mar 20, 2017.

  1. ttnae

    ttnae Registered

    cPanel Access Level:
    Reseller Owner
    Hello, I have been trying to sort this out for a couple of weeks. I have a reseller account with only 6 accounts. (I only host for friends).
    There is something that is creating files in directories of both Joomla and HTML sites. Most of the files are named like this: "index68.php", "file6.php", "include89.php", etc.

    I have removed and reinstalled all non-db sites and reinstalled all Joomla sites, reconnecting to the old db.

    This is still recreating files. This is also messing with my SEO, as Google has slapped me a couple of times. I also have something in my primary domain directory, but I cannot figure this out. The site in the primary directory is a Joomla site but only has one single article, the front page.

    Where can I look? Is there something that can be uploaded to cPanel and run as a scan to help me identify the problem?
     


  2. cPanelJasonT

    cPanelJasonT Level 2 Technical Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,
    Often the cause of this kind of thing is a vulnerability in software that is installed on the web site. One thing that can help you to find this kind of activity is to search through the logs for access to these files. The logs for a user's web access can be found in /usr/local/apache/domlogs/$user

    There, you can search for the file that was uploaded, which will then provide you with the IP address accessing this file. From there, it is possible to establish what was accessed from that IP address, which may elucidate how the files were uploaded.

    In general, it is recommended to keep any site software up to date.

    It is also possible that the file was uploaded via FTP. This can be seen by searching for the file's name in /var/log/messages.
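
The log search described in the reply above, as an added example that is not part of the original thread and is not cPanel code: it finds every IP that requested one of the dropped files, lists everything else those IPs requested, and flags POSTs sent before the first hit on a dropped file. It assumes the domlog uses the Apache combined format; the sample log, its paths and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log line: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample log (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = '''\
203.0.113.9 - - [18/Mar/2017:02:14:02 -0400] "POST /components/com_example/upload.php HTTP/1.1" 200 312 "-" "-"
203.0.113.9 - - [18/Mar/2017:02:14:05 -0400] "GET /images/index68.php?x=1 HTTP/1.1" 200 48 "-" "-"
198.51.100.7 - - [18/Mar/2017:02:15:00 -0400] "POST /index.php/contact HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Mar/2017:02:16:30 -0400] "POST /images/index68.php HTTP/1.1" 200 48 "-" "-"
'''

def _name(path):  # file name part of a request path, without the query string
    return path.split("?", 1)[0].rsplit("/", 1)[-1]

def parse(log_text):
    """Return a list of dicts, one per line that matches the combined format."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def trace(log_text, dropped_files):
    """Map each IP that requested a dropped file to all of its requests, in log order."""
    entries, names = parse(log_text), set(dropped_files)
    ips = {e["ip"] for e in entries if _name(e["path"]) in names}
    history = defaultdict(list)
    for e in entries:
        if e["ip"] in ips:
            history[e["ip"]].append(e)
    return dict(history)

def posts_before_first_hit(history, dropped_files):
    """POSTs each IP sent before it first requested a dropped file: upload candidates."""
    names, found = set(dropped_files), []
    for ip, requests in history.items():
        for e in requests:
            if _name(e["path"]) in names:
                break
            if e["method"] == "POST":
                found.append((ip, e["time"], e["path"]))
    return found

if __name__ == "__main__":
    dropped = ["index68.php", "file6.php", "include89.php"]
    history = trace(SAMPLE_LOG, dropped)
    print(posts_before_first_hit(history, dropped))
```

To run it against a real log, pass the contents of the domain's file under /usr/local/apache/domlogs/$user instead of SAMPLE_LOG.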
     