Some sort of virus or bug on server


Mar 20, 2017
cPanel Access Level
Reseller Owner
Hello, I have been trying to sort this out for a couple of weeks. I have a reseller account with only 6 accounts. (I only host for friends).
There is something that is creating files in directories both joomla and html sites. Most of the files are named like this "index68.php, file6.php, include89.php etc...

I have removed and reinstalled all non db sites and reinstalled all joomla sites reconnecting to the old db.

This is still recreating files. This is also messing with my seo as google has slapped me a couple of times. I also have something in my primary domain directory but I can not figure this out. The site in the primary directory is a joomla site but only has one single article, the front page.

Where can i look? Is there something that can be uploaded to cpanel and run as a scan to help me identify the problem?



Level 2 Technical Analyst
Staff member
Oct 21, 2014
cPanel Access Level
Root Administrator
Often the cause of this kind of thing is a vulnerability in software that is installed on the web site. One thing that can help you to find this kind of activity is to search through the logs for access to these files. The logs for a user's web access can be found in /usr/local/apache/domlogs/$user

There, you can search for the file that was uploaded, which will then provide you with the ip address accessing this file. From there, it is possible to establish what was access from that ip address, which may elucidate how the files were uploaded.

In general, it is recommended to keep any site software up to date.

It is also possible that the file was uploaded via ftp. This can be seen by searching for the file's name in /var/log/messages.