The Community Forums

Some sort of virus or bug on server

Discussion in 'Security' started by ttnae, Mar 20, 2017.

  1. ttnae

    ttnae Registered

    Mar 20, 2017
    cPanel Access Level:
    Reseller Owner
    Hello, I have been trying to sort this out for a couple of weeks. I have a reseller account with only 6 accounts. (I only host for friends).
    There is something that is creating files in directories of both Joomla and HTML sites. Most of the files are named like this: "index68.php", "file6.php", "include89.php", etc.

    I have removed and reinstalled all non-DB sites and reinstalled all Joomla sites, reconnecting to the old DB.

    This is still recreating files. This is also messing with my SEO, as Google has slapped me a couple of times. I also have something in my primary domain directory, but I cannot figure this out. The site in the primary directory is a Joomla site but only has one single article, the front page.

    Where can I look? Is there something that can be uploaded to cPanel and run as a scan to help me identify the problem?

  2. cPanelJasonT

    cPanelJasonT Level 2 Technical Analyst Staff Member

    Oct 21, 2014
    cPanel Access Level:
    Root Administrator
    Often the cause of this kind of thing is a vulnerability in software that is installed on the web site. One thing that can help you to find this kind of activity is to search through the logs for access to these files. The logs for a user's web access can be found in /usr/local/apache/domlogs/$user

    There, you can search for the file that was uploaded, which will then provide you with the IP address accessing this file. From there, it is possible to establish what was accessed from that IP address, which may elucidate how the files were uploaded.

    In general, it is recommended to keep any site software up to date.

    It is also possible that the file was uploaded via FTP. This can be seen by searching for the file's name in /var/log/messages.
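
The log pivot described in the reply above, as an added example that is not part of the original thread and is not cPanel's own tooling: find which IP addresses requested a dropped file, then list everything else those addresses requested, flagging POSTs made before their first hit on the file as candidate upload points. It assumes the domlogs are in Apache "combined" format; the sample log lines, IP addresses and paths are constructed.

```python
import re
from datetime import datetime

# Apache "combined" format (assumed for the per-domain access logs).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def trace_dropped_file(lines, filename):
    """For each IP that requested `filename`, return its full request
    timeline and the POSTs it made before first touching the file."""
    records = sorted(parse(lines), key=lambda r: r["ts"])
    first_hit = {}
    for r in records:
        # Compare the basename only, ignoring any query string.
        if r["path"].split("?")[0].rsplit("/", 1)[-1] == filename:
            first_hit.setdefault(r["ip"], r["ts"])
    report = {}
    for ip, hit_ts in first_hit.items():
        timeline = [r for r in records if r["ip"] == ip]
        posts = [r for r in timeline if r["method"] == "POST" and r["ts"] < hit_ts]
        report[ip] = {"timeline": timeline, "posts_before": posts}
    return report

# Constructed sample: documentation IP ranges, made-up paths, one bad line.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2017:02:11:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Mar/2017:02:11:09 +0000] "POST /components/com_example/upload.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Mar/2017:02:12:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Mar/2017:02:11:15 +0000] "GET /images/index68.php?x=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
this line is not a log entry
""".splitlines()

if __name__ == "__main__":
    for ip, info in trace_dropped_file(SAMPLE_LOG, "index68.php").items():
        print(ip, "requests:", len(info["timeline"]))
        for r in info["posts_before"]:
            print("  earlier POST:", r["ts"].isoformat(), r["path"], r["status"])
```

To run it against a real log, pass the lines of a file under /usr/local/apache/domlogs/ instead of `SAMPLE_LOG`.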
