
Suspicious file uploading issue

Discussion in 'Security' started by awaraleo, Mar 2, 2019.

  1. awaraleo

    awaraleo Member

    Joined:
    Dec 5, 2014
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Pakistan
    cPanel Access Level:
    Root Administrator
    Hi,

    I am facing a nasty attack at the moment, and spam files are being uploaded through cPanel from every account. Here are the cPanel access logs:
    Code:
    # grep execute/Fileman/upload_files /usr/local/cpanel/logs/access_log | grep POST
    
    xx.xx.xx.xx - user1 [02/27/2019:17:24:34 -0000] "POST /cpsess8016726932/execute/Fileman/upload_files HTTP/1.1" 200 0 "https://sitename.com:2083/cpsess8016726932/frontend/paper_lantern/filemanager/upload-ajax.html?file=&fileop=&dir=%2Fhome%2Fuser1%2Fpublic_html%2Fpsu&dirop=&charset=&file_charset=&baseurl=&basedir=" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0" "s" "-" 2083
    xx.xx.xx.xx - user2 [02/27/2019:23:44:11 -0000] "POST /cpsess3122663041/execute/Fileman/upload_files HTTP/1.1" 200 0 "https://sitename2.net:2083/cpsess3122663041/frontend/paper_lantern/filemanager/upload-ajax.html?file=&fileop=&dir=%2Fhome%2Fuser2%2Fpublic_html%2FWorkspace+Webmail&dirop=&charset=&file_charset=&baseurl=&basedir=" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0" "s" "-" 2083
    xx.xx.xx.xx - proxy user3 [02/28/2019:08:30:08 -0000] "POST /cpsess7919138071/execute/Fileman/upload_files HTTP/1.1" 200 0 "https://sitename3.com:2083/cpsess7919138071/frontend/paper_lantern/filemanager/upload-ajax.html?file=&fileop=&dir=%2Fhome%2Fuser3%2Fpublic_html%2Fsystem&dirop=&charset=&file_charset=&baseurl=&basedir=" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" "s" "X-Forwarded-For: 94.207.216.127" 2083
    xx.xx.xx.xx - user4 [03/01/2019:00:37:27 -0000] "POST /cpsess2582146565/execute/Fileman/upload_files HTTP/1.1" 200 0 "https://sitename4.com:2083/cpsess2582146565/frontend/paper_lantern/filemanager/upload-ajax.html?file=&fileop=&dir=%2Fhome%2Fuser4%2Fpublic_html%2Fout&dirop=&charset=&file_charset=&baseurl=&basedir=" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" "s" "-" 2083
    
    I have tried everything: CSF, Maldet, RKHunter, LFD, hardened Apache and other security measures. But nothing suspicious is found in the OS apart from the file manager and the suspicious files, which I am deleting.

    I have also tried changing the passwords of all accounts, but file manager sessions are still getting through and uploads are still happening. Also, the account passwords get changed automatically as well.

    Please, someone give me an idea; I am depressed now. Being a server administrator myself, I have never faced such a condition.

    Thanks

    Any help please?
     
    #1 awaraleo, Mar 2, 2019
    Last edited by a moderator: Mar 4, 2019
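A defender's triage script for the kind of access_log lines quoted above, added here as an example (it is not from the post, nor cPanel's own tooling). It assumes the field layout visible in the quoted lines (client IP, optional "proxy" marker, cPanel user, timestamp, request, status, referer carrying the target `dir=`, user agent, then an X-Forwarded-For field) and groups successful File Manager upload POSTs by source so that one client touching several accounts, or uploads landing outside the account's own home, stand out. The sample lines are constructed with documentation IPs.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Regex written against the field layout of the quoted log lines (assumption, not a cPanel spec).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<proxy>proxy )?(?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "[^"]*" "(?P<xff>[^"]*)" (?P<port>\d+)$'
)

# Constructed sample: same layout as the post's lines, documentation IPs, shortened referers.
SAMPLE_LOG = """\
203.0.113.10 - user1 [02/27/2019:17:24:34 -0000] "POST /cpsess1111/execute/Fileman/upload_files HTTP/1.1" 200 0 "https://example.com:2083/cpsess1111/frontend/paper_lantern/filemanager/upload-ajax.html?file=&dir=%2Fhome%2Fuser1%2Fpublic_html%2Fpsu&dirop=" "Mozilla/5.0" "s" "-" 2083
203.0.113.10 - user2 [02/27/2019:23:44:11 -0000] "POST /cpsess2222/execute/Fileman/upload_files HTTP/1.1" 200 0 "https://example.net:2083/cpsess2222/frontend/paper_lantern/filemanager/upload-ajax.html?file=&dir=%2Fhome%2Fuser2%2Fpublic_html%2FWorkspace+Webmail&dirop=" "Mozilla/5.0" "s" "-" 2083
10.0.0.5 - proxy user3 [02/28/2019:08:30:08 -0000] "POST /cpsess3333/execute/Fileman/upload_files HTTP/1.1" 200 0 "https://example.org:2083/cpsess3333/frontend/paper_lantern/filemanager/upload-ajax.html?file=&dir=%2Fhome%2Fuser1%2Fpublic_html%2Fsystem&dirop=" "Mozilla/5.0" "s" "X-Forwarded-For: 203.0.113.77" 2083
203.0.113.20 - user4 [03/01/2019:00:37:27 -0000] "GET /cpsess4444/execute/Fileman/upload_files HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083
"""

def parse_upload_events(lines):
    """Return one record per successful File Manager upload POST (other requests are skipped)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if "/execute/Fileman/upload_files" not in m["path"]:
            continue
        # The upload target is only visible in the referer's ?dir= parameter (percent-encoded).
        target = parse_qs(urlparse(m["referer"]).query).get("dir", [""])[0]
        xff = m["xff"].split(":", 1)[1].strip() if m["xff"].startswith("X-Forwarded-For") else ""
        events.append({"user": m["user"], "ip": m["ip"], "xff": xff, "ts": m["ts"],
                       "dir": target, "via_proxy": bool(m["proxy"])})
    return events

def find_anomalies(events):
    """Flag one client source uploading into several accounts, and uploads outside the
    uploading account's own /home/<user>/ tree; both hint at something broader than one weak password."""
    by_source = defaultdict(set)
    outside_home = []
    for e in events:
        by_source[e["xff"] or e["ip"]].add(e["user"])   # prefer the forwarded client IP when present
        if not e["dir"].startswith(f"/home/{e['user']}/"):
            outside_home.append(e)
    shared = {src: sorted(users) for src, users in by_source.items() if len(users) > 1}
    return shared, outside_home
```

Feed it the output of the `grep` from the post (or the whole `/usr/local/cpanel/logs/access_log`) one line per call to `parse_upload_events`, then review the accounts listed under each shared source together.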
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,766
    Likes Received:
    439
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @awaraleo

    I'd also suggest changing FTP passwords. Unfortunately, while malware software can find common threats, none of them are 100% guaranteed. I'd strongly urge you to fully audit all the files within the affected account. If it's multiple accounts you may want to look at the possibility of a root level compromise, though it's unlikely. Most likely there is a compromised/vulnerable theme/plugin/component associated with a CMS that's installed on the server - this is why it's extremely important to keep these items up to date as well as remove any unused items.

    Thanks!
     
  3. awaraleo

    awaraleo Member

    Joined:
    Dec 5, 2014
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Pakistan
    cPanel Access Level:
    Root Administrator
    @cPanelLauren,

    Thanks for your reply, but as I mentioned, I have tried changing passwords, but the passwords change automatically. I have even disabled the FTP server completely now, but they still keep coming. I have even used the cPMalScan plugin specifically for malware, but nothing has changed even after removing all suspicious files and malware. I am in very deep trouble because I can't even migrate accounts to a new server, because all the malware can lead into the new server too. I've tried jailed/disabled shells, all shells, but the accounts still keep getting compromised again and again. Please help me out of this problem. Thanks
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,766
    Likes Received:
    439
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @awaraleo
    Unfortunately I don't really have a way to know *which* passwords you're changing specifically.
    I'm not familiar with this plugin but you did note earlier that you used maldet which is a very reputable scanner.


    At this point, my only suggestion to further investigate the issue would be to possibly check out what services like Sucuri can do for you, and if they're unable to provide assistance you may want to look at enlisting the services of a system administrator. You might find one here: System Administration Services | cPanel Forums


    If you believe your server is possibly root compromised you can open a ticket with us for confirmation and assistance migrating to a fresh server.


    Thanks!
     