Suspicious file uploading issue

awaraleo

Member
Dec 5, 2014
7
0
1
Pakistan
cPanel Access Level
Root Administrator
Hi,

I am facing a nasty attack at the moment and spam files being uploaded through cPanel from every account. Here's cpanel access logs
Code:
# grep execute/Fileman/upload_files /usr/local/cpanel/logs/access_log | grep POST

xx.xx.xx.xx - user1 [02/27/2019:17:24:34 -0000] "POST /cpsess8016726932/execute/Fileman/upload_files HTTP/1.1" 200 0 "https://sitename.com:2083/cpsess8016726932/frontend/paper_lantern/filemanager/upload-ajax.html?file=&fileop=&dir=%2Fhome%2Fuser1%2Fpublic_html%2Fpsu&dirop=&charset=&file_charset=&baseurl=&basedir=" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0" "s" "-" 2083
xx.xx.xx.xx - user2 [02/27/2019:23:44:11 -0000] "POST /cpsess3122663041/execute/Fileman/upload_files HTTP/1.1" 200 0 "https://sitename2.net:2083/cpsess3122663041/frontend/paper_lantern/filemanager/upload-ajax.html?file=&fileop=&dir=%2Fhome%2Fuser2%2Fpublic_html%2FWorkspace+Webmail&dirop=&charset=&file_charset=&baseurl=&basedir=" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0" "s" "-" 2083
xx.xx.xx.xx - proxy user3 [02/28/2019:08:30:08 -0000] "POST /cpsess7919138071/execute/Fileman/upload_files HTTP/1.1" 200 0 "https://sitename3.com:2083/cpsess7919138071/frontend/paper_lantern/filemanager/upload-ajax.html?file=&fileop=&dir=%2Fhome%2Fuser3%2Fpublic_html%2Fsystem&dirop=&charset=&file_charset=&baseurl=&basedir=" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" "s" "X-Forwarded-For: 94.207.216.127" 2083
xx.xx.xx.xx - user4 [03/01/2019:00:37:27 -0000] "POST /cpsess2582146565/execute/Fileman/upload_files HTTP/1.1" 200 0 "https://sitename4.com:2083/cpsess2582146565/frontend/paper_lantern/filemanager/upload-ajax.html?file=&fileop=&dir=%2Fhome%2Fuser4%2Fpublic_html%2Fout&dirop=&charset=&file_charset=&baseurl=&basedir=" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" "s" "-" 2083
I have tried everything, CSF, Maldet, RK Hunter, LFD, Hardened apache and other security. But nothing suspecious in OS is found apart from the filemanager and suspecious files which I am deleting.

I have also tried changing passwords of all accounts, but still filemanager sessions are getting through and uploads are happening. Also, passwords of accounts do automatically change as well.

Please some one give me idea, I am depressed now. Being a server administrator my self, I have never faced such condition.

Thanks

Any help please?
 
Last edited by a moderator:

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,967
758
263
Houston
cPanel Access Level
DataCenter Provider
Hi @awaraleo

I'd also suggest changing FTP passwords, unfortunately, while malware software can find common threats none of them are 100% guaranteed. I'd strongly urge you to fully audit all the files within the affected account. If it's multiple accounts you may want to look at the possibility of a root level compromise though it's unlikely. Most likely is that there is a compromised/vulnerable theme/plugin/component associated with a CMS that's installed on the server - this is why it's extremely important to keep these items up to do as well as remove any unused items.

Thanks!
 
  • Like
Reactions: awaraleo

awaraleo

Member
Dec 5, 2014
7
0
1
Pakistan
cPanel Access Level
Root Administrator
@cPanelLauren,

Thanks for your reply but as I mentioned I have tried changing passwords but passwords do change automatically. I even have disabled FTP server completely now but still they are keep coming. I have even used cPMalScan plugin specially for malwares but nothing has changed even after removing all suspicious files and malwares. I am in very deep trouble because I even can't migrate accounts to a new server because all the malwares can lead into new server too. I've tried Jail/Disabled, all shells but still accounts keep compromising again and again. Please help me out from this problem. Thanks
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,967
758
263
Houston
cPanel Access Level
DataCenter Provider
Hi @awaraleo
Thanks for your reply but as I mentioned I have tried changing passwords but passwords do change automatically.
Unfortunately I don't really have a way to know *which* passwords you're changing specifically.
I have even used cPMalScan plugin specially for malwares but nothing has changed even after removing all suspicious files and malware.
I'm not familiar with this plugin but you did note earlier that you used maldet which is a very reputable scanner.


At this point, my only suggestion to further investigate the issue would be to possibly check out what services like sucuri can do for you and if they're unable to provide assistance you may want to look at enlisting the services of a system administrator. You might find one here: System Administration Services | cPanel Forums


If you believe your server is possibly root compromised you can open a ticket with us for confirmation and assistance migrating to a fresh server.


Thanks!