The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Trojan or what ?

Discussion in 'General Discussion' started by 5416339, Feb 26, 2011.

  1. 5416339

    5416339 Member

    Joined:
    Jan 22, 2011
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    I'm a client

    In all my directories there is a folder "file:" And in one of these "file:" i found a c99 shell.

    I told my hoster many times but he's doing nothing.He's not even seeing why the "file:" in present in all my folders.Aslo when i tired to delete "file:" it comes back again with its original contents ?

    How do i stop this ?
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    Without knowing how your server and site are set up, it would be hard to answer your question. The first thing you should do is change your password to make sure that if these files are being uploaded via FTP, it stops. However, c99 shells allow a remote user to upload files to your website, so it's also possible that someone is using an existing c99 shell in your account to keep re-uploading the file. In this case, you may want to consider deleting everything and re-uploading your site from a clean copy on your computer.
     
  3. 5416339

    5416339 Member

    Joined:
    Jan 22, 2011
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Like i said its useless.I tried deleting still it comes back "immediately" after i delete it ..
     
  4. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    Again, there could be another hack script in your account somewhere that is allowing someone to re-upload the file. Instead of just deleting the file, you need to remove EVERYTHING and re-upload. If this doesn't work, perhaps you should ask your host to check your FTP and Apache logs to see if they are able to find anything.
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Are you certain that it is even deleting at all then? Maybe the file isn't owned by your user (owned by root), is set as immutable (chattr +i filename), or has too low of file permissions to remove. Have you asked your host to try to remove these files?

    I do agree with vanessa as well on the points about getting everything cleared off the account and checking logs for how this happened, but it is not likely that any script can easily detect a deletion and immediately re-upload on the deletion. Either some other script on the account is detecting a deletion and creating a new file to replace it, or the more likely case being that it really isn't even deleting at all. As such, if you cannot remove the files, then your host is going to have to help.
     

Share This Page