Nonexistent domains on server?
Because in "MyHostName.domain.com" I have ONLY ONE DOMAIN,
I put this PHP code (from a PHP file) in /home :
[PHP] $dir = preg_replace('/www\.|www/i', '', $_SERVER['SERVER_NAME']);[/PHP]
then I save INTO $dir some info such as REFERER, IP, memory_get_usage(1), etc...
Sorry, allow me to repeat: I have ONLY ONE DOMAIN on this server.
My surprise is FOREVER: after 2 or 3 days /home looks like this:
Logically that is hacker activity, but how is it possible that the var [PHP]$_SERVER['SERVER_NAME'][/PHP] returns domains that do not exist on the server?
or...
Do I have a trojan on my server?
Thanks for your help
-
Yes, I would say the odds are that you were hacked. I would back up your site, since it's only one, and wipe the server and restore the backup. Then check your site for vulnerabilities.
0 -
Thanks, for months I have been doing this on other servers. I have this in "TEST" mode, so my "web site" is only 3 files, no database, etc... However, foreign domains always appear after 2 or 3 days... but how is it possible that the var {$_SERVER['SERVER_NAME']} returns domains that do not exist on the server?...
0 -
so we can take a closer look at your system
Thanks very much. ticketid=12353753 is the URL to the ticket. Regards
0 -
Can you open a
HTTP_HOST and SERVER_NAME Security Issues | Blog
Thanks to all the cPanel team for your time. Regards
0 -
Hello again. Because this is very strange for me, I added this line to my code (pseudocode):
[PHP]if( is NEW DIR - new DOMAIN.TLD) { mail()... ... ... } [/PHP]
and just today I got this email:
[PHP]
---------------------------------------------------------------------------------------------------
_SERVER: Array
(
    [SERVER_SOFTWARE] => Apache
    [REQUEST_URI] => /
    [CONTEXT_DOCUMENT_ROOT] => /home/FOLDER_USER/public_html
    [CONTEXT_PREFIX] =>
    [DOCUMENT_ROOT] => /home/FOLDER_USER/public_html
    [GATEWAY_INTERFACE] => CGI/1.1
    [HTTP_ACCEPT_ENCODING] => gzip
    [HTTP_CONNECTION] => close
    [HTTP_HOST] => jg4rli4xoagvvmw47gxvbt3bhyd.onion
    [HTTP_USER_AGENT] => Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
    [PATH] => /bin:/usr/bin
    [PHP_INI_SCAN_DIR] => /opt/cpanel/ea-php56/root/etc:/opt/cpanel/ea-php56/root/etc/php.d:.
    [QUERY_STRING] =>
    [REDIRECT_STATUS] => 200
    [REMOTE_ADDR] => 5.8.10.202
    [REMOTE_PORT] => 18840
    [REQUEST_METHOD] => GET
    [REQUEST_SCHEME] => http
    [SCRIPT_FILENAME] => /home/FOLDER_USER/public_html/index.php
    [SCRIPT_NAME] => /index.php
    [SCRIPT_URI] => http://jg4rli4xoagvvmw47gxvbt3bhyd.onion/
    [SCRIPT_URL] => /
    [SERVER_ADDR] => SERVER_IP
    [SERVER_ADMIN] => webmaster@TLD_USER.com
    [SERVER_NAME] => jg4rli4xoagvvmw47gxvbt3bhyd.onion
    [SERVER_PORT] => 80
    [SERVER_PROTOCOL] => HTTP/1.1
    [SERVER_SIGNATURE] =>
    [TZ] => Continent/City
    [UNIQUE_ID] => XOZmmLevTCUZEI0hNjM62gAAAJE
    [PHP_SELF] => /index.php
    [REQUEST_TIME_FLOAT] => 1558603417.05
    [REQUEST_TIME] => 1558603417
    [argv] => Array ( )
    [argc] => 0
    [HTTP_REFERER] =>
    [REDIRECT_QUERY_STRING] =>
    [REDIRECT_URL] =>
)
---------------------------------------------------------------------------------------------------
[/PHP]
I searched the NET and I got:
then please help me with some questions:
1// is it possible for us to do something about this hacker?
2// how do we protect against this and other attacks?
3// what can the hackers do with this attack, malicious code?
4// and finally, then ... is it a bad idea to create/config URLs in a web portal with .'">LINK...
then what is the solution? What is the correct/professional method to create/config web design?
Thanks for all your help
0 -
Hello,
To update, here's a response from one of the Technical Analysts on the ticket:
[QUOTE]
In reading the Apache documentation:
core - Apache HTTP Server Version 2.4
The setting is Off by default because Apache can be (and usually is) used with many VirtualHosts. You can set it to On, if and only if you have a single domain. But cPanel servers by default are used for multiple VirtualHosts so the default of "Off" is recommended.
UseCanonicalName must be off for VirtualHosts, otherwise, it won't work properly, and will break many PHP sites. It has to do with the trailing "/" on the URL.
With this value set to On, any URL which is generated automatically by Apache will use the fully-qualified hostname from the ServerName directive. If Off (default), Apache will generate the URL with the Host: header that the client passed to it. If you use name-based virtual hosts (which cPanel does), you want this off.
[/QUOTE]
Further advice about the security of the PHP script itself should be sought from a qualified system administrator or PHP security expert. We provide a list of companies offering system administration services on the link below:
System Administration Services | cPanel Forums
Thank you.
0
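Added example, not code from this thread or from cPanel: because the Host: header (and, with UseCanonicalName Off, SERVER_NAME) is chosen by the client, one way to stop foreign names from becoming directories is to check the value against an allowlist before it touches the filesystem. The host list and the `hostlogs` base directory are assumed placeholders, and the function names are hypothetical.

```php
<?php
// Hostnames this site really serves (assumed values; replace with your own).
const ALLOWED_HOSTS = ['domain.com', 'www.domain.com'];

/**
 * Map a client-supplied Host value to an allowlisted hostname.
 * Returns null when the value is malformed or not one of ours.
 */
function canonical_host($raw, array $allowed = ALLOWED_HOSTS)
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 255) {
        return null;
    }
    $host = strtolower(trim($raw));
    $host = preg_replace('/:\d{1,5}$/D', '', $host); // drop ":port"
    $host = rtrim($host, '.');                       // drop trailing root dot
    // DNS label characters only, so "/", "..", NUL and spaces cannot pass.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^(?:' . $label . '\.)+[a-z]{2,63}$/D', $host)) {
        return null;
    }
    return in_array($host, $allowed, true) ? $host : null;
}

/**
 * Directory for per-host data, or null for a foreign host.
 * $base is a hypothetical path outside the web root.
 */
function log_dir_for($raw, $base = '/home/FOLDER_USER/hostlogs')
{
    $host = canonical_host($raw);
    if ($host === null) {
        return null; // caller should send 400 and create nothing
    }
    // Same "strip www" idea as the thread's snippet, anchored to the start.
    return $base . '/' . preg_replace('/^www\./', '', $host);
}

// Constructed inputs; the .onion name is the one in the emailed dump above.
// In a real request, pass $_SERVER['HTTP_HOST'] instead.
$samples = ['www.domain.com', 'DOMAIN.com:80',
            'jg4rli4xoagvvmw47gxvbt3bhyd.onion', '../../etc', null];
foreach ($samples as $s) {
    printf("%-38s => %s\n", var_export($s, true), var_export(log_dir_for($s), true));
}
```

The same allowlisted value, rather than the raw header, is what should be used when building links in generated pages.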