CAGEFS PROBLEM

gnubrasil

• February 12, 2022 13:26

hello I'm getting frequent attacks from ips that I can't identify that cause the files to be dropped and stolen on the sites the main site affected among these was

• 

  cPRex Jurassic Moderator

  • February 14, 2022 17:39

  Hey there! Do you have root access to the server, or just access to the single cPanel account? If the issue is just isolated to one cPanel account, and you don't have root access to the server, you'd want to speak with your hosting provider to see if they would be able to check this. It is likely they have configured the server to suspend the account due to disk usage or bandwidth usage.

  0
• 

  gnubrasil

  • February 14, 2022 18:36

  I contacted the host's service provider, however they are unable to identify this type of issue. The problem is generated when creating several files in the TMP folder in the Folder :CAGEFS, several files of 6 to 7 bytes are created containing numerical sequences and for some reason or breach on the server side or as I believe in the communication between CPANEL and CLOUDLINUX, EMAIL SERVERS AND ETC.... It's not a matter of bandwidth or anything else, MY ACCOUNTS AND SITES SUSPENDED with allegation of sending mass emails, but there was never even a list that was sent from the servers, let alone a single screen capture that proves the sending or receiving of these emails, The account in the PROVIDER remained active and operational, but in the CPANEL it was blocked and all the domains presented the following message of suspended accounts.

  0
• 

  gnubrasil

  • February 14, 2022 18:46

  In any case, I have already stopped using these services and am migrating to another one, however, note that this can cause serious damage if these files in the /.cagefs/tmp folder with more than 2GB contain sensitive data instead of simple numerical sequences, there is a flaw which must be fixed and quickly, all affected sites were operational until the PAPER LANTERN version on the same provider, today I no longer have a contact and still looking for a blunt solution so that this does not happen again. Thanks One solution found for this was to use the following CRONJOBS "find /path/to/folder -type f -mtime +30 -delete" Which, despite being pallative, prevents an attacker from finding a temporary folder full of data. Which (in my point of view is obsolete) because it counts accesses to the site etc... (which can be done by other means). Thanks

  0
• 

  cPRex Jurassic Moderator

  • February 14, 2022 18:58

  It sounds like there was more to the issue than a problem with CageFS. If you see this happen again and you can get root access to the system, please submit a ticket to our team so we can investigate this.

  0

Please sign in to leave a comment.