Skip to main content

how to find out who is creating folders?



  • cPRex Jurassic Moderator
    Hey there! You mention that you are resetting the password for a user. Have you performed a virus scan on the user's machine(s) with access to that cPanel account? It's possible there could be keylogger software installed that is stealing the password and then using it to log in.
  • Rachel S
    You can take the following actions to deal with the situation: To determine who creates folders on the website, you can check the website's server logs. The server logs will contain information about when and where the folders were created. Once you have access to the logs, look for entries corresponding to when the folders were created. The logs will show the IP address and other identifying information of the user who created the folders. In cases where the server logs do not provide enough information, you may need to look for other clues to determine who is creating the folders. Some steps you can take include:
    • Look for accounts with administrative access or accounts that were created recently.
    • Review file permissions
    • Set up alerts or notifications for any changes to the website or files
    • Limit access to the website from specific IP addresses or regions.
    Implement various security measures to harden the website's security and prevent future attacks. Remove unnecessary files: Remove any files or folders that have no relation to WordPress or the website. These files may be leftover from a previous hack or an unrelated software installation. Harden security: Consider implementing additional security measures to prevent future attacks. This may include using a web application firewall (WAF), enabling two-factor authentication (2FA), or limiting access to the site from specific IP addresses. Monitor the site: Keep a close eye on the website to ensure it remains secure. Set up alerts for any unusual activity, such as failed login attempts or changes to files or content. I hope these help you to address the hacking issue and prevent it from happening in the future.
  • bellwood
    Bit of an old thread but having faced this myself I can recommend the following. We are running, amongst other things, CSF and maldet. With CSF we monitor troublesome sites with csf.dirwatch so that email alerts go out when directories change. With maldet, you can then xref inotify_log for the same time frame to see what other files are being created/modified and in what order. You can then xref these timestamps with Apache/FTP/cPanel access logs. Most of the time, we find password compromise is the culprit for these mystery infections as simple things like shells being POST'd to are easy to catch by simply grep'ing logs.
  • kssuhesh
    Hello, Yes, monitoring the folder will get details about the file/directory changes. Carefully analyze the logs and identify the exact way the files were created. Whether it is using ftp/login or using some scripts or not. - check all the existing plugins and remove unwanted plugins from Wordpress. - Go through the file manager for the file names, an experienced server administrator can easily detect the files, if they are using unusual file names, which may not be detected by normal users. - Find the recently modified files from plugins, themes folder, etc., and identify the modified files. - Use Wpcli tools to check the integrity of the Wordpress files. - Analyse the logs for POST requests and manually check those files were genuine or not. - Do a scan, but we cannot confirm that the scan will detect all the files.. Overall, multiple areas need to check and monitor the account for multiple days to identify the infection and clear it.
  • ffeingol
    A few other things.
    • Check for cron jobs. We have seen a number of compromises that install cPanel account cron jobs that download/reinfect the site
    • If you have root access, learn how to use built in auditing. Turning on auditing for the users public_html folder will help you determine how files/folders are getting created.

Please sign in to leave a comment.