Potential malicious activity question

Comments

13 comments

  • cPRex Jurassic Moderator
    Hey there! I have a couple thoughts on this. The top section isn't something we would control, as that would be added by the site admin or software installed on the domain. The bottom section, as mentioned in the comments, is controlled by cPanel, so it's normal for us to automatically update that file on the system from time to time. Is your site using PHP 5.4? If so, is that server using alt-php through CloudLinux? PHP 5.4 has been End of Life since September 2015, so I wouldn't recommend using that on any production site, and having that old version could be the source of the compromise.
    0
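    The split cPRex describes (site-admin lines on top, a cPanel-maintained handler block at the bottom) can be checked mechanically. The script below is an added example, not code from this thread or from cPanel: it separates the two sections of a .htaccess file, reads the ea-php handler version from the cPanel block, flags the end-of-life 5.4, and lists admin-section directives worth a manual look. The sample file, the EOL set and the suspicious-pattern list are constructed for the example; the BEGIN/END marker comments are assumed to match what cPanel writes.

```python
import re
# Constructed sample .htaccess: site-admin lines on top, then the handler block
# that cPanel rewrites itself (markers assumed to match what cPanel writes).
SAMPLE_HTACCESS = """\
RewriteEngine On
php_value auto_prepend_file /home/user/.cache/.x.php
RewriteRule ^(.*)$ http://redirect.example/$1 [R=302,L]
# php -- BEGIN cPanel-generated handler, do not edit
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php54 .php .php5 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
"""
BEGIN = "# php -- BEGIN cPanel-generated handler"
END = "# php -- END cPanel-generated handler"
# PHP 5.4 is the end-of-life version named in the thread (EOL September 2015);
# extend the set from php.net's supported-versions page for your own hosts.
EOL_PHP = {"54"}
# Directives a normal site-admin section rarely needs (file injected into every
# PHP request, site-wide external redirect); constructed list, extend as needed.
SUSPICIOUS = [
    (r"auto_(?:prepend|append)_file", "extra PHP file loaded into every request"),
    (r"RewriteRule\s+\S+\s+https?://", "rewrite redirects to an external URL"),
]

def split_htaccess(text):
    """Return (admin_section, cpanel_section); cpanel_section is '' if absent."""
    start = text.find(BEGIN)
    if start == -1:
        return text, ""
    # A missing END marker means the block runs to the end of the file.
    stop = text.find("\n", text.find(END, start))
    stop = len(text) if stop == -1 else stop + 1
    return text[:start] + text[stop:], text[start:stop]

def handler_version(cpanel_section):
    m = re.search(r"AddHandler\s+application/x-httpd-ea-php(\d+)", cpanel_section)
    return m.group(1) if m else None  # NN from application/x-httpd-ea-phpNN

def triage(text):
    """Return (handler_version, findings) for one .htaccess file's contents."""
    admin, cpanel = split_htaccess(text)
    ver = handler_version(cpanel)
    findings = [f"handler ea-php{ver} is end-of-life"] if ver in EOL_PHP else []
    for lineno, line in enumerate(admin.splitlines(), 1):
        for pattern, why in SUSPICIOUS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append(f"admin line {lineno}: {why}: {line.strip()}")
    return ver, findings
```

Run `triage(open(".htaccess").read())` against a real file; a hit in the admin section is a lead for manual review, not proof of compromise.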
  • RPmentor
    Is your site using PHP 5.4?

    All domains are using PHP 8.0 (ea-php80), except for the two main domains which are using PHP 7.4 (ea-php74)... Some of the domains were using PHP 5.4 (ea-php54) before I was alerted to malicious activity and I have updated these to PHP 8.0 (ea-php80) since I received the 'malicious activity detected on my account' message... is this likely to have resolved my issue..??
    0
  • quietFinn
    Some of the domains were using PHP 5.4 (ea-php54) before I was alerted to malicious activity and I have updated these to PHP 8.0 (ea-php80) since I received the 'malicious activity detected on my account' message... is this likely to have resolved my issue..??

    Most likely not, it might stop future hacks, but unless you find all the malicious code you are still in danger.
    0
  • SimpleSonic
    The htaccess file you showed does not appear to have anything "malicious" in it. I think your host needs to be more specific as to what malicious activity is occurring to give you a better idea of what you should be looking for.
    0
  • RPmentor
    I think your host needs to be more specific as to what malicious activity is occurring to give you a better idea of what you should be looking for.

    I'll need to sign up for their security offering because I can see no other way that they'll remove the block on the website... as @quietFinn says (above), maybe there is some malicious code somewhere...!!!!!!!
    0
  • SimpleSonic
    I'll need to sign up for their security offering because I can see no other way that they'll remove the block on the website... as @quietFinn says (above), maybe there is some malicious code somewhere...!!!!!!!

    You shouldn't have to pay extra for a "security offering". Hosting providers that nickel and dime you for security/backups/SSL by referring to them as "addon services/products" should be avoided like the plague.
    0
  • cPRex Jurassic Moderator
    They should at least be able to tell you how they found the issue and point you in the right direction, such as to a specific webpage or file.
    0
  • RPmentor
    They should at least be able to tell you how they found the issue and point you in the right direction, such as to a specific webpage or file.

    This is certainly what I had hoped for, however, the support people probably do not have enough specialist knowledge to do more than recommend their security add-on which is provided by Sucuri at 5.99 pcm...
    0
  • RPmentor
    I think your host needs to be more specific as to what malicious activity is occurring to give you a better idea of what you should be looking for.

    What about the appended text file generated yesterday... is there anything suspicious in it, please...?
    0
  • SimpleSonic
    What about the appended text file generated yesterday... is there anything suspicious in it, please...?

    That appears to be nothing more than a session token and not malicious.
    0
  • ITHKBO
    Have you tried running the domain through ImunifyAV, or is that not an option in your cPanel account? You can do a quick scan online at Sucuri (Sucuri Security). These scans do not cost anything. That should give an indication if there is a URL hijack going on. It can't find more obscure stuff without access to the site itself, but if there are malicious redirects going on that is the first spot we always check for our clients. Make sure to scan per page.
    0
  • hgonzale3
    I am having the same issue, even in a Webpage that is only with HTML...... Many files created, emails created... How is this possible?
    0
  • cPRex Jurassic Moderator
    @hgonzale3 - If you only have access to cPanel, you'll have to work with your host to determine why there is a security issue on the account.
    0