PHP Script spamming using Cpanel User
Hi all,
My company hosts 4 servers all running Apache cPanel/WHM. I have alerts set up to email us when a cPanel account is spamming. 3 days ago I got a notification that an account was spamming and I have been having trouble taming this beast ever since.
I have suspended the account while I work. I have used ConfigServer to scan and remove the scripts but they keep coming back when I unsuspend. All directory permissions and file permissions are correct at 755 and 644 respectively. They are being placed in the /images/ folder of an old Joomla 1.7 CMS. As I couldn't manage to get the client to upgrade I am stuck trying to fix this issue. I can't stop the scripts from being uploaded so I have tried adding a .htaccess to this folder to stop PHP scripts from running from here and it didn't work. (long shot I know) :)
I have tried adding hourly limits to the domain but this didn't work as I believe suPHP is sending the emails from the cpanel@serverhost user.
I am running ConfigServer MailScanner FE which usually is pretty good at blocking these beasties but it seems these phishing emails are getting through.
I have searched a number of forum posts here and I am quickly running out of ideas. Can anyone suggest how I should proceed?
tldr;
Old CMS is having scripts uploaded to the images folder which I can't stop (only remove manually) and the cpanel@hosting user is spamming from these scripts which I can't limit using WHM?
Any solutions or suggestions would be gratefully received.
[QUOTE]They are being placed in the /images/ folder of an old Joomla 1.7 CMS. As I couldn't manage to get the client to upgrade ...[/QUOTE]
He should be forced to update, or move.
I know, but actually he is a she and it's a kids' activity website with all kinds of components hanging off it; it would be too expensive for her to upgrade to Joomla 3.0+. I was hoping there would be something I hadn't thought of server side that would allow us to keep her site up and not spam. Can I limit/disable the cPanel email account? - This will stop all mail being sent from the site but it's better than our server being added to a spam list. Or anything else I hadn't thought of? I was really hoping my php_flag engine off in htaccess would work.
[quote="mythosisnz, post: 1492902"]They are being placed in the /images/ folder of an old Joomla 1.7 CMS.[/quote]
This sounds like an old vulnerable JCE editor. Check in the file (JOOMLAROOT)/plugins/editors/jce/jce.xml if you see something like: 1.5.x.y when it should be like: 2.3.3.2
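An added example, not part of any poster's reply: a Python sketch of the jce.xml version check described above, combined with a listing of script files under images/ where the original post reports them appearing. It assumes jce.xml is a standard Joomla manifest with a top-level `<version>` element and treats 2.3.3.2 as the minimum; the function names and extension list are illustrative.

```python
import os
import re
import sys
import xml.etree.ElementTree as ET

# Assumption: the "should be like" version from the thread is used as the floor.
MIN_JCE = (2, 3, 3, 2)
# Assumption: extensions the PHP handler may execute; match this to the server config.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".pht")


def parse_version(text):
    """Turn '1.5.7.14' into (1, 5, 7, 14); non-numeric parts are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text or ""))


def jce_version(joomla_root):
    """Read <version> from plugins/editors/jce/jce.xml, or None if JCE is absent."""
    manifest = os.path.join(joomla_root, "plugins", "editors", "jce", "jce.xml")
    if not os.path.isfile(manifest):
        return None
    try:
        node = ET.parse(manifest).getroot().find("version")
    except ET.ParseError:
        return ()  # unreadable manifest: compares as outdated so it gets reviewed
    return parse_version(node.text if node is not None else "")


def scripts_in_images(joomla_root):
    """List script files under images/, a folder that should hold only media."""
    hits = []
    for folder, _dirs, files in os.walk(os.path.join(joomla_root, "images")):
        hits += [os.path.join(folder, f) for f in files
                 if f.lower().endswith(SCRIPT_EXT)]
    return sorted(hits)


def audit(joomla_root):
    """Summarise both findings for one Joomla document root."""
    version = jce_version(joomla_root)
    return {"jce_version": version,
            "jce_outdated": version is not None and version < MIN_JCE,
            "scripts_in_images": scripts_in_images(joomla_root)}


if __name__ == "__main__":
    for root in sys.argv[1:]:  # pass one or more Joomla document roots
        print(root, audit(root))
```

Any path reported under `scripts_in_images` is worth reviewing before the account is unsuspended, since a legitimate Joomla images folder holds media only.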
Thanks for reminding me quietFinn! I will check it first thing tomorrow!
[quote="quietFinn, post: 1492931"]This sounds like an old vulnerable JCE editor. Check in file (JOOMLAROOT)/plugins/editors/jce/jce.xml you see like: 1.5.x.y when it should be like: 2.3.3.2[/quote]
TY sir! Seems to have done the trick. Removed JCE and XMAPP, so far so good.