Account Compromised via FTP Access
I'm hoping somebody can advise me on this situation. I have recently given somebody FTP access to an account on my VPS, who seems to have uploaded some malicious code to the server. I have deleted most of it and performed numerous system scans using Maldetect through SSH; however, I am left with a folder in this directory which seems to be a shortcut into the main cPanel directory, as I can see files such as 'abrt, adm, bin, clamav, cpanel' etc. and folders containing other account information mapped to other domain names. I was going to delete the whole directory, but I noticed that the permissions of these files are set to read, write and execute by EVERYBODY, including world.
Can anybody advise me on how to check if the main cpanel files are configured correctly with the right permissions?
Hello :) Could you provide an example of a file with permission/ownership values you think are invalid? Note that you should likely terminate the account if you determine it was used for malicious purposes. Thank you.
Hello! Thanks for your reply. Inside the folder in question (which is a folder that has been created in the public_html directory for a website in a specific account) there are these files, which are text/x-generic, although when I click edit there is nothing there: cpanel, cpaneleximfilter, cpaneleximscanner, cpanelhorde, cpanellogaholic, cpanellogin, cpanelphpmyadmin... daemon, dovecot... nobody, ntp, operator, postfix, root, saslauth, shutdown, sshd, sync, tcpdump, uucp, vcsa... the list goes on. The other folders in here are also accounts that have been created for other domain names and are httpd/unix-directory; again, when I click on these there is nothing inside, even though the actual accounts do have contents, e.g. full websites. These are the files which I am worried are linked to my cPanel, and they all have the permissions set to 0777, which seems kind of scary. Also, when I try to change the permissions, it does not work; it changes straight back to 777. The owner is just root currently. Many thanks.
Are you sure these are files and not symbolic links? Have you checked via SSH, or are you using File Manager? Thank you.
Hi, I'm really not sure if they are just links; it is very odd. I have uploaded a screenshot to show you what I mean. I'm using the File Manager to view this. I have to say also that I only found this folder while I was doing a backup to my PC. My antivirus prompted a threat (a backdoor trojan) originating from the directory they had access to. So when I went to take a look, there were various scripts in there. I'm not very experienced with PHP, but I found references to webroot hack tools, quotes like 'you have been hacked', profanity, etc. I opened one .shtml file in my browser, which led me to the WHM login screen. Very confusing and frustrating :/ I'm doing my best to make sure my system is secure, but I just can't seem to get my head around this directory and why it seems like there is a window into the actual control panel from this account. Thank you for your help. Amber
It's likely a better idea to review the directory listing via SSH. Also, I suggest consulting with a qualified system administrator if you are concerned about the security of your system. Thank you.
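The replies above recommend checking via SSH whether the 0777 entries are symbolic links rather than files. The script below is an added example (not posted in this thread and not a cPanel tool) of what that SSH review can look like: it lists each entry in a directory with its own mode and owner, marks symlinks and where they point, flags links whose resolved target escapes the document root, and flags world-writable regular files and directories. It assumes a Linux host with GNU/busybox-style `stat -c` and `readlink -f` (as on a typical CentOS cPanel server); the fixture directory, file names and link targets it creates are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example: audit a web directory over SSH for symlinks and bad permissions.
# Assumes GNU-style `stat -c` and `readlink -f` (Linux); not part of cPanel.

# audit_dir DIR ROOT
# Prints one line per entry: TYPE MODE OWNER NAME [-> TARGET] [FLAGS]
# `stat` without -L reports the entry itself (lstat), so a symlink shows its
# own mode, which on Linux is always 777 and cannot be changed with chmod.
# That is why File Manager shows 0777 and "reverts" any change: chmod on a
# link is applied to its target, not to the link.
audit_dir() {
    dir="$1"
    root=$(readlink -f "$2")
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # skip unmatched globs
        name=$(basename "$entry")
        mode=$(stat -c '%a' "$entry")
        owner=$(stat -c '%U' "$entry")
        flags=""
        extra=""
        if [ -L "$entry" ]; then
            type="symlink"
            target=$(readlink "$entry")
            resolved=$(readlink -f "$entry" 2>/dev/null || printf '%s' "$target")
            case "$resolved" in
                "$root"|"$root"/*) ;;                      # stays inside the docroot
                *) flags="$flags ESCAPES_DOCROOT" ;;       # points outside it
            esac
            extra=" -> $target"
        elif [ -d "$entry" ]; then
            type="dir"
        else
            type="file"
        fi
        # World-writable means the "other" octal digit has the write bit (2) set.
        # Only meaningful for real files/dirs; a link's own mode is always 777.
        if [ "$type" != "symlink" ]; then
            case "$mode" in
                *[2367]) flags="$flags WORLD_WRITABLE" ;;
            esac
        fi
        printf '%-7s %-4s %-8s %s%s%s\n' "$type" "$mode" "$owner" "$name" "$extra" "$flags"
    done
}

# count_flag DIR ROOT FLAG: number of audit lines carrying FLAG (0 if none)
count_flag() {
    audit_dir "$1" "$2" | grep -c "$3" || true
}

# make_fixture: constructed sample tree mimicking the thread's situation.
# public_html/cp is a symlink out of the document root ("a window into
# the control panel"); shell.php is a world-writable upload.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/public_html/uploads" "$fx/outside"
    chmod 755 "$fx/public_html" "$fx/public_html/uploads" "$fx/outside"
    printf 'hello\n' > "$fx/public_html/index.html"
    chmod 644 "$fx/public_html/index.html"
    printf '<?php /* constructed sample, does nothing */ ?>\n' > "$fx/public_html/shell.php"
    chmod 777 "$fx/public_html/shell.php"
    ln -s "$fx/outside" "$fx/public_html/cp"     # escapes the docroot
    ln -s uploads "$fx/public_html/files"         # benign, stays inside
    printf '%s\n' "$fx"
}

# Stand-alone demo: build the fixture and audit it.
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    audit_dir "$fx/public_html" "$fx/public_html"
    rm -rf "$fx"
fi
```

Run it as `sh audit.sh --demo`, or source it and call `audit_dir /home/ACCOUNT/public_html/suspect /home/ACCOUNT/public_html` on the real server. A line such as `symlink 777 root cpanel -> /` with `ESCAPES_DOCROOT` confirms the "shortcut" is a link, not a copy of system files, and the fix is to remove the link itself with `rm` (no trailing slash, no `-r`), which leaves the target untouched; never chmod or delete "through" it.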