
Account Compromised via FTP Access

Comments

5 comments

  • cPanelMichael
    Hello :) Could you provide an example of a file with permission/ownership values you think are invalid? Note that you should likely terminate the account if you determine it was used for malicious purposes. Thank you.
    0
  • ambersabre
    Hello! Thanks for your reply. Inside the folder in question (which is a folder that has been created in the public_html directory for a website in a specific account) there are these files, which are text/x-generic, although when I click edit, there is nothing there: cpanel, cpaneleximfilter, cpaneleximscanner, cpanelhorde, cpanellogaholic, cpanellogin, cpanelphpmyadmin... daemon, dovecot... nobody, ntp, operator, postfix, root, saslauth, shutdown, sshd, sync, tcpdump, uucp, vcsa... the list goes on. The other folders in here are also accounts that have been created for other domain names and are httpd/unix-directory; again, when I click on these there is nothing inside, even though the actual accounts do have contents, e.g. full websites. These are the files which I am worried are linked to my cPanel, and they all have the permissions set to 0777, which seems kind of scary; also, when I try to change the permissions, it does not work, it changes straight back to 777. The owner is just root currently. Many thanks
    0
  • cPanelMichael
    Are you sure these are files and not symbolic links? Have you checked via SSH or are you using File Manager? Thank you.
    0
  • ambersabre
    Hi, I'm really not sure if they are just links, it is very odd. I have uploaded a screenshot to show you what I mean. I'm using the File Manager to view this. I have to say also that I only found this folder while I was doing a back-up to my PC. My antivirus prompted a threat (a backdoor trojan) originating from the directory they had access to. So when I went to take a look, there were various scripts in there. I'm not very experienced with PHP, but I found references to webroot hack tools, quotes like 'you have been hacked', profanity, etc. I opened one .shtml file in my browser, which led me to the WHM login screen. Very confusing and frustrating :/ I'm doing my best to make sure my system is secure, but I just can't seem to get my head around this directory and why it seems like there is a window into the actual control panel from this account. Thank you for your help, Amber
    0
  • cPanelMichael
    It's likely a better idea to review the directory listing via SSH. Also, I suggest consulting with a qualified system administrator if you are concerned about the security of your system. Thank you.
    0
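The two replies above both come down to the same check: look at the directory over SSH and find out whether the entries named after system users are symbolic links rather than files. On Linux a symbolic link always shows mode 777, and `chmod` on it changes the target rather than the link, which matches the "changes straight back to 777" behaviour described; a link to a root-owned directory the account cannot traverse would also look empty in a web file manager. The script below is an added example, not code from the thread or from cPanel: it classifies each entry of a directory, counts the links, and lists those whose resolved target lies outside the directory being audited. The directory path is an assumption; substitute the real one.

```shell
#!/bin/sh
# Added example (not from the thread or from cPanel): tell symbolic links apart
# from regular files and directories in a suspect web directory.
# Usage: audit_dir /home/ACCOUNT/public_html/suspect   (path is an assumption)

# classify_entry PATH
# Prints one line: "symlink PATH -> TARGET", "dir PATH", "file PATH" or "other PATH".
# The -L test is checked first because -d and -f follow links and would hide them.
classify_entry() {
    p="$1"
    if [ -L "$p" ]; then
        # readlink prints the raw link target; on Linux the link itself is always lrwxrwxrwx
        printf 'symlink %s -> %s\n' "$p" "$(readlink "$p")"
    elif [ -d "$p" ]; then
        printf 'dir %s\n' "$p"
    elif [ -f "$p" ]; then
        printf 'file %s\n' "$p"
    else
        printf 'other %s\n' "$p"
    fi
}

# audit_dir DIR
# Classify every entry directly under DIR, including dot files.
audit_dir() {
    dir="$1"
    for e in "$dir"/* "$dir"/.[!.]*; do
        # skip the literal pattern left behind when a glob matches nothing
        [ -e "$e" ] || [ -L "$e" ] || continue
        classify_entry "$e"
    done
}

# count_symlinks DIR
# Number of symbolic links directly under DIR (returned on stdout for scripting).
count_symlinks() {
    find "$1" -mindepth 1 -maxdepth 1 -type l | wc -l | tr -d ' '
}

# links_outside DIR
# List symbolic links directly under DIR whose resolved target is not inside DIR.
# Links out of the account's own tree (to /etc, /root, /home/otheraccount, ...)
# are the ones worth investigating.
links_outside() {
    dir="$(cd "$1" && pwd -P)"
    find "$dir" -mindepth 1 -maxdepth 1 -type l | while read -r l; do
        t="$(readlink -f "$l" 2>/dev/null)" || t=""
        case "$t" in
            "$dir"/*) ;;                       # stays inside the audited directory
            *) printf '%s -> %s\n' "$l" "$t" ;;
        esac
    done
}
```

`ls -la` in the same directory shows the same information at a glance: a symbolic link has `l` as the first character of its mode field and is printed as `name -> target`, which a web file manager may not display. Run the audit as root or as the account owner over SSH rather than through File Manager, and keep the output for whoever reviews the compromise.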
