Account compromised can't delete files

dmcsatl

• November 20, 2014 15:27

I saw a few threads on this put nothing there helped me. I saw that one of my accounts were compromised causing high server loads. I find some files such as in a new directory "log" with the file "error.php". I tried deleting it but it keeps reappearing. Meaning I run the rm -rf error.php command under root, then it appears the file to be removed but then I run ls -l and the file is back. I tried "chown", "chmod", chattr -i, etc. nothing seems to work. the output for chattr -i is "-----------e" not sure what that means Cpanel is not working either.

• 

  24x7ss

  • November 21, 2014 12:07

  Hello:) I would suggest you to check the logs for the root cause of these files getting uploaded repeatedly. I suspect these files are getting uploaded using POST method and there must a file under that account using which these files are getting uploaded. You may also want to check FTP logs and cPanel access logs even though the panel is not working.

  0
• 

  cPanelMichael

  • November 21, 2014 14:57

  Hello :) I highly suggest consulting with a qualified system administrator or security specialist if you are not sure how to proceed. Forum posts will offer some help, but it's no substitute for a full investigation of the account or an audit of the overall security of your system. Thank you.

  0

Please sign in to leave a comment.