Account Compromised
I have an empty account that has been getting random PHP files for the last two days. The only thing the account was used for was redirecting visitors (an index.shtml file only). So /public_html contained only one file. So there were no PHP scripts or any other files in the web area that could have been hacked.
I'm using CageFS as well, so no other account should be responsible. The uploaded files have the correct owner/group for the account. The uploaded files have been used in emails (links to the PHP files they uploaded).
I removed the dir just to test, and then they were able to upload again.
The only way this should work is if they guessed the password and uploaded content. But I don't find anything in the logs to support that. What could possibly be the cause of this, or how can I best go forward? If the home area had any script files, I would just assume the scripts have security holes. But luckily in this case there were none. So that narrows it down a bit.
CLOUDLINUX 7.3 x86_64 standard
cPanel & WHM 64.0 (build 18)
Update: I found that FTP was in fact used to log in. So somehow they knew that info.
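One way to get the evidence the poster could not find: pull the FTP logins and uploads for the account out of the server log and see which source addresses they came from. The script below is an added example, not code from the thread; the log lines are constructed in the shape of pure-ftpd syslog output (the FTP server cPanel ships by default), and the host name, account name and IP addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating pure-ftpd syslog output; the host,
# account "redirsite" and the IP addresses are invented for this example.
SAMPLE_LOG = """\
Mar  3 02:11:40 host1 pure-ftpd: (?@203.0.113.45) [INFO] redirsite is now logged in
Mar  3 02:11:52 host1 pure-ftpd: (redirsite@203.0.113.45) [NOTICE] /home/redirsite//public_html/mailer.php uploaded  (4231 bytes, 55.12KB/sec)
Mar  3 02:12:03 host1 pure-ftpd: (redirsite@203.0.113.45) [NOTICE] /home/redirsite//public_html/img/x.php uploaded  (911 bytes, 30.01KB/sec)
Mar  3 09:30:07 host1 pure-ftpd: (?@198.51.100.7) [INFO] redirsite is now logged in
Mar  3 09:30:20 host1 pure-ftpd: (redirsite@198.51.100.7) [NOTICE] /home/redirsite//public_html/index.shtml uploaded  (388 bytes, 12.00KB/sec)
Mar  3 11:02:19 host1 pure-ftpd: (?@203.0.113.45) [WARNING] Authentication failed for user [admin]
"""

LOGIN_RE = re.compile(r"\(\?@(?P<ip>[\d.]+)\) \[INFO\] (?P<user>\S+) is now logged in")
UPLOAD_RE = re.compile(r"\((?P<user>[^@]+)@(?P<ip>[\d.]+)\) \[NOTICE\] (?P<path>\S+) uploaded")
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi")

def summarize_ftp(log_text, known_ips=frozenset()):
    """Count successful logins per account and source IP, list logins from IPs
    not in known_ips, and list uploads of server-side script files."""
    logins = defaultdict(lambda: defaultdict(int))   # user -> ip -> login count
    script_uploads = []                               # (user, ip, path)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins[m["user"]][m["ip"]] += 1
            continue
        m = UPLOAD_RE.search(line)
        if m and m["path"].lower().endswith(SCRIPT_EXT):
            script_uploads.append((m["user"], m["ip"], m["path"]))
    unknown = {u: {ip for ip in ips if ip not in known_ips} for u, ips in logins.items()}
    return {"logins": {u: dict(ips) for u, ips in logins.items()},
            "unknown_sources": unknown,
            "script_uploads": script_uploads}

if __name__ == "__main__":
    # known_ips would be the addresses the account owner actually uses
    report = summarize_ftp(SAMPLE_LOG, known_ips={"198.51.100.7"})
    for user, ips in report["logins"].items():
        print(f"{user}: logins by source IP {ips}")
    print("logins from unrecognised IPs:", report["unknown_sources"])
    for user, ip, path in report["script_uploads"]:
        print(f"script uploaded by {user} from {ip}: {path}")
```

On a real cPanel host, feed it the pure-ftpd entries from /var/log/messages (grep for `pure-ftpd`) and put the owner's own addresses in known_ips.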
how can I best go forward?
Changing the account password and setting up two-factor authentication would help for starters.