Couple of files changed in public_html

Comments

6 comments

  • rbairwell

    I would take the timestamps of the changed files and then look at the Apache access files for around that time (+/- 10 minutes usually). I'm 99% certain you'll see something like POST /xxx/xxxx?action=run&command=fetch as most exploits are through web apps.

    0
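The correlation described in the comment above, as an added example that is not part of the original thread: it parses Apache access-log lines and returns the requests that fall within 10 minutes of a changed file's timestamp, with POST/PUT listed first. It assumes the standard common/combined log format; the file path, IP addresses and log lines are constructed sample data, and the function names are hypothetical.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined format: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def file_times(paths):
    """mtime per file, timezone-aware. mtime can be reset with touch, so also check st_ctime."""
    return {p: datetime.fromtimestamp(os.stat(p).st_mtime, tz=timezone.utc) for p in paths}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines that are not in the expected format
    host, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")  # keeps the log's UTC offset
    return {"time": when, "host": host, "method": method, "path": path, "status": int(status)}

def requests_near(log_lines, changed, window_minutes=10):
    """Requests within +/- window_minutes of any changed file, POST/PUT listed first."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        entry = parse_line(line)
        if entry is None:
            continue
        near = sorted(p for p, t in changed.items() if abs(entry["time"] - t) <= window)
        if near:
            entry["near_files"] = near
            hits.append(entry)
    hits.sort(key=lambda e: (e["method"] not in ("POST", "PUT"), e["time"]))
    return hits

# Constructed sample data (not from the thread): one changed file and five log lines.
SAMPLE_CHANGED = {
    "public_html/.well-known/index.html": datetime(2024, 3, 14, 10, 2, 30, tzinfo=timezone.utc),
}
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Mar/2024:09:40:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Mar/2024:11:01:12 +0100] "POST /xxx/xxxx?action=run&command=fetch HTTP/1.1" 200 312',
    '203.0.113.5 - - [14/Mar/2024:10:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 68',
    '192.0.2.9 - - [14/Mar/2024:10:30:00 +0000] "POST /contact.php HTTP/1.1" 200 740',
    'truncated line without a timestamp',
]

if __name__ == "__main__":
    for e in requests_near(SAMPLE_LOG, SAMPLE_CHANGED):
        print(e["time"].isoformat(), e["host"], e["method"], e["path"], e["status"])
```

On a live server, build the `changed` mapping with `file_times([...])` and pass the lines of the domain's access log; the second sample line shows why the log's UTC offset has to be honoured when comparing against file timestamps.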
  • barbarian86

    Found out where it happened, now just to find out how. It's the .well-known folder in the public_html.

    0
  • barbarian86

    Has anyone experienced index.html, sitemap.xml, and robots.txt files in here? Thanks

    0
  • cPRex Jurassic Moderator

    Is there data in that directory besides the acme-challenge and pki-validation folders?  That directory is used for the AutoSSL system so it's normal for those files to change automatically, but if there are non-AutoSSL files in there that would be cause for concern.

    0
  • barbarian86

    Yes, there is some data: an index page, robots.txt, and a couple of other files apart from the pki-validation folder. But no trace of how they would be uploaded there.

    0
  • cPRex Jurassic Moderator

    It's possible the user accessed cPanel and used the File Manager tool, so you'd see a log in /usr/local/cpanel/logs/access_log with more details from around the same time as the timestamp on the files.

    0
