I have a client that in the past I happened to stumble upon a cgi script that appeared to be malicious. I only caught it because there were multiple processes running it and it was loading down the server. I gave the client the benefit of the doubt and told him that the problem script had been removed and not to upload it again. It has been almost a year and I have not noticed any problems, until he emailed me with some ftp problems.

Upon investigating his problem I came across several log ftp files of test.php and test2.php scripts being uploaded. Those files are not anywhere on his account. As a matter of fact, he has a handful of addon domains and there are no files at all in any of the public_html folders. He doesn't even have any files in any of the ftp folders. Call me paranoid, but I am not sure what is going on, but I have a feeling it can't be good.

I went back and checked his billing information, which he has never missed a payment, and found that his billing address was California, his IP on record during registering is from Australia and that the IP recorded in cPanel from last login is from India.

What I would like to do is be able to monitor his account for uploading of any php, cgi or pl files and make a copy of them to another folder for reviewing their contents later. Maybe a cronjob that scans his folders and copies such files to another location. The problem is that I have no idea of when the scripts will be uploaded and then removed from his account. Any suggestions would be great.
Rick
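A sketch of the cron-driven scan described in the post, as an added example that is not part of the original post: it copies every .php, .cgi or .pl file found under an account directory into a review folder, stored once per distinct content hash and renamed so the copy cannot be executed by the web server. The function name, the `.sample` suffix and the `index.tsv` log are assumptions made for illustration, and the source and review paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: snapshot uploaded script files for later review.
# Usage (hypothetical paths): snapshot.sh /home/ACCOUNT /root/review/ACCOUNT
# Keep the review directory outside the account so the client cannot reach it.

snapshot_scripts() {
    src=$1
    dest=$2
    mkdir -p "$dest" || return 1
    chmod 700 "$dest"
    copied=0
    # A temp list (not a pipe) keeps the counter in this shell.
    # Assumes file names contain no newlines.
    list=$(mktemp) || return 1
    find "$src" -type f \
        \( -iname '*.php' -o -iname '*.cgi' -o -iname '*.pl' \) > "$list"
    while IFS= read -r f; do
        # The file may vanish between find and here; skip it if so.
        sum=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1) || continue
        [ -n "$sum" ] || continue
        out="$dest/$sum.sample"
        # Same content already captured (possibly under another name).
        [ -e "$out" ] && continue
        cp -- "$f" "$out" || continue
        chmod 400 "$out"
        # Record when it was seen, its hash and its original path.
        printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "$sum" "$f" >> "$dest/index.tsv"
        copied=$((copied + 1))
    done < "$list"
    rm -f "$list"
    echo "$copied"   # number of new samples captured on this run
}

# Run only when called with both paths, e.g. from a crontab entry.
if [ "$#" -ge 2 ]; then
    snapshot_scripts "$1" "$2"
fi
```

A polling scan cannot see a file that is uploaded and deleted between two runs, so the run interval bounds what it catches. On Linux the same function can be triggered per event instead, for example from `inotifywait -m -r -e close_write,moved_to` (inotify-tools).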
