We’ve finished disinfecting his site… Original hack sometime early October, 2018. Several species of malware included on the site since then by miscreants. Latest malware was a banking/phishing set to capture bank/PayPal signins from the unwary. Directory-by-directory search showed a few more lurking back-doors (now removed), and the main site is now clean.
The original hack was unlikely to come from an external HTTP access (no evidence of that in the logs) – my guess is that either
- another site on the same server was compromised and loose permissions allowed files to be saved in his document root, or
- a vulnerability in cPanel allowed upload access to unauthenticated users or
- the webserver was root-kitted back then and not detected for long enough for the miscreants to plant malware seeds on many sites on the webserver.
We’ll never know just how the initial compromise happened as no available logs point to a cause.
Thanks Ken… I cannot thank you enough for your help!!! Much appreciated.
I was pleased to help debug the malware infection issues… exercised my old ‘defense-against-the-dark-arts’ skills
Best regards,
Ken