CPanel hacked
I thought CPanel was secure, but I guess I was wrong.
Suddenly, I find out that several of the user accounts have been hacked into where index.php has either been over written, or index.html has been placed, along with other malicious scripts...
Currently, load avg is sky high due to lots of exim procs. God knows what's running them all.
How do I go about finding out how it happened and securing the server?
The problem is not with cpanel. Hacks can occur from many different angles (insecure scripts, weak passwords, etc). You have to check how it occurred by reviewing the logs and then implement security features on your server (modsecurity, firewall, etc)
maybeee.. they got root access or something, I doubt it was a cpanel hack
The problem is, I am trying to block certain IP addresses by adding them to host access block but it doesn't seem to be working either
Just some friendly advise. Stop the mailserver(exim) and start purging the queue. Whom ever hacked it likely stocked it full of junk. You'll likely get blacklisted for sending all that garbage to boot.
As soon as you get the system under control put a stock exim configuration in place and start doing some security forensics. Determine the depth of the compromise, aka did they get root? Determine the state of your backups and act accordingly.
You should change all your account's FTP passwords and cPanel account passwords and/or contact a Security Advisor to perform a Security Audit.
:: Server Buddies ::
Server Management & Monitoring
.Dedicated Server Solutions At Affordable Rates.
LinkBack URL
About LinkBacks
Reply With Quote