Account Continually Compromised Problem

Steven Katz
Registered, Nov 11, 2018 (Israel; cPanel Access Level: Website Owner)
Forum,

I seek help to resolve a security issue that seems to be coming from some unknown back door into my .cpanel directory.

I was initially breached 10 days ago, likely via a WordPress site, that loaded a number of scripts that impacted my site, email, DNS, and more. After cleaning up and changing passwords, the attack continued, forcing me to take the sites down. With that change not successful, I removed all the DNS entries except for email (which I needed to keep up), again changing all passwords, and the issue still continues. Scans from the host (Bluehost) come up "clean" for malware.

I notice when changes are made (adding folders to my file server), there are also file changes in the .cpanel directory. There are no logins in the logs, so this is not via the front door. Websites are unreachable, so it's not via those URLs. I have asked my host (Bluehost) to "clean install" my cPanel -- which they claim can't be done. Before I move everything to a new host (seems to be the only available solution - open to recommendations), I'd like to open this to the forum.

Thanks!

Steve
 

Steven Katz
Perhaps there is a "Golden Version" of the /.cpanel folder with a list of files and file sizes that I can compare to the existing install? This way I can delete anything not in the "Golden Version" and anything that doesn't match the file size I can review? I'm not a security expert, merely the most technically knowledgeable in our small business.

Open to all suggestions. Thanks!
 

cPanelLauren
Product Owner, Staff member, Nov 14, 2017 (Houston)
Hello @Steven Katz

It sounds as though the issue wasn't completely cleaned up or the source of the issue wasn't actually found. There are a few really great guides for cleaning WordPress compromises from WordPress themselves as well as a couple of the forerunners in WordPress security:

FAQ My site was hacked « WordPress Codex
How to Clean a Hacked WordPress Site - Sucuri Guide
How to Clean a Hacked WordPress Site using Wordfence - Wordfence

What I would suggest doing if you're unable to find the source of the issue is to enlist the assistance of a qualified system administrator. If you don't have one you might find one here: System Administration Services | cPanel Forums

It's pretty normal for the information in /home/$user/.cpanel to change periodically especially since a lot of cached data is stored in its subdirectories. It'd be really difficult to provide you with a known good copy as it wouldn't necessarily be good for you and definitely wouldn't be useful for comparison. Data in .cpanel is regenerated quite frequently.
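Steven's "Golden Version" idea (a file list with sizes to compare against the current install) is a standard integrity-baseline technique; the reply above explains why it does not work for .cpanel itself, since that directory is regenerated cache data. The script below is an added example written for this thread, not code from cPanel, Bluehost or any poster. It builds a manifest of a directory tree (path, size and SHA-256), then diffs a later manifest against it and reports added, removed and modified files. It goes slightly beyond the size-only check proposed above: hashing catches an edit that keeps the file size unchanged. The sample tree it runs on is constructed inline in a temporary directory; the file names are placeholders, not paths from any real install. A baseline is only trustworthy if it is stored somewhere the compromised account cannot write to, so keep the JSON off the hosting account.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=65536):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Walk `root` and return {relative_posix_path: {"size": int, "sha256": hex}}.

    Symlinks are skipped so a link pointing outside the tree is neither
    followed nor hashed; directories themselves carry no entry.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_of(path)}
    return manifest


def save_manifest(manifest, dest):
    """Write the baseline as JSON; store this copy OFF the hosting account."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def compare_manifests(baseline, current):
    """Return sorted lists of paths that were added, removed or modified.

    A file counts as modified when its hash differs; a size-only check would
    miss an in-place edit that keeps the byte count the same.
    """
    base_paths, cur_paths = set(baseline), set(current)
    modified = [
        p for p in base_paths & cur_paths
        if baseline[p]["sha256"] != current[p]["sha256"]
    ]
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(modified),
    }


def demo():
    """Run the baseline/compare cycle on a constructed sample tree (placeholder names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "plugin.php").write_text("<?php // constructed plugin stub ?>\n")

        baseline = build_manifest(root)
        save_manifest(baseline, root / "baseline.json")  # demo only; real copy goes off-host

        # Simulate later changes: same-size edit, one new file, one deleted file.
        (root / "index.php").write_text("<?php echo 'hallo'; ?>\n")
        (root / "wp-content" / "unexpected.php").write_text("<?php // not in baseline ?>\n")
        (root / "wp-content" / "plugin.php").unlink()

        current = build_manifest(root)
        current.pop("baseline.json", None)  # exclude the manifest we wrote into the tree
        return compare_manifests(load_manifest(root / "baseline.json"), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To use it on a real account, run `build_manifest` over a directory whose contents you control (a fresh, known-clean deployment of the site), save the JSON off the server, and rerun the comparison after each suspicious event; every entry in `added` or `modified` is something to review. Cache-style directories such as .cpanel will churn on every run, which is exactly the point made in the reply above, so they are not useful baseline targets.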