The Community Forums


Account hacked and suspended

Discussion in 'Security' started by pueblosnet, Feb 3, 2015.

  1. pueblosnet

    pueblosnet Active Member

    Joined:
    Dec 23, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    A few minutes ago, one of my accounts was suspended and it was showing an Arabic hack message. After checking, the "suspended web template" had been changed. I reverted to the default and unsuspended the account, and the account is working correctly now. I also changed the root password and saw in the firewall that this IP was blocked:

    Time: Tue Feb 3 13:44:22 2015 +0100
    IP: 207.244.89.108 (US/United States/-)
    Failures: 5 (cpanel)
    Interval: 3600 seconds
    Blocked: Permanent Block

    Log entries:

    207.244.89.108 - root [02/03/2015:12:41:02 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect

    I notified abuse@leaseweb.com and sent a support ticket to get more help, but how was this hack done?

    • No other account was suspended
    • The last IP that logged in correctly using the root account was an IP from cPanel support
    • No rare commands in "history"
    • No strange running processes

    What more can I check?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    It's difficult to pinpoint the specific vulnerability or exploit used by an attacker to hack your websites. One could speculate on common methods (e.g. symlink attack), but it really requires a qualified system administrator to investigate the logs on your server and determine the source of the attack. There is a thread here where a similar question is asked:

    Log Files To Check After Account Hacked

    Thank you.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Changing the suspended template requires root or appropriate reseller access.

    If the cPanel account is owned by a reseller you may be in OK shape, but if the account is owned by root and someone managed to change that template, then your server should be considered compromised on a root level. You should migrate your sites to a new server with a clean OS installation and change all passwords.

    The account suspensions and template edit should be logged in the cPanel access log, unless the hacker erased the entries (which is possible with root access, but rarely is done).
     
  4. pueblosnet

    pueblosnet Active Member

    Joined:
    Dec 23, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    Thank you for your comments. cPanel support told me that they don't know what it was; it's like the hacker knew the root password. I'm double-checking everything but I haven't found anything suspicious.
     
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Definitely dig deep in the logs

    The best advice I can give you for now is to watch the cPanel access log (tail -f) in a terminal and change the template yourself. You'll see the request structure, something like POST /whatever/?some_action=template_change

    The above is completely made up, but the point is, you'll have an entry with something defining in it. Adding e-mail accounts uses "addpop" and so on. Once you find that, grep for that string in the log to see when the template was changed. With any luck you'll find the IP that was in there.

    If you do confirm unauthorized root access, again, the advice to migrate to a clean system is really the best bet.
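    One way to carry out what quizknows describes above (find the access-log line that identifies the template change, then pull out which user did it from which IP, and tally the failed logins behind the firewall block), as an added Python example that is not from the thread. The sample log lines are constructed in the layout of the whostmgrd entry quoted in the first post, and the some_action paths are placeholders copied from the made-up example above, not real WHM endpoints.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of the whostmgrd access-log entry quoted
# in the thread. The "some_action" request paths are placeholders taken from the
# made-up example in the post above, not real WHM endpoints.
SAMPLE_LOG = """\
207.244.89.108 - root [02/03/2015:12:41:02 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
207.244.89.108 - root [02/03/2015:12:41:09 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
203.0.113.7 - root [02/03/2015:12:43:10 -0000] "POST /whatever/?some_action=template_change HTTP/1.1" 200 0 "" "Mozilla/5.0"
198.51.100.20 - root [02/03/2015:13:20:01 -0000] "POST /whatever/?some_action=addpop HTTP/1.1" 200 0 "" "Mozilla/5.0"
198.51.100.20 - reseller1 [02/03/2015:13:22:30 -0000] "POST /whatever/?some_action=template_change HTTP/1.1" 200 0 "" "Mozilla/5.0"
"""

# client IP, "-", user, [timestamp], "request line", then status or the FAILED LOGIN text
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<rest>.*)$'
)

def parse_access_log(text):
    """Turn access-log text into dicts; lines that don't match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def find_action(entries, needle):
    """Same as grepping the log for the string that identifies an action."""
    return [e for e in entries if needle in e["req"]]

def sources_by_user(entries):
    """Map each user to the sorted list of client IPs that issued the matched requests."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["user"]].add(e["ip"])
    return {user: sorted(ips) for user, ips in seen.items()}

def failed_logins_per_ip(entries):
    """Count FAILED LOGIN lines per IP, the pattern behind the firewall block above."""
    counts = defaultdict(int)
    for e in entries:
        if "FAILED LOGIN" in e["rest"]:
            counts[e["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    log = parse_access_log(SAMPLE_LOG)
    for user, ips in sources_by_user(find_action(log, "template_change")).items():
        print(f"{user}: template changed from {', '.join(ips)}")
    print("failed logins:", failed_logins_per_ip(log))
```

    Point the parser at the real /usr/local/cpanel/logs/access_log once you have captured the defining string for the template change, and treat any root entry from an IP you do not recognise as confirmation of the root-level compromise quizknows describes.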
     