The Community Forums

Accounts secretly added....

Discussion in 'Security' started by medfordite, Apr 9, 2013.

  1. medfordite

    medfordite Member

    Joined:
    Dec 13, 2011
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    My issues never cease now, I apologize for this if it has already been covered, but I am just now recovering from a massive issue that hit a major client's site on my server and about 10 heated calls from them later.

    I had a call today from my angry client about their site being hijacked/replaced with a different one. So, I went in and looked, sure enough, it was hacked. Also, WHM was hacked somehow.

    My server used the following password (WHICH IS NOW CHANGED!) -
    so I know it isn't exactly easily hackable. (Brute Force Wise).

    The hacker(s) went in and added accounts which they later linked the client site to theirs. This, in turn was like a click jack I suppose and forced them offline. Inspecting the site's files for the client though, they all appeared the same. I went ahead and did about 3 rollbacks (from backup) to see if this would fix the issue, and it didn't. Finally, after poking around, saw the added sites, nuked them off the server and restored the site making a semi-happy customer.

    In further inspection, the hacker(s) put their email in the contact page for WHM so no account emails would come to me anymore nor, anything else like backup emails.

    I need to know how this is possible? I have CSF installed to a high security level and feel like this might have been a good way for starters.

    I don't think they could have exploited the password, but I might be wrong? I have increased the length to 36 chars now with more variances. FWIW - this is partly why, over the past year or so, I have quietly asked for a Yubikey solution, or Two-Factor authentication to help against this type of stuff. I don't know if it was an injection at this point though.

    For the goodies -

    Running 11.36.0 (build 2) and WHMCS V. 5.2.3 for the main interactions with the site. Yubikey authentication enabled on WHMCS for my account.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,456
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    If they got into WHM, your server is still compromised and not to be trusted I would think.
     
  3. medfordite

    medfordite Member

    Joined:
    Dec 13, 2011
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    infopro- tell me something I don't already know. :)

    I think I have narrowed it down (at least I hope) by them using Symlinks and doing some looking up exploits on Google to get that far. I went through EasyApache since and have disabled Symlinks.
     
  4. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    They don't get in to your root WHM that way.

    CSF sends an email every time someone logs in to WHM or SSH as root. You should have got at least one email when they first logged in.
     
  5. medfordite

    medfordite Member

    Joined:
    Dec 13, 2011
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    True - however, the hacker changed the email somehow first so they would get the notifications. I believe through a script injection w/o logging in first.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,456
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Resistance is futile? :)

    Reloading that server is probably your best way forward.
     
  7. hostrazor

    hostrazor Member

    Joined:
    Mar 28, 2013
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I find that running an intensive ClamAV scan usually picks up malware used to root your servers; unless of course it's a zero-day, and then you're pretty much stuck for having an insecure server anyway. I'd heavily check your logs and do some intensive scans or hire somebody to look into it if you would rather not reinstall.
     
  8. arunsv84

    arunsv84 Well-Known Member

    Joined:
    Oct 20, 2008
    Messages:
    373
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    127.0.0.1
    cPanel Access Level:
    Root Administrator
    Have you checked the cPanel access logs to make sure that the hacker was not able to access WHM as root?

    As the password seems to be strong, the hacking could be related to a kernel exploit. Check it as well.

    As suggested by Infopro, if it's a root compromise, reloading the OS is the best option as we can't guarantee the amount of damage that the hacker has made. You can never be 100 percent certain that you've repaired the system.

    Cheers!!!
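One way to do the access-log check arunsv84 suggests, as an added example that is not code from the thread or from cPanel: it assumes the combined-log-style layout of /usr/local/cpanel/logs/access_log described in the comments, and the sample lines and request paths are constructed, not taken from a real server.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: cPanel's /usr/local/cpanel/logs/access_log is laid out like an
# Apache combined log: client IP, "-", authenticated user, [timestamp],
# "request line", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not from the thread or any real server): a root
# session from an unknown address creates an account and saves settings at
# night; the legitimate admin then logs in from the office range that morning.
SAMPLE_LOG = """\
203.0.113.7 - root [09/04/2013:02:14:05 -0000] "GET /scripts2/listaccts HTTP/1.1" 200 4120 "" "Mozilla/5.0"
203.0.113.7 - root [09/04/2013:02:15:40 -0000] "POST /scripts2/wwwacct HTTP/1.1" 200 311 "" "Mozilla/5.0"
203.0.113.7 - root [09/04/2013:02:16:02 -0000] "POST /scripts2/saveconf HTTP/1.1" 200 77 "" "Mozilla/5.0"
198.51.100.20 - root [09/04/2013:09:01:12 -0000] "GET /scripts2/listaccts HTTP/1.1" 200 4120 "" "Mozilla/5.0"
198.51.100.20 - clientsite [09/04/2013:09:05:33 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 9001 "" "Mozilla/5.0"
"""

def parse_access_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_suspicious_root_activity(log_text, admin_nets):
    """Flag root WHM requests from outside the admin IP allowlist, plus every
    state-changing (POST) root request, so each one can be matched against
    the CSF root-login alert emails mentioned earlier in the thread."""
    nets = [ip_network(n) for n in admin_nets]
    findings = []
    for rec in parse_access_log(log_text):
        if rec["user"] != "root":
            continue
        reasons = []
        if not any(ip_address(rec["ip"]) in n for n in nets):
            reasons.append("root request from non-admin IP")
        if rec["method"] == "POST":
            reasons.append("root state change (POST)")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_root_activity(SAMPLE_LOG, ["198.51.100.0/24"]):
        print(f["ts"], f["ip"], f["path"], "; ".join(f["reasons"]))
```

Run it against the real log with your own admin ranges; any flagged root POST with no matching CSF alert email is a session that happened after the notification address was changed.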
     