My issues never cease now. I apologize for this if it has already been covered, but I am just now recovering from a massive issue that hit a major client's site on my server, and about 10 heated calls from them later.
I had a call today from my angry client about their site being hijacked/replaced with a different one. So, I went in and looked, sure enough, it was hacked. Also, WHM was hacked somehow.
My server used the following password (WHICH IS NOW CHANGED!) - $Pu35f55^xq6fhJyVFM^zAxfWq3V!j@G - so I know it isn't exactly easily hackable (brute force wise).
The hacker(s) went in and added accounts, which they later linked the client site to. This, in turn, was like a click jack, I suppose, and forced them offline. Inspecting the site's files for the client, though, they all appeared the same. I went ahead and did about 3 rollbacks (from backup) to see if this would fix the issue, and it didn't. Finally, after poking around, I saw the added sites, nuked them off the server and restored the site, making a semi-happy customer.
On further inspection, the hacker(s) put their email in the contact page for WHM so no account emails would come to me anymore, nor anything else like backup emails.
I need to know how this is possible. I have CSF installed to a high security level and feel like this might have been a good way for starters.
I don't think they could have exploited the password, but I might be wrong? I have increased the length to 36 chars now with more variances. FWIW - this is partly why, over the past year or so, I have quietly asked for a Yubikey solution, or Two-Factor authentication to help against this type of stuff. I don't know if it was an injection at this point though.
For the goodies -
Running 11.36.0 (build 2) and WHMCS V. 5.2.3 for the main interactions with the site. Yubikey authentication enabled on WHMCS for my account.