Adding accounts without logging into WHM - hacked?

C

craigwillis

Registered
May 20, 2010
2
0
51
Hi

I have just noticed and deleted 2 accounts that have been created in my WHM install.

Someone has managed to add these accounts to point to known spam sites.

What I'd like to know, is how this could happen, especially if they have no access to WHM via logging in as root?

Also, how I can prevent this from happening in future?

I have changed the root password to the server for added security,
 
E

eth00

Well-Known Member
PartnerNOC
Mar 30, 2003
721
1
168
NC
cPanel Access Level
Root Administrator
Did you by chance try to search the logs or do anything before deleting them? You could have checked what time the account was created (based on timestamps of the home dir files) and then cross check the logs to see what exactly happened.
 
J

JaredR.

Well-Known Member
Feb 25, 2010
1,834
27
143
Houston, TX
cPanel Access Level
Root Administrator
/usr/local/cpanel/logs

The directory /usr/local/cpanel/logs contains several logs that can be very useful.

access_log logs all access to the WebHost Manager and cPanel. It is very verbose, with source and destination IP addresses, timestamps, and the exact URLs requested. It is in an Apache-style format.

error_log logs errors that occur in cPanel-related services.

login_log logs logins to the WHM, cPanel and Webmail.

There is no provision for viewing these logs via the WebHost Manager. They must be viewed using the shell as root, using cat or less or grep.
 
Spiral

Spiral

BANNED
Jun 24, 2005
2,018
8
193
Someone has managed to add these accounts to point to known spam sites.
Click to expand...
That statement alone tells me that you have been root compromised

First thing I would do is change all your passwords and perform full anti-virus and trojan scans on your home computer just for safety though none of that in and of itself may help too much at this point.

The compromise could have come in from a wide variety of sources from an exploit to stealing your own root password to brute force attack but the larger issue is that your server at this point has indeed been compromised and I would be willing to bet they did a lot more than just create accounts.

Standard modus operandi for hacking is once you gain access to a server is to create multiple backdoor ways back into the server and cover your tracks modifying log traces to evade quick detection.

You have accounts mysteriously appearing and also being used for what you described then you have a very serious problem and at this point very likely have rootkits and other hacker related processes installed that you still don't know about.

If you are extremely lucky, all they did is created the accounts but I very seriously doubt that is all that has been done. :rolleyes:
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
A Adding IP to Host Access Control Security 1
C CPanel accounts getting attacked by the same person whom is resetting zone file and adding their own records. Security 3
P Adding cPanel User for sudomain webmaster Security 3
verdon SOLVED LDAPS and adding new CA to trust store Security 2
G Adding to CSF's Temporary Deny via PHP Security 2
Similar threads
Adding IP to Host Access Control
CPanel accounts getting attacked by the same person whom is resetting zone file and adding their own records.
Adding cPanel User for sudomain webmaster
SOLVED LDAPS and adding new CA to trust store
Adding to CSF's Temporary Deny via PHP
Top Bottom