All Site passwords changed

wstream

Registered
Dec 4, 2013
cPanel Access Level
Root Administrator
Hi All

I need some info and help

We have a dedicated server with a handful of Joomla sites and 1 WordPress site.

Last night we had the WordPress site hacked.

As a result all other sites that are Joomla had their user table - user passwords changed and privileges changed to superadmin.

What's puzzling me is how they were able to change passwords on other databases in the same server.

At worst they could have got hold of the DB password for the WordPress database but not the others.

So how would they have changed the data on the other DBs?

In order to protect against this happening again I'll need to determine the route taken.

Any help or pointers greatly appreciated.

Thanks

Ash
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
You got hit with a symlink hack.

http://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242.html

In short, a hacker can use a default cPanel/WHM/Apache setup to get read access to everyone's configuration.php files. With that they have all the SQL usernames/passwords to change the admin tables.

I suggest CloudLinux with SecureLinks, or at least SuPHP with the EasyApache "Symlink Race Condition" protection.
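
Added example, not part of quizknows' post or the linked cPanel thread: a read-only audit for the condition described above, listing symlinks that resolve outside the account that holds them and Joomla/WordPress config files readable by every user on the server. It assumes each account is a directory directly under one home root; `audit_homes`, `build_demo_tree` and the sample tree are constructed for illustration.

```python
import os
import stat

CONFIG_NAMES = {"configuration.php", "wp-config.php"}  # Joomla, WordPress

def audit_homes(home_root):
    """Return (cross_account_symlinks, world_readable_configs) under home_root."""
    home_root = os.path.realpath(home_root)
    symlinks, readable = [], []
    for account in sorted(os.listdir(home_root)):
        acct_dir = os.path.join(home_root, account)
        if os.path.islink(acct_dir) or not os.path.isdir(acct_dir):
            continue
        # os.walk does not follow symlinks by default, so the scan stays in-account.
        for dirpath, dirnames, filenames in os.walk(acct_dir):
            for name in sorted(dirnames + filenames):
                path = os.path.join(dirpath, name)
                mode = os.lstat(path).st_mode
                if stat.S_ISLNK(mode):
                    target = os.path.realpath(path)
                    # A link that resolves outside the owning account is suspect.
                    if os.path.commonpath([acct_dir, target]) != acct_dir:
                        symlinks.append((path, target))
                elif name in CONFIG_NAMES and mode & stat.S_IROTH:
                    # Readable by "other": any account on the box can read the DB password.
                    readable.append(path)
    return symlinks, readable

def build_demo_tree(root):
    """Constructed sample layout: two accounts, one holding a cross-account link."""
    site_a = os.path.join(root, "site_a", "public_html")
    site_b = os.path.join(root, "site_b", "public_html")
    os.makedirs(site_a)
    os.makedirs(site_b)
    joomla_cfg = os.path.join(site_a, "configuration.php")
    wp_cfg = os.path.join(site_b, "wp-config.php")
    for cfg, perms in ((joomla_cfg, 0o644), (wp_cfg, 0o600)):
        with open(cfg, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(cfg, perms)
    os.symlink(joomla_cfg, os.path.join(site_b, "cfg.txt"))   # crosses accounts
    os.symlink(wp_cfg, os.path.join(site_b, "own.txt"))       # stays in-account

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        print(audit_homes(tmp))
```

Treat hits as leads to review, since a link that leaves the account can be legitimate.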
 

wstream

Hi Michael - thanks for the move

Quizknows - thanks for the reply - yup, looks like that's what happened - have applied RUID2 and JailShell

Thanks again guys

Ash