Breached cPanel - multiple logged logins even with 2FA enabled

Operating System & Version: CentOS
cPanel & WHM Version: 104

dorianc

Registered
Jul 24, 2022
cPanel Access Level
Root Administrator
Hi everyone,

I have a problem that I've never experienced before, despite having years of experience with cPanel and various application attacks, as I work mostly in the web security domain. The attacker is constantly creating phishing pages in /public_html. I've been going mental for days and can't find the source or a direct point of breach.

2-FA is enabled on all cPanel accounts.
ModSec is on with the standard rules.
Only one account out of 4 is compromised.
The only application on that cPanel account is WordPress.
Domain and web server logs have no records on the IP prior to the cPanel login.

I've been tracking logs like crazy, and they all indicate that the attacker simply comes to the login page and logs in, even with 2FA enabled. Then he simply navigates with File Manager to edit the files he needs.

/usr/local/cpanel/logs/session_log:[2022-07-22 22:17:08 +0000] info [cpaneld] 181.214.165.82 NEW USERNAME:kFas7oPpoXNXaoBw address=181.214.165.82,app=cpaneld,creator=USERNAME,method=handle_form_login,path=form,possessed=0

Any tips, help, suggestions would be more than welcome.
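The session_log line quoted above has a fixed shape (timestamp, level, daemon, source IP, event, user:session, then comma-separated key=value fields). The following added example (not from the original post or from cPanel) parses lines in that format and flags form logins whose source address is outside an allowlist, the same check the Host Access Control workaround enforces at the network layer. The usernames, session tokens and RFC 5737 addresses in the sample are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample lines in the session_log format quoted in the thread.
# "exampleuser", the session tokens and the 203.0.113.x / 198.51.100.x
# addresses are placeholders, not values from any real server.
SAMPLE_LOG = """\
[2022-07-22 09:02:11 +0000] info [cpaneld] 203.0.113.10 NEW exampleuser:aB3x9QpLmNvWzR address=203.0.113.10,app=cpaneld,creator=exampleuser,method=handle_form_login,path=form,possessed=0
[2022-07-22 22:17:08 +0000] info [cpaneld] 198.51.100.7 NEW exampleuser:kFas7oPpoXNXaoBw address=198.51.100.7,app=cpaneld,creator=exampleuser,method=handle_form_login,path=form,possessed=0
[2022-07-22 22:20:41 +0000] info [whostmgrd] 203.0.113.10 NEW root:QzT4mPwLk2sHe7 address=203.0.113.10,app=whostmgrd,creator=root,method=handle_form_login,path=form,possessed=0
"""

# [ts] level [daemon] ip EVENT user:session k=v,k=v,...
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<level>\w+) \[(?P<daemon>\w+)\] (?P<ip>\S+) "
    r"(?P<event>\w+) (?P<user>[^:\s]+):(?P<session>\S+)(?: (?P<kv>\S+))?$"
)


@dataclass
class SessionEvent:
    ts: str
    daemon: str
    ip: str
    event: str
    user: str
    fields: dict = field(default_factory=dict)


def parse_session_log(text):
    """Parse session_log text into SessionEvent records; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kv = dict(p.split("=", 1) for p in (m["kv"] or "").split(",") if "=" in p)
        events.append(SessionEvent(m["ts"], m["daemon"], m["ip"], m["event"], m["user"], kv))
    return events


def flag_unexpected_logins(events, allowlist):
    """Return NEW form-login events whose source address is outside the allowlist."""
    nets = [ip_network(n) for n in allowlist]
    flagged = []
    for ev in events:
        if ev.event != "NEW" or ev.fields.get("method") != "handle_form_login":
            continue
        src = ip_address(ev.fields.get("address", ev.ip))  # prefer the address= field
        if not any(src in net for net in nets):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in flag_unexpected_logins(parse_session_log(SAMPLE_LOG), ["203.0.113.0/24"]):
        print(f"{ev.ts} {ev.daemon} login for {ev.user} from unexpected IP {ev.ip}")
```

Run it against the real file with `parse_session_log(open("/usr/local/cpanel/logs/session_log").read())` and the owner's static IP as the allowlist; every flagged line is a login that Host Access Control would have blocked.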

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! This issue might be better handled through a ticket so we can actually see the server and ensure no compromise on the server side is helping this happen. If you are able to make a ticket, please post the number here so I can follow along.

dorianc

cPanel Access Level
Root Administrator
I went with Host Access Control, allowing only the owner's static IP to access cPanel. This should lock it down completely. Common sense says that a WP plugin or theme is vulnerable to some kind of attack, but the logs state the complete opposite: the cPanel login page is accessed first by the attacker, and there's absolutely no trace of any kind of exploit or vulnerability attack in the web server logs. Restricting cPanel access to one IP should patch it up temporarily.