The Community Forums

Brute Force Attacks Against cPanel

Discussion in 'General Discussion' started by ApparentMedia, Aug 4, 2015.

  1. ApparentMedia (Registered)

     Aug 4, 2015
     cPanel Access Level: Root Administrator
    I've been running web servers with cPanel for many years, and recently have noticed a number of brute force attacks against cPanel and accounts.

    I started noticing this a few months back, when a couple of domains I manage on the server started sending out email Password Change Notifications to me to let me know that cPanel had received a password reset request and had sent out a new password. I thought maybe I had a weak password on those domains, so I changed the password, cleaned up the hacks and moved on.

    Today, I was going through a client's domain to clean up a hack, and noticed that the account had a list of all users in /home/* in a folder of hack attempts against common content management and shopping cart programs.

    One of the scripts in the user's directory was, of course, encoded. After decoding the script, the title of the exploit was "CPanel Bruteforce | S4MP4H", and upon examining the file, it looks as though it's meant to scan the server for exploits and act on them.

    However, the user in question is jailshelled, so I'm curious as to how the script was able to find a list of other users on the server.

    Has anyone else noticed exploits against their server, specifically attacking cPanel, its scripts and APIs to initiate password resets, create subdomains, and what appears to be a break out of jailshell?
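
As an added example (not code from the post above, and not cPanel's own tooling), this is the kind of check a root administrator would run over the cPanel login log to confirm what the post describes. It assumes the line layout of /usr/local/cpanel/logs/login_log shown in the constructed sample below; that layout is an assumption and should be checked against a real server before the script is pointed at production logs. For each source IP it reports the peak number of failed logins inside a sliding window, the distinct usernames that source tried (many usernames from one source is consistent with an attacker working from a list of accounts, which is what the post suspects), and any account where a successful login followed failures from the same source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real server data). The layout approximates
# cPanel's /usr/local/cpanel/logs/login_log; that layout is an assumption.
SAMPLE_LOG = """\
[2015-08-04 09:00:01 -0500] info [cpaneld] 203.0.113.7 - alice "GET /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: user password hash mismatch
[2015-08-04 09:00:03 -0500] info [cpaneld] 203.0.113.7 - bob "GET /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: user password hash mismatch
[2015-08-04 09:00:05 -0500] info [cpaneld] 203.0.113.7 - carol "GET /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: user password hash mismatch
[2015-08-04 09:00:07 -0500] info [cpaneld] 203.0.113.7 - dave "GET /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: user password hash mismatch
[2015-08-04 09:00:09 -0500] info [cpaneld] 203.0.113.7 - erin "GET /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: user password hash mismatch
[2015-08-04 09:00:11 -0500] info [cpaneld] 203.0.113.7 - bob "GET /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: user password hash mismatch
[2015-08-04 09:00:14 -0500] info [cpaneld] 203.0.113.7 - bob "POST /login/ HTTP/1.1" NEW LOGIN cpaneld: user password hash matches
[2015-08-04 09:10:00 -0500] info [cpaneld] 198.51.100.4 - alice "GET /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: user password hash mismatch
[2015-08-04 10:30:00 -0500] info [cpaneld] 198.51.100.4 - alice "GET /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: user password hash mismatch
[2015-08-04 10:30:20 -0500] info [cpaneld] 198.51.100.4 - alice "POST /login/ HTTP/1.1" NEW LOGIN cpaneld: user password hash matches
this line is not a login record and must be skipped
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) [+-]\d{4}\] \w+ \[\w+\] '
    r'(?P<ip>\S+) - (?P<user>\S+) "[^"]*" (?P<result>FAILED LOGIN|NEW LOGIN)'
)


def parse_line(line):
    """Return (timestamp, ip, user, failed) for a login record, None otherwise."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # The UTC offset is dropped: every line of one log carries the same offset,
    # so ordering and window arithmetic are unaffected.
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), m.group("user"), m.group("result") == "FAILED LOGIN"


def peak_in_window(times, window):
    """Largest number of timestamps (sorted ascending) that fall inside one window."""
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def analyze(log_text, window=timedelta(minutes=5), threshold=5):
    """Summarise failed logins per source IP and flag brute-force candidates."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    events.sort(key=lambda e: e[0])
    by_ip = defaultdict(lambda: {"failures": [], "targeted": set(),
                                 "success_after_failure": set()})
    for ts, ip, user, failed in events:
        rec = by_ip[ip]
        if failed:
            rec["failures"].append(ts)
            rec["targeted"].add(user)
        elif user in rec["targeted"]:
            # A success for an account this source already failed against.
            rec["success_after_failure"].add(user)
    report = {}
    for ip, rec in by_ip.items():
        peak = peak_in_window(rec["failures"], window)
        report[ip] = {
            "peak_failures": peak,
            "distinct_users": len(rec["targeted"]),
            "users": sorted(rec["targeted"]),
            "success_after_failure": sorted(rec["success_after_failure"]),
            "flagged": peak >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        mark = "BRUTE FORCE" if r["flagged"] else "ok"
        print(f"{ip:15} {mark:12} peak={r['peak_failures']} users={r['users']} "
              f"success_after_failure={r['success_after_failure']}")
```

The last field is the one to act on: a flagged burst of failures followed by a NEW LOGIN for one of the usernames tried is a compromised account (reset its password and check its contact address for Password Change Notifications it did not request), whereas one success after a couple of failures spread over an hour from the same source, as with the second sample IP, is usually just a user mistyping, which is why the success alone does not set the flag. cPanel's own cPHulk brute-force protection blocks sources on similar thresholds; a review like this is for seeing what got through, not a replacement for it.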


  2. cPanelMichael (Forums Analyst, Staff Member)

     Apr 11, 2011
     cPanel Access Level: Root Administrator
    Hello :)

    Are you positive it was a list of all user accounts, or is it possible the usernames were associated with cPanel services? I could not reproduce the listing of any other account usernames from the jailshell environment on a test machine.

    Thank you.
