

Compromised site issue?

Discussion in 'Security' started by MarceloKonrath, Jan 17, 2018.

  1. MarceloKonrath

    MarceloKonrath Active Member

    Joined:
    Jun 8, 2013
    Messages:
    30
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Hello

    My server is being accused of allowing hacks to brute force other servers.

    php 820334 cortona 3u IPv4 43849405 0t0 TCP xxx.xxx.xxx.xxx:53047->192.151.xxx.xxx:80 (SYN_SENT)
    php 820352 cortona 3u IPv4 43849621 0t0 TCP xxx.xxx.xxx.xxx:53059->192.151.xxx.xxx:80 (SYN_SENT)

    But aren't the doors locked?

    Any suggestion?


    Allow incoming TCP ports
    20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,26,3306

    Allow outgoing TCP ports
    20,21,22,25,37,43,53,80,110,113,443,587,873,2086,2087,2089,2703,993,465,3306

    Allow incoming UDP ports
    20,21,53,3306

    Allow outgoing UDP ports
    20,21,53,113,123,873,6277,3306

    Thank you
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,009
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Because the DST port is 80 it's allowed out. I don't recommend blocking that either, as it will cause problems.

    What you need to do is find a system administrator to examine running processes. You may be able to use things like netstat, tcpdump, or lsof, but this assumes the malicious activity is ongoing.

    Most likely clamav or maldet will also turn up your infected account(s) but it is no guarantee. But if the activity has ceased or is not constant this might be the best start.
     
    cPanelMichael likes this.
  3. MarceloKonrath

    MarceloKonrath Active Member

    Joined:
    Jun 8, 2013
    Messages:
    30
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Thank you very much for your reply

    In the meantime, I work with shared servers. There are about 5,000 hosted websites, and this means that many will still be hacked to this end.

    Your suggestion would be great if I had 1 site on the server, but not for shared servers, since hacks on sites will happen every day because security holes are discovered every day.

     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    41,516
    Likes Received:
    1,616
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You may want to consider using a third-party application if manually handling this task is outside the scope of what you can do on your own. CloudLinux offers a new product you may find useful (with a free 30-day trial):

    Imunify360 - Keeps Your Web Servers Safe

    Thank you.
     
    quizknows likes this.
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,009
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    I work in shared hosting too. Just because you see millions of inbound port 80 connections doesn't mean you can't find this from running processes. Connections OUT to port 80 are much more rare even with tons of users.

    If you cannot find this, find or hire someone who can. I don't say this to be rude.

    I really like companies like Sucuri or Site Lock if you cannot actively manage hacks yourself.
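The two points quizknows makes above (look at running processes with lsof/netstat, and outbound connections to port 80 are rare on a shared box even when inbound ones are everywhere) can be turned into a small triage script. The following is an added example, not a tool from cPanel, CloudLinux or any poster in this thread: it parses `lsof -nP -iTCP` style output, keeps only connections where this server is the client talking to a remote web port, and groups them by account and command so the one account whose PHP is doing the connecting stands out. `SAMPLE_LSOF` is constructed (RFC 5737 documentation addresses, PIDs and user name mirroring the thread's two lines), and the `min_targets` threshold in `suspicious_accounts` is a value chosen for this example.

```python
"""Added example for this thread (not a cPanel or forum-provided tool): parse
`lsof -nP -iTCP` style output and group outbound web connections by account
and process, so that on a shared server the account whose PHP is connecting
out to remote port 80 stands out from the normal inbound traffic."""
import re
from collections import defaultdict

# Constructed sample in the layout of `lsof -nP -iTCP`; addresses are RFC 5737
# documentation ranges, PIDs and user mirror the thread's example lines.
SAMPLE_LSOF = """\
COMMAND     PID    USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
httpd      1200  nobody    4u  IPv4  1000001      0t0  TCP *:80 (LISTEN)
httpd      1201  nobody   12u  IPv4  1000002      0t0  TCP 203.0.113.10:80->198.51.100.7:51022 (ESTABLISHED)
php      820334 cortona    3u  IPv4 43849405      0t0  TCP 203.0.113.10:53047->192.0.2.45:80 (SYN_SENT)
php      820352 cortona    3u  IPv4 43849621      0t0  TCP 203.0.113.10:53059->192.0.2.46:80 (SYN_SENT)
php      820360 cortona    3u  IPv4 43849700      0t0  TCP 203.0.113.10:53061->192.0.2.47:80 (SYN_SENT)
exim       2210    mail    5u  IPv4 43850000      0t0  TCP 203.0.113.10:44012->192.0.2.99:25 (ESTABLISHED)
sshd        900    root    3u  IPv4  1000003      0t0  TCP *:22 (LISTEN)
"""

# One TCP connection per line. LISTEN sockets have no "->" and are skipped on
# purpose: they are the server's own services, not something connecting out.
CONN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)"
    r"(?:\s+\S+){4}\s+TCP\s+"                       # FD, TYPE, DEVICE, SIZE/OFF
    r"(?P<laddr>\S+):(?P<lport>\d+)->(?P<raddr>\S+):(?P<rport>\d+)"
    r"\s+\((?P<state>[A-Z_]+)\)$"
)


def parse_lsof(text):
    """Return one dict per TCP connection line (header and LISTEN lines skipped)."""
    records = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("pid", "lport", "rport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def outbound_web_connections(records, web_ports=(80, 443)):
    """Keep connections where the REMOTE side is a web port and our side is an
    ephemeral port: this server acting as a client, which is exactly what the
    thread's `php ... ->x.x.x.x:80 (SYN_SENT)` lines show. Inbound hits on our
    own :80 have lport == 80 and are left out."""
    return [r for r in records if r["rport"] in web_ports and r["lport"] > 1024]


def summarize_by_account(records):
    """Group by (user, command): distinct PIDs, distinct remote targets and how
    many connects are still in SYN_SENT. A pile of half-open outbound connects
    to many hosts is the pattern of a script hammering remote servers."""
    summary = defaultdict(lambda: {"pids": set(), "targets": set(), "syn_sent": 0})
    for r in records:
        entry = summary[(r["user"], r["cmd"])]
        entry["pids"].add(r["pid"])
        entry["targets"].add(r["raddr"])
        if r["state"] == "SYN_SENT":
            entry["syn_sent"] += 1
    return dict(summary)


def suspicious_accounts(summary, min_targets=2):
    """(user, command) pairs talking to at least min_targets distinct hosts,
    most active first. min_targets is an example threshold, not a cPanel value."""
    ranked = sorted(summary.items(),
                    key=lambda kv: (len(kv[1]["targets"]), kv[1]["syn_sent"]),
                    reverse=True)
    return [key for key, e in ranked if len(e["targets"]) >= min_targets]


if __name__ == "__main__":
    import sys
    # Piped use on a live box: lsof -nP -iTCP | python3 triage.py
    text = SAMPLE_LSOF if sys.stdin.isatty() else sys.stdin.read()
    summary = summarize_by_account(outbound_web_connections(parse_lsof(text)))
    for user, cmd in suspicious_accounts(summary):
        e = summary[(user, cmd)]
        print(f"{user}/{cmd}: {len(e['pids'])} pids, {len(e['targets'])} targets, "
              f"{e['syn_sent']} SYN_SENT -> inspect this account's files and cron")
```

On the constructed sample the only account reported is cortona/php, because the httpd line is an inbound connection on our own port 80, exim is going to port 25, and the LISTEN sockets never match. As quizknows notes, this only works while the activity is ongoing; once the processes have exited, the same grouping idea has to be applied to whatever retained evidence exists (firewall logs, process accounting, or a malware scan of the account).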
     