Constant hack attempts since the 16th of Feb

eter4

Well-Known Member
Feb 16, 2002
56
0
306
So my CPanel server has been under constant attack.

Phishing sites are being reported on many of our customers sites. Once We clean up one another pops up.

Here is what has been done to harden the server.

Installed ModSecurity and recompiled Apache with the latest stable versions.
Changed to RUid
Installed CXS and ran scans to find many sites hacked and it was cleaned up.
Installed the ConfigServer Firewall script to help manage the attempts and block the repeated attacks.
Changed all reseller passwords and increased password complexity to 65
Forced all clients to change passwords.
Upgraded all scripts that were out of date using Softaculous.
No users have SSH other than root and JailShell is enabled in case.

Ran the security advisor in CPanel and made the appropriate corrections.

Still they seem to be able to get it and make changes.

I even terminated an account. Re-created it with a password of 13 random chars and just put a blank index.html page in the root and they were able to install the Dropbox script to upload files and setup a phishing site.....

I'm getting at a loss for how these are happening. I'm probably overlooking something stupid.....

Any suggestions would be greatly appreciated.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Take a look around for symlinks that may have been created prior to your switching to RUID2. If you didn't have symlink protection in place prior, an attacker could have used one site to gain access to all the DB passwords in wp-config.php and similar files.

If at all possible I would consider rolling the accounts themselves back using any available backups to a pre-compromised state. This is generally the best bet as getting everything under control now could be a daunting task depending what's going on.

Other than that... you're not using WHMCS are you? You sure your kernel is up to date?
 

eter4

Well-Known Member
Feb 16, 2002
56
0
306
Yeah I followed that document but apparently missed the checkmark in easyapache.

I'm recompiling now to clean it all up.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,883
2,256
463
Hello :)

You may want to try reviewing the domain access logs for the account that's exploited if it happens again to see if you can get a better idea of how it's happening.

Thank you.