Constant hack attempts since the 16th of Feb

eter4

Well-Known Member
Feb 16, 2002
So my cPanel server has been under constant attack.

Phishing sites are being reported on many of our customers' sites. Once we clean up one, another pops up.

Here is what has been done to harden the server.

Installed ModSecurity and recompiled Apache with the latest stable versions.
Changed to Ruid2.
Installed CXS and ran scans, which found many hacked sites; these were cleaned up.
Installed the ConfigServer Firewall script to help manage the attempts and block the repeated attacks.
Changed all reseller passwords and increased password complexity to 65.
Forced all clients to change passwords.
Upgraded all scripts that were out of date using Softaculous.
No users have SSH other than root, and JailShell is enabled just in case.

Ran the Security Advisor in cPanel and made the appropriate corrections.

Still they seem to be able to get in and make changes.

I even terminated an account, re-created it with a password of 13 random chars and just put a blank index.html page in the root, and they were still able to install the Dropbox script to upload files and set up a phishing site...

I'm at a loss for how these are happening. I'm probably overlooking something stupid...

Any suggestions would be greatly appreciated.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Take a look around for symlinks that may have been created prior to your switching to RUID2. If you didn't have symlink protection in place prior, an attacker could have used one site to gain access to all the DB passwords in wp-config.php and similar files.

If at all possible I would consider rolling the accounts themselves back, using any available backups, to a pre-compromise state. This is generally the best bet, as getting everything under control now could be a daunting task depending on what's going on.

Other than that... you're not using WHMCS are you? You sure your kernel is up to date?
 
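A defender-side check for the symlink issue quizknows raises, added here as an example (not code from the thread or from cPanel): it lists every symlink under each account's public_html whose resolved target lies outside that account's own home. It assumes the standard /home/<user>/public_html layout; the function name and the sample tree built in the test are constructed.

```shell
#!/bin/sh
# Report symlinks in each account's web root that point outside that account.
# Usage: find_cross_account_symlinks /home
find_cross_account_symlinks() {
  # canonicalise the base so resolved targets compare cleanly
  base=$(cd "$1" && pwd -P) || return 1
  for home in "$base"/*/; do
    home="${home%/}"
    # only the web root: that is where a hosted site could have planted links
    [ -d "$home/public_html" ] || continue
    find "$home/public_html" -type l 2>/dev/null | while IFS= read -r link; do
      # fully resolve the link; if the target no longer exists (dangling link),
      # fall back to the raw target string so it is still reported
      target=$(readlink -f "$link" 2>/dev/null) || target=$(readlink "$link")
      case "$target" in
        "$home"|"$home"/*) ;;                  # stays inside this account: fine
        *) printf '%s -> %s\n' "$link" "$target" ;;   # crosses into another account
      esac
    done
  done
}
```

Run it as root after switching to Ruid2 and again on a schedule; any output line names a link worth investigating together with the account that owns it.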

eter4

Well-Known Member
Feb 16, 2002
Yeah, I followed that document but apparently missed the checkmark in EasyApache.

I'm recompiling now to clean it all up.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

You may want to try reviewing the domain access logs for the exploited account if it happens again, to see if you can get a better idea of how it's happening.

Thank you.