The Community Forums


Constant hack attempts since the 16th of Feb

Discussion in 'Security' started by eter4, Feb 21, 2015.

  1. eter4

    eter4 Well-Known Member

    Joined:
    Feb 16, 2002
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
    So my cPanel server has been under constant attack.

    Phishing sites are being reported on many of our customers' sites. Once we clean up one, another pops up.

    Here is what has been done to harden the server.

    Installed ModSecurity and recompiled Apache with the latest stable versions.
    Changed to RUID
    Installed CXS and ran scans to find many sites hacked and it was cleaned up.
    Installed the ConfigServer Firewall script to help manage the attempts and block the repeated attacks.
    Changed all reseller passwords and increased password complexity to 65
    Forced all clients to change passwords.
    Upgraded all scripts that were out of date using Softaculous.
    No users have SSH other than root and JailShell is enabled in case.

    Ran the security advisor in cPanel and made the appropriate corrections.

    Still they seem to be able to get in and make changes.

    I even terminated an account, re-created it with a password of 13 random chars and just put a blank index.html page in the root, and they were able to install the Dropbox script to upload files and set up a phishing site...

    I'm at a loss for how these are happening. I'm probably overlooking something stupid...

    Any suggestions would be greatly appreciated.
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Take a look around for symlinks that may have been created prior to your switching to RUID2. If you didn't have symlink protection in place prior, an attacker could have used one site to gain access to all the DB passwords in wp-config.php and similar files.

    If at all possible I would consider rolling the accounts themselves back using any available backups to a pre-compromised state. This is generally the best bet, as getting everything under control now could be a daunting task depending on what's going on.

    Other than that... you're not using WHMCS are you? You sure your kernel is up to date?
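    A check for the symlink issue described above, as an added example that is not part of this thread: it walks each account directory under a home root and reports any symlink whose target resolves outside that account's own home tree, which is what a cross-account link to another site's wp-config.php looks like on disk. The account names, file names and temporary-directory layout are constructed for the demo and are not the poster's data.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(home_root):
    """Walk every account directory directly under home_root (e.g. /home) and
    return a list of (link_path, target) for each symlink whose target does not
    stay inside that same account's home tree.  Dangling or unresolvable links
    are reported too, since a defender wants to look at those as well."""
    home_root = Path(home_root).resolve()
    findings = []
    accounts = sorted(p for p in home_root.iterdir()
                      if p.is_dir() and not p.is_symlink())
    for account_home in accounts:
        # followlinks defaults to False, so a symlinked directory is listed
        # in dirnames but never descended into (no loops, no double counting).
        for dirpath, dirnames, filenames in os.walk(account_home):
            for name in dirnames + filenames:
                entry = Path(dirpath) / name
                if not entry.is_symlink():
                    continue
                try:
                    target = entry.resolve(strict=False)
                except (OSError, RuntimeError):
                    target = Path(os.readlink(entry))
                try:
                    target.relative_to(account_home)   # inside own home: fine
                except ValueError:
                    findings.append((str(entry), str(target)))
    return findings


def build_demo_tree(root):
    """Constructed sample layout, not real data: two cPanel-style accounts.
    'alice' owns a wp-config.php; 'mallory' contains one symlink that points at
    it (the kind of cross-account link the post warns about) and one harmless
    symlink that stays inside mallory's own home."""
    root = Path(root)
    alice = root / "alice" / "public_html"
    mallory = root / "mallory" / "public_html"
    alice.mkdir(parents=True)
    mallory.mkdir(parents=True)
    (alice / "wp-config.php").write_text("<?php // constructed sample\n")
    (mallory / "index.html").write_text("<html></html>\n")
    os.symlink(alice / "wp-config.php", mallory / "config.txt")  # escapes
    os.symlink(mallory / "index.html", mallory / "home.html")    # stays home
    return root


def run_demo():
    """Build the sample tree in a temp dir and return what the scan finds."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_escaping_symlinks(tmp)


if __name__ == "__main__":
    for link, target in run_demo():
        print(f"{link} -> {target}")
```

    On a real server you would call find_escaping_symlinks("/home") as root; anything it prints deserves a look before the account is considered clean, because a link of that shape predates whatever RUID2 now prevents.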
     
  3. eter4

    eter4 Well-Known Member

    Joined:
    Feb 16, 2002
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
    Yeah I followed that document but apparently missed the checkmark in easyapache.

    I'm recompiling now to clean it all up.
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
  5. eter4

    eter4 Well-Known Member

    Joined:
    Feb 16, 2002
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    6
  6. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    I would suggest you install Linux Malware Detect on your server and scan all your accounts with LMD.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You may want to try reviewing the domain access logs for the account that's exploited if it happens again to see if you can get a better idea of how it's happening.

    Thank you.
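    One way to do the log review suggested above, as an added example that is not from the thread: given an account's domain access log and the set of paths the site is supposed to serve (the rebuilt account in the first post had only a blank index.html), it lists every successful request for anything else, which shows when a planted file first answered and from which address, and counts POST requests per client IP. The log lines, IP addresses and file names are constructed samples in Apache combined format, not data from the poster's server.

```python
import re
from collections import Counter

# Apache "combined" format, as written to cPanel's per-domain access logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def review_access_log(lines, expected_paths):
    """Return (unexpected_hits, posts_by_ip).

    unexpected_hits: successful (2xx) requests for paths the site should not
        be serving, in log order, as (timestamp, ip, method, path); the first
        entry is the earliest moment a planted file answered a request.
    posts_by_ip: Counter of POST requests per client IP, any status, which
        surfaces upload and login activity against the account."""
    unexpected = []
    posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            posts[rec["ip"]] += 1
        if 200 <= rec["status"] < 300 and rec["path"] not in expected_paths:
            unexpected.append((rec["ts"], rec["ip"], rec["method"], rec["path"]))
    return unexpected, posts


# Constructed sample log for an account that should only serve a blank
# index.html.  IPs are from documentation ranges; the file names are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Feb/2015:03:12:01 -0500] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Feb/2015:03:12:05 -0500] "GET /index.html HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Feb/2015:03:14:40 -0500] "POST /wp-login.php HTTP/1.1" 404 210 "-" "curl/7.38.0"
198.51.100.23 - - [17/Feb/2015:03:15:02 -0500] "POST /up.php HTTP/1.1" 200 44 "-" "curl/7.38.0"
198.51.100.23 - - [17/Feb/2015:03:15:09 -0500] "POST /up.php HTTP/1.1" 200 44 "-" "curl/7.38.0"
192.0.2.55 - - [17/Feb/2015:03:40:13 -0500] "GET /dropbox/login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not in log format and is skipped
"""

EXPECTED_PATHS = {"/", "/index.html"}


def run_demo():
    """Review the constructed sample against the paths the site should serve."""
    return review_access_log(SAMPLE_LOG.splitlines(), EXPECTED_PATHS)


if __name__ == "__main__":
    hits, posts = run_demo()
    for ts, ip, method, path in hits:
        print(ts, ip, method, path)
    print("POSTs per IP:", dict(posts))
```

    The timestamp of the first unexpected hit is the useful output: the file it names was already on disk by then, so the FTP, cPanel and webmail logs around that time tell you how it got there, and the source IP gives you something to correlate across the other affected accounts.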
     
  8. shojib

    shojib Member

    Joined:
    Mar 31, 2014
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Sylhet, Bangladesh
    cPanel Access Level:
    Root Administrator
    Go to WHM > Tweak Settings > Enable EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell.
    Otherwise your RUID2 will have no effect.
    Also you can try symlink race condition protection.

    And also, you can use Linux Malware Detect to clean up malware.

    Cheers,
    Shahriar
     