Continual non valid log ins

Discussion in 'Security' started by Laura Jarbeau, Jul 23, 2017.

  1. Laura Jarbeau

    Laura Jarbeau Registered

    Joined:
    Jul 23, 2017
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    United States
    cPanel Access Level:
    Reseller Owner
    Background: Created many websites for dog breeders nearly 12 years ago and began reselling hosting with NO ISSUES until this past year. These dog breeders were all friends; I have no outside clients. Now host 60 sites for "friends", all minor websites with basic HTML, with only 3-5 hosting any WP script or other Softaculous script. Scripts are kept up to date.

    After 12 years with the same host as a reseller - I began having issues with new files being added for phishing websites

    I have scanned local computers with Norton and Malwarebytes repeatedly
    I've changed client passwords and host passwords

    Assuming it was a server side issue - I moved hosts, I'm still having issues

    I have set all accounts to FORCE PASSWORD CHANGE via WHM

    The password modifications come for ALL accounts whether html sites or WP sites

    I've blocked MANY IP addresses, new IPs invade daily

    Password Change Notifications read like this generally


    You have successfully updated your password for the following services:

    • ftp
    • mail
    • MySQL
    • postgresql
    • system
    • webdisk (digest)
    If you initiated this change, disregard this email. If you did not initiate this change, contact your system administrator.

    This notice is the result of a request made by a computer with the IP address of “105.105.54.231” through the “cpanel” service on the server.

    The remote computer’s location appears to be: Algeria (DZ).

    The remote computer’s IP address is assigned to the provider: “ADSL BATNA Algerie Telecom”

    The remote computer’s network link type appears to be: “generic tunnel or VPN”.

    The remote computer’s operating system appears to be: “Windows” with version “7 or 8”.

    The system generated this notice on Sunday, July 23, 2017 at 8:18:29 AM UTC.


    I have exhausted everything my host has suggested I do - including setting up Cloudflare

    Does anyone have any guidance for a green reseller?
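
Added example, not part of the original posts and not cPanel code: a Python script that parses password-change notices in the wording quoted above and flags those requested from outside an expected set of countries or over a tunnel/VPN link, tallying the source IPs and the service each request came through. The function names, the `expected_cc` parameter and the second sample notice are assumptions made for illustration.

```python
import re
from collections import Counter

# Patterns follow the notice wording quoted in the post above (curly quotes included).
FIELDS = {
    "ip": r"IP address of “([^”]+)”",
    "via": r"through the “([^”]+)” service",
    "country": r"location appears to be: (.+?) \(",
    "cc": r"location appears to be: .+? \((\w{2})\)",
    "link": r"link type appears to be: “([^”]+)”",
    "when": r"generated this notice on (.+?)\.\s*$",
}

def parse_notice(body):
    """Pull the request metadata and the list of changed services out of one notice."""
    rec = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, body, re.MULTILINE)
        rec[key] = m.group(1) if m else None
    rec["services"] = re.findall(r"^\s*•\s*(.+?)\s*$", body, re.MULTILINE)
    return rec

def triage(bodies, expected_cc):
    """Flag notices from outside the expected countries or over a tunnel/VPN link."""
    recs = [parse_notice(b) for b in bodies]
    flagged = [r for r in recs
               if r["cc"] not in expected_cc or "VPN" in (r["link"] or "")]
    return {"flagged": flagged, "by_ip": Counter(r["ip"] for r in flagged),
            "by_via": Counter(r["via"] for r in flagged)}

# Constructed samples: first reuses the values quoted in the post, second is invented.
TEMPLATE = """You have successfully updated your password for the following services:
• ftp
• mail
• system
This notice is the result of a request made by a computer with the IP address of “{ip}” through the “{via}” service on the server.
The remote computer’s location appears to be: {country} ({cc}).
The remote computer’s network link type appears to be: “{link}”.
The system generated this notice on {when}.
"""
SAMPLES = [
    TEMPLATE.format(ip="105.105.54.231", via="cpanel", country="Algeria", cc="DZ",
                    link="generic tunnel or VPN", when="Sunday, July 23, 2017 at 8:18:29 AM UTC"),
    TEMPLATE.format(ip="203.0.113.10", via="cpanel", country="United States", cc="US",
                    link="Ethernet or modem", when="Monday, July 24, 2017 at 2:00:00 PM UTC"),
]
if __name__ == "__main__":
    for r in triage(SAMPLES, expected_cc={"US"})["flagged"]:
        print(r["when"], r["ip"], r["cc"], r["via"], r["link"], r["services"])
```

The `via` tally shows which login surface the change request came through, which is the field to hand to the hosting provider along with the timestamps.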
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,419
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  3. Laura Jarbeau

    Thank you
    Not all sites that are attacked are WordPress sites

    Would the sites with WordPress allow access to non-WordPress?
     
  4. cPanelMichael

    Hello,

    It's not likely, but it's difficult to know for sure without root access to the server to review the Apache access logs. I recommend reaching out to your hosting provider to see if there's any more information they can provide you regarding the attack.

    Thank you.
     