The Community Forums


Cpanel Account Hacked

Discussion in 'Security' started by Svemir, Feb 15, 2016.

  1. Svemir

    Svemir Registered

    Got this mail today. First time I see something like this. I have a server with multiple cPanel accounts. Attached backup log. What happened here?? Changed the domain name to xxxxx.
    Can someone shed some light here? Thanks!
    Code:
    A full backup has completed and is available for download.
    You can access a list of locally-stored backups via cPanel’s “Backups” interface:
    cPanel > Backup > Download a Full Website Backup
    
    The backup file is named “backup-2.15.2016_07-27-20_xxxx.tar.gz”
    The server saved the backup file in the “/home/username/” directory.
    The raw log file is attached to this email.
    
    This notice is the result of a request made by a computer with the IP address of “XXXXXXXX” through the “fullbackup” service on the server.
    The remote computer’s location appears to be: Pakistan (PK).
    The remote computer’s IP address is assigned to the provider: “”
    The provider supplied the following remarks about the IP address allocation: “-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ To report network abuse, please contact the IRT For troubleshooting, please contact tech-c and admin-c For assistance, please contact the APNIC Helpdesk -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+”
    The remote computer’s network link type appears to be: “generic tunnel or VPN”.
    The remote computer’s operating system appears to be: “Windows” with version “7 or 8”.
    This notice was generated “Monday, February 15, 2016 1:36:28 PM UTC”.
    You can disable the “Backup Failure” type of notification through the cPanel interface:
    
    Do not reply to this automated message.
    -------------------------------------------------------------------------
     

    #1 Svemir, Feb 15, 2016
    Last edited by a moderator: Feb 15, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Could you elaborate on why this suggests a hacked account? It shows the user generated a backup archive through cPanel. Is that an unrecognized IP address accessing that account?

    Thank you.
     
  3. Svemir

    Svemir Registered

    Yes. It's an IP from Pakistan and our server is located in USA. Accessed only from USA and Serbia. Somehow, someone managed to run the backup...
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You should consider changing the password to that account, and reviewing /usr/local/cpanel/logs/access_log to see how long ago the first login attempt was made from an unknown IP address. If the backup of the account was generated, it's a good idea to change all passwords associated with the account (email, FTP, databases) and to review the file structure to verify that all files uploaded to the account are legitimate.

    Thank you.
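As an added example (not part of this thread and not cPanel's own tooling), the script below does the log review suggested above: it parses Apache-style lines like those in /usr/local/cpanel/logs/access_log and, for every address outside an assumed allowlist of the admin's usual IPs, reports when it was first seen, which cPanel users it acted as, and how many backup-related requests it made. The line format is assumed and the sample lines are constructed.

```python
import re
from datetime import datetime

# Assumed layout of /usr/local/cpanel/logs/access_log lines:
# IP - user [MM/DD/YYYY:HH:MM:SS zone] "METHOD path HTTP/x" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IPs), not a real server's log.
SAMPLE_LOG = """\
198.51.100.10 - svemir [02/14/2016:09:12:01 -0000] "GET /cpsess0000000001/frontend/paper_lantern/index.html HTTP/1.1" 200 0 "" "Mozilla/5.0"
203.0.113.77 - svemir [02/15/2016:13:31:05 -0000] "POST /login/ HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.77 - svemir [02/15/2016:13:36:28 -0000] "GET /cpsess0000000002/frontend/paper_lantern/backup/wizard-fullbackup.html HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1)"
"""

# Assumed allowlist: addresses the administrator normally logs in from.
KNOWN_IPS = {"198.51.100.10"}


def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y:%H:%M:%S %z")
    return rec


def first_seen_unknown(log_text, known_ips):
    """Map each IP not in known_ips to its earliest timestamp, the users it acted as,
    and the number of requests whose path mentions 'backup'."""
    result = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] in known_ips:
            continue
        entry = result.setdefault(rec["ip"], {"first_seen": rec["ts"], "users": set(), "backup_hits": 0})
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["users"].add(rec["user"])
        if "backup" in rec["req"].lower():
            entry["backup_hits"] += 1
    return result


if __name__ == "__main__":
    # On a live server, replace SAMPLE_LOG with open("/usr/local/cpanel/logs/access_log").read()
    for ip, info in first_seen_unknown(SAMPLE_LOG, KNOWN_IPS).items():
        print(ip, info["first_seen"].isoformat(), sorted(info["users"]), info["backup_hits"])
```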
     