markjohnson

Member
Apr 23, 2009
21
0
51
I thought cPanel was secure, but I guess I was wrong.

Suddenly, I find out that several of the user accounts have been hacked into, where index.php has either been overwritten or index.html has been placed, along with other malicious scripts...

Currently, load avg is sky high due to lots of exim procs. God knows what's running them all.

How do I go about finding out how it happened and securing the server?
 

PlatinumServerM

Well-Known Member
PartnerNOC
Jul 10, 2005
400
3
168
New Jersey, USA
cPanel Access Level
Root Administrator
The problem is not with cPanel. Hacks can occur from many different angles (insecure scripts, weak passwords, etc.). You have to check how it occurred by reviewing the logs and then implement security features on your server (modsecurity, firewall, etc.).
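The log review PlatinumServerM recommends usually starts with two questions: which account docroots had their index.php / index.html rewritten, and which web request landed on that site just before the rewrite. The following Python triage script, added here as an illustration and not part of the thread or of cPanel's tooling, walks a /home/<user>/public_html tree for recently modified index files and then pulls the successful POST/PUT requests from that site's Apache access log in the half hour before each rewrite. The directory tree, account names, IP addresses and log lines in build_demo() are constructed for the demonstration.

```python
"""Defacement triage: find recently rewritten index files per account and the
successful POST/PUT requests that preceded each rewrite.  The /home tree and
the access-log lines in build_demo() are constructed for this example; the
/home/<user>/public_html layout mirrors a cPanel box but none of this is
cPanel's own code."""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

INDEX_NAMES = {"index.php", "index.html"}

# Apache combined-log prefix: client, timestamp, request line, status code.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_apache_time(stamp):
    """'23/Apr/2009:03:14:07 +0000' -> timezone-aware datetime."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def modified_index_files(home_root, since):
    """Return (account, path relative to docroot, mtime) for every index file
    under <home_root>/*/public_html whose mtime is at or after `since`."""
    hits = []
    for account_dir in sorted(Path(home_root).iterdir()):
        docroot = account_dir / "public_html"
        if not docroot.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(docroot):
            for name in files:
                if name not in INDEX_NAMES:
                    continue
                path = Path(dirpath) / name
                mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
                if mtime >= since:
                    hits.append((account_dir.name, str(path.relative_to(docroot)), mtime))
    return hits


def preceding_writes(log_lines, mtime, window=timedelta(minutes=30)):
    """Successful (2xx/3xx) POST/PUT requests logged in the `window` before
    `mtime`: the candidates for the request that wrote the file.  GETs and
    rejected requests are skipped so the list stays short enough to read."""
    candidates = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        when = parse_apache_time(m["ts"])
        if (m["method"] in ("POST", "PUT") and m["status"][0] in "23"
                and mtime - window <= when <= mtime):
            candidates.append((m["ip"], m["method"], m["path"], m["status"]))
    return candidates


def _touch(path, when):
    """Create a placeholder file and pin its mtime to `when`."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("placeholder\n")
    os.utime(path, (when.timestamp(), when.timestamp()))


def build_demo():
    """Constructed /home tree: 'alice' rewritten 23 Apr 2009 03:20 UTC, 'bob'
    untouched since 1 Apr; plus constructed access-log lines for alice's site."""
    home = Path(tempfile.mkdtemp(prefix="home_"))
    utc = timezone.utc
    _touch(home / "alice" / "public_html" / "index.php", datetime(2009, 4, 23, 3, 20, tzinfo=utc))
    _touch(home / "bob" / "public_html" / "index.html", datetime(2009, 4, 1, 12, 0, tzinfo=utc))
    log_lines = [  # constructed; documentation-range IPs
        '203.0.113.7 - - [23/Apr/2009:01:00:00 +0000] "POST /contact.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
        '198.51.100.20 - - [23/Apr/2009:02:55:00 +0000] "GET /index.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"',
        '192.0.2.5 - - [23/Apr/2009:03:10:00 +0000] "POST /login.php HTTP/1.1" 403 210 "-" "curl/7.19"',
        '203.0.113.7 - - [23/Apr/2009:03:14:07 +0000] "POST /includes/up.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    ]
    return home, log_lines


def run_demo():
    """Tie the two steps together: modified files, then the writes before each."""
    home, log_lines = build_demo()
    since = datetime(2009, 4, 22, tzinfo=timezone.utc)
    modified = modified_index_files(home, since)
    report = {}
    for account, rel, mtime in modified:
        # On a real box, feed the per-domain Apache log for this account here.
        report[(account, rel)] = preceding_writes(log_lines, mtime)
    return modified, report


if __name__ == "__main__":
    for (account, rel), cands in run_demo()[1].items():
        print(account, rel, "->", cands)
```

The output points at the request worth reading in full (client IP, script path, payload size), which is the natural next step before deciding which script to remove and which IP to block. Widening the time window or adding GET requests with query strings covers the case where the write came through an existing vulnerable script rather than a fresh upload.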
 

markjohnson

Member
Apr 23, 2009
21
0
51
The problem is, I am trying to block certain IP addresses by adding them to host access block, but it doesn't seem to be working either.
 

Eric

Well-Known Member
Nov 25, 2007
752
12
143
Texas
cPanel Access Level
Root Administrator
Just some friendly advice. Stop the mail server (exim) and start purging the queue. Whoever hacked it likely stocked it full of junk. You'll likely get blacklisted for sending all that garbage to boot.

As soon as you get the system under control put a stock exim configuration in place and start doing some security forensics. Determine the depth of the compromise, aka did they get root? Determine the state of your backups and act accordingly.
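Purging the queue goes faster, and the forensics Eric describes start sooner, if you first know which account is feeding exim. The script below is an added example, not part of the thread and not exim's or cPanel's own code. It summarises exim mainlog lines by the local user (U=) that handed each message in and by the directory (cwd=) the submitting script ran from, then lists that user's message ids for removal. The log lines, user names and message ids are constructed; their shape follows exim's "<=" arrival records and the "cwd= ... args:" records written when exim logs submission arguments, but treat the exact field layout as an assumption and check it against your own /var/log/exim_mainlog.

```python
"""Which account is feeding the exim queue?  Summarise constructed exim
mainlog lines (shape modelled on exim's '<=' arrival records and the
'cwd= ... args:' records for locally submitted mail) per user and per
submitting directory, then list that user's message ids for removal.
Sample lines, users and ids are constructed; not exim's or cPanel's code."""
import re
from collections import Counter, defaultdict

ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$"
)
CWD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$"
)
# U= local user, P= protocol (local = handed in by a process on the box),
# A= authenticator for SMTP submissions.
FIELD_RE = re.compile(r"\b(?P<key>[UPA])=(?P<val>\S+)")

# Constructed sample: five messages injected by a script under alice's docroot
# via sendmail, one legitimate authenticated submission from bob.
SAMPLE_MAINLOG = [
    "2009-04-23 03:25:10 cwd=/home/alice/public_html/includes 3 args: /usr/sbin/sendmail -t -i",
    '2009-04-23 03:25:10 1Lwo1A-0002Fd-1a <= alice@example.com U=alice P=local S=1842 T="Re: your account" for one@example.net',
    "2009-04-23 03:25:11 cwd=/home/alice/public_html/includes 3 args: /usr/sbin/sendmail -t -i",
    '2009-04-23 03:25:11 1Lwo1B-0002Fg-2b <= alice@example.com U=alice P=local S=1842 T="Re: your account" for two@example.net',
    "2009-04-23 03:25:11 cwd=/home/alice/public_html/includes 3 args: /usr/sbin/sendmail -t -i",
    '2009-04-23 03:25:11 1Lwo1B-0002Fk-3c <= alice@example.com U=alice P=local S=1842 T="Re: your account" for three@example.net',
    "2009-04-23 03:25:12 cwd=/home/alice/public_html/includes 3 args: /usr/sbin/sendmail -t -i",
    '2009-04-23 03:25:12 1Lwo1C-0002Fp-4d <= alice@example.com U=alice P=local S=1842 T="Re: your account" for four@example.net',
    "2009-04-23 03:25:12 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i",
    '2009-04-23 03:25:12 1Lwo1C-0002Ft-5e <= alice@example.com U=alice P=local S=1842 T="Re: your account" for five@example.net',
    '2009-04-23 03:26:02 1Lwo22-0002Gq-7x <= bob@example.com H=(client) [198.51.100.9] P=esmtpa A=dovecot_login:bob@example.com S=910 for friend@example.org',
]


def summarise_mainlog(lines):
    """Count arrivals per submitting identity and per cwd, and keep the
    message ids each identity injected so the noisiest source stands out."""
    by_user = Counter()
    by_cwd = Counter()
    ids_for_user = defaultdict(list)
    for line in lines:
        m = CWD_RE.match(line)
        if m:
            by_cwd[m["cwd"]] += 1
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m["rest"]))
        # Local submissions carry U=<user>; SMTP submissions carry A=<auth>.
        user = fields.get("U") or fields.get("A", "unknown")
        by_user[user] += 1
        ids_for_user[user].append(m["id"])
    return {"by_user": by_user, "by_cwd": by_cwd, "ids_for_user": dict(ids_for_user)}


def purge_candidates(summary, user):
    """Sorted message ids injected by `user`, ready to hand to `exim -Mrm`."""
    return sorted(summary["ids_for_user"].get(user, []))


def purge_command(summary, user):
    """The removal command for `user`'s messages, or None if there are none."""
    ids = purge_candidates(summary, user)
    return "exim -Mrm " + " ".join(ids) if ids else None


if __name__ == "__main__":
    s = summarise_mainlog(SAMPLE_MAINLOG)
    print("arrivals by user:", s["by_user"].most_common())
    print("arrivals by cwd :", s["by_cwd"].most_common())
    print(purge_command(s, s["by_user"].most_common(1)[0][0]))
```

With exim stopped as Eric advises, `exim -bp` lists what is still queued and `exim -Mrm` removes the ids this script names; the cwd count tells you which directory to go read next, which is where the forensics on "how deep did they get" begin. Only messages still on the queue can be removed, so the ids taken from mainlog will include some that have already gone out.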
 

SB-Nick

Well-Known Member
Aug 26, 2008
175
9
68
cPanel Access Level
Root Administrator
You should change all your accounts' FTP passwords and cPanel account passwords and/or contact a Security Advisor to perform a Security Audit.