The Community Forums


CPanel hacked

Discussion in 'General Discussion' started by markjohnson, May 18, 2009.

  1. markjohnson

    markjohnson Member

    I thought cPanel was secure, but I guess I was wrong.

    Suddenly, I find out that several of the user accounts have been hacked into, where index.php has either been overwritten, or index.html has been placed, along with other malicious scripts...

    Currently, load avg is sky high due to lots of exim procs. God knows what's running them all.

    How do I go about finding out how it happened and securing the server?
     
  2. PlatinumServerM

    PlatinumServerM Well-Known Member
    PartnerNOC

    The problem is not with cPanel. Hacks can occur from many different angles (insecure scripts, weak passwords, etc.). You have to check how it occurred by reviewing the logs and then implement security features on your server (ModSecurity, firewall, etc.).
     
  3. jhyland87

    jhyland87 Well-Known Member

    Maybe... they got root access or something. I doubt it was a cPanel hack.
     
  4. markjohnson

    markjohnson Member

    The problem is, I am trying to block certain IP addresses by adding them to host access block, but it doesn't seem to be working either.
     
  5. Eric

    Eric Administrator
    Staff Member

    Just some friendly advice. Stop the mail server (exim) and start purging the queue. Whoever hacked it likely stocked it full of junk. You'll likely get blacklisted for sending all that garbage to boot.

    As soon as you get the system under control, put a stock exim configuration in place and start doing some security forensics. Determine the depth of the compromise, aka did they get root? Determine the state of your backups and act accordingly.
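
A triage sketch for the two symptoms reported in this thread (a flooded exim queue and replaced index.php / index.html files), added here as an example and not posted by any participant. It assumes the usual `exim -bp` listing layout and account homes under `/home`; the queue listing embedded in it is constructed sample data.

```shell
#!/usr/bin/env bash
# Triage helpers (added example). The sample data below is constructed.

# Tally queued messages per envelope sender from `exim -bp` output on stdin.
queue_senders() {
  awk '
    # Entry header: age, size, message-id, <sender> [*** frozen ***]
    $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && $4 ~ /^<.*>$/ {
      s = ($4 == "<>") ? "<> (bounce)" : substr($4, 2, length($4) - 2)
      n[s]++
    }
    END { for (s in n) printf "%d %s\n", n[s], s }
  ' | sort -rn
}

# List index.php / index.html files modified in the last N days.
# $1 = directory holding the account homes (assumed /home), $2 = days
changed_index_files() {
  find "$1" -mindepth 2 -type f \( -name index.php -o -name index.html \) \
    -mtime "-$2" 2>/dev/null | sort
}

# Constructed queue listing in `exim -bp` layout.
sample_queue() { cat <<'EOF'
 3h  1.2K 1M6aBc-0001Xy-Qz <nobody@server.example.com>
          victim1@example.net

 3h  1.2K 1M6aBd-0001Xz-R1 <nobody@server.example.com>
          victim2@example.net

 2h  4.0K 1M6aCe-0002Ab-S2 <>
          user@example.org

 1h  1.1K 1M6aDf-0002Bc-T3 <nobody@server.example.com> *** frozen ***
          victim3@example.net

 5m  2.3K 1M6aEg-0002Cd-U4 <alice@example.com>
          bob@example.org
EOF
}

# Demo on the constructed listing; on a live server use instead:
#   exim -bp | queue_senders
#   changed_index_files /home 7
sample_queue | queue_senders
```

A sender that dominates the tally points at the account or script generating the mail, and the file list shows which accounts to examine first in the web and FTP logs.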
     
  6. SB-Nick

    SB-Nick Well-Known Member

    You should change all your accounts' FTP passwords and cPanel account passwords and/or contact a Security Advisor to perform a Security Audit.
     