helmers99

Registered
Nov 6, 2004
help

WHM 10.8.0 cPanel 10.9.0-C56

This is what it says at the top of WHM admin. Does that mean it's current?
 

adept2003

Well-Known Member
Aug 11, 2003
~ "/(extra|special)/data"
It is the latest current release that you're running. Actually, the latest update addressed an exploit that I believe can only be implemented by a user on your server, so it's unlikely that you were hacked via a cPanel exploit.

More likely is that you're running a vulnerable PHP script (old version of php nuke or phpbb perhaps?)

Whatever software you have running on your website, just make sure that it's patched with the latest updates available.
 

blakeh

Registered
Nov 5, 2006
My server got hacked, same thing, Saturday afternoon. All index pages replaced and redirecting to an iframe on ahleen.info.

I had the latest cPanel update installed. Folks over at HostGator are working on it. Don't know how they got in.

bh
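
An added example, not part of any post in this thread: one way to list which index pages under a document root carry an iframe pointing off-site, the symptom described in the post above. The function names, the `.example` host names and the sample pages are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# <iframe ... src=...> with double, single or no quotes around the URL.
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
# File names commonly served as a directory index.
INDEX_NAME = re.compile(r"^(index|default)\.(html?|shtml|php\d?)$", re.I)

def offsite_iframe_hosts(html, own_hosts):
    """Return hosts of iframes in html that point outside own_hosts."""
    hosts = []
    for src in IFRAME_SRC.findall(html):
        host = (urlparse(src).hostname or "").lower()  # "" for relative URLs
        if host and not any(host == o or host.endswith("." + o) for o in own_hosts):
            hosts.append(host)
    return hosts

def scan_docroot(docroot, own_hosts):
    """Walk docroot and return sorted (relative path, off-site host) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in filter(INDEX_NAME.match, files):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for host in offsite_iframe_hosts(fh.read(), own_hosts):
                    findings.append((os.path.relpath(path, docroot), host))
    return sorted(findings)

def demo():
    """Scan a constructed docroot: one clean index page, one defaced one."""
    samples = {  # constructed sample pages, not taken from a real site
        "index.html": '<h1>Home</h1><iframe src="/banner.html"></iframe>',
        "shop/index.php": "<IFRAME SRC=http://injected.example/x width=0></IFRAME>",
        "notes.txt": '<iframe src="http://ignored.example/"></iframe>',
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "shop"))
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_docroot(root, ["customer-site.example"])

if __name__ == "__main__":
    print(demo())
```

Only the index page with the off-site frame is reported; the same-site `/banner.html` frame and the non-index file are skipped.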
 

david.roman

Member
PartnerNOC
Jan 16, 2006
Same Here

We have one machine hacked too,
WHM 10.8.0 cPanel 10.9.0-C31
RedHat Enterprise 4 i686 - WHM X v3.1.0

In our logs we see the attacker has logged in through pure-ftpd, downloading and uploading the index files with the cPanel users.

Regards
 

blakeh

Registered
Nov 5, 2006
Not sure what kernel we were on.

Seems our attacker got the spamd user shell access and logged in that way, but somehow found out the root pw and ssh port.
 

xerophyte

Well-Known Member
Mar 16, 2003
Canada
Best way is to restore the server and restore the public_html files from the backup:

1) Restore the system with a fresh OS
2) Secure the server after the restore
3) Restore all the user data from the old drive
4) Restore all the hacked index files
5) Keep updating the server from old software

Hope that helps
 

blakeh

Registered
Nov 5, 2006
Where does the info for the various DNS zones get stored or backed up?

HostGator reloaded my box and restored the cPanel backups, but all my DNS zones have been reset and my customers are going bananas.

bh
 

Gary O

Registered
Nov 8, 2005
I have the same problem today.

Funny, I updated cPanel 2 days ago.

All pages forward to that page in the first post. Now I could not get to any page at all. I did a reboot and then all pages went down. I cannot get to any of them; it gives me:

The page cannot be displayed

I went through shell and cannot find anything at all now. But it still will not load for me. I forced a cPanel update via shell now too.

I make sure cPanel is updated all the time.

All files are there. Nothing else was touched.

And all scripts on the server are up to date.

Any help will be great, thanks
 

Gary O

Registered
Nov 8, 2005
Got an update.

HTTPD is not running and will not reboot. This is why the sites are not showing, duh Gary.

So I am now forcing a system reboot. I will see if this fixes it.
 

HelloAdam

Well-Known Member
Nov 6, 2005
Hey,

Well, as the post above says, you will want to reload the OS on the server. I hope you had account backups before you got hacked. If not, then it's useless backing them up now.

From,
Adam