cpanel hacked

Discussion in 'General Discussion' started by helmers99, Nov 5, 2006.

  1. helmers99

    helmers99 Registered

    My cPanel has been hacked and they replaced the index pages on my server, including the cPanels themselves. It was done by http://www.sibersavascilar.com/

    cPanel <= 10.8.x cpwrap root exploit via mysqladmin is how they do it.

    What can be done?
     

  2. adept2003

    adept2003 Well-Known Member

    I believe the exploit was fixed in 10.9.0 (build CURRENT) - 56 Tree

    You should upgrade to the latest Current/Release/Stable tree of cPanel to prevent any further issues.
     
  3. helmers99

    helmers99 Registered

    help

    WHM 10.8.0 cPanel 10.9.0-C56

    This is what it says at the top of WHM admin. Does that mean it's current?
     
  4. adept2003

    adept2003 Well-Known Member

    It is the latest current release that you're running. Actually, the latest update addressed an exploit that I believe can only be implemented by a user on your server, so it's unlikely that you were hacked via a cPanel exploit.

    More likely is that you're running a vulnerable PHP script (old version of PHP-Nuke or phpBB perhaps?)

    Whatever software you have running on your website, just make sure that it's patched with the latest updates available.
     
  5. merlinpa1969

    merlinpa1969 Well-Known Member

    Invision Power Board has an issue too,
    it's also old,
    SQL injection,

    got one of our customers the other day
     
  6. blakeh

    blakeh Registered

    My server got hacked, same thing, Saturday afternoon. All index pages replaced and redirecting to an iframe on ahleen.info.

    I had the latest cpanel update installed. Folks over at hostgator are working on it. Don't know how they got in.

    bh
     
  7. DigitalN

    DigitalN Well-Known Member

    What version of kernels were you running?
     
  8. david.roman

    david.roman Member
    PartnerNOC

    Same Here

    We have one machine hacked too,
    WHM 10.8.0 cPanel 10.9.0-C31
    RedHat Enterprise 4 i686 - WHM X v3.1.0

    In our logs we see the attacker has logged in through pure-ftpd, downloading and uploading the index files with the cPanel users.

    Regards
     
    #8 david.roman, Nov 6, 2006
    Last edited: Nov 6, 2006
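
An added example, not part of the thread or of any poster's tooling: one way to look for the pattern described in post #8, a single FTP client uploading index files under several cPanel accounts. It assumes the FTP server writes transfer records in the common xferlog format; the log lines, addresses and account names are constructed.

```python
import os
from collections import defaultdict

# Constructed sample records in xferlog format (assumption: the FTP server
# logs in this format; hosts and account names are made up).
SAMPLE_LOG = """\
Sun Nov  5 14:02:11 2006 1 203.0.113.45 4312 /home/alice/public_html/index.html b _ o r alice ftp 1 * c
Sun Nov  5 14:02:14 2006 1 203.0.113.45 812 /home/alice/public_html/index.html b _ i r alice ftp 1 * c
Sun Nov  5 14:02:20 2006 1 203.0.113.45 812 /home/bob/public_html/index.php b _ i r bob ftp 1 * c
Sun Nov  5 14:02:27 2006 1 203.0.113.45 812 /home/carol/public_html/forum/index.htm b _ i r carol ftp 1 * c
Sun Nov  5 15:40:03 2006 2 198.51.100.7 20480 /home/dave/public_html/index.html b _ i r dave ftp 1 * c
Sun Nov  5 15:41:10 2006 3 198.51.100.7 90211 /home/dave/public_html/img/logo.png b _ i r dave ftp 1 * c
"""

def parse_xferlog_line(line):
    """Return a dict for one xferlog record, or None if it is malformed."""
    tok = line.split()
    # 5 date tokens + transfer time, host, size + filename + 9 trailing fields
    if len(tok) < 18:
        return None
    tail = tok[-9:]  # parse from the right so filenames with spaces survive
    return {
        "time": " ".join(tok[0:5]),
        "host": tok[6],
        "path": " ".join(tok[8:-9]),
        "direction": tail[2],       # "i" = upload, "o" = download
        "user": tail[4],
        "complete": tail[8] == "c",
    }

def index_uploads_by_host(log_text, min_accounts=2):
    """Map each source host to the accounts it uploaded index.* files as,
    keeping only hosts that touched at least min_accounts accounts."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None or rec["direction"] != "i" or not rec["complete"]:
            continue
        if os.path.basename(rec["path"]).lower().startswith("index."):
            seen[rec["host"]].add(rec["user"])
    return {h: sorted(u) for h, u in seen.items() if len(u) >= min_accounts}

if __name__ == "__main__":
    for host, users in index_uploads_by_host(SAMPLE_LOG).items():
        print(host, "uploaded index files as:", ", ".join(users))
```

A host that authenticates as many unrelated accounts points at stolen or guessed FTP credentials rather than a single vulnerable site, which changes what has to be reset after the restore.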
  9. blakeh

    blakeh Registered

    Not sure what kernel we were on.

    Seems our attacker got the spamd user shell access and logged in that way, but somehow found out the root pw and ssh port.
     
  10. xerophyte

    xerophyte Well-Known Member

    Best way to restore the server and restore the public_html files from the backup,

    1) Restore the system with fresh OS
    2) Secure the server after restore
    3) Restore all the user data from the old drive
    4) Restore all the hacked index files
    5) Keep updating the server from old software

    hope that helps
     
  11. xerophyte

    xerophyte Well-Known Member

    /var/named
     
  12. blakeh

    blakeh Registered

    Where does the info for the various dns zones get stored or backed up?

    HostGator reloaded my box and restored the cPanel backups, but all my DNS zones have been reset and my customers are going bananas.

    bh
     
  13. Gary O

    Gary O Registered

    I have the same problem today.

    Funny, I updated cPanel 2 days ago.

    All pages forward to that page in the first post. Now I could not get to any page at all. I did a reboot and then all pages went down. I cannot get to any of them; it gives me the

    The page cannot be displayed

    I went through shell and cannot find anything at all now. But it still will not load for me. I forced a cPanel update via shell now too.

    I make sure the cPanel is updated all the time.

    All files are there. Nothing else was touched.

    And all scripts on the server are up to date.

    Any help will be great, thanks
     
  14. Gary O

    Gary O Registered

    Got an update.

    HTTPD is not running and will not reboot. This is why the sites are not showing, duh Gary.

    So I am now forcing a system reboot. I will see if this fixes it.
     
  15. HelloAdam

    HelloAdam Well-Known Member

    Hey,

    Well, as the post above says, you will want to reload the OS on the server. I hope you had account backups before you got hacked. If not, then it's useless backing them up now.

    From,
    Adam
     