I've been having some trouble keeping a select few cPanel accounts from being hacked and could use some direction on how to proceed. When they are hacked, malicious files are found with the intent of phishing. These accounts have WordPress sites on them, however, after combing through a number of logs (site access logs, cPanel access logs, and messages) I have reason to believe the files are being uploaded/created using cPanel access.
The cPanel password to this account was changed on July 10th and was given to no one.
When I clean up sites, I am typically scanning with ImunifyAV+, Wordfence, Maldet, and a custom script borrowed from a rather large hosting company. I get all offending files removed/corrected, update all plugins, themes, and core files if needed, and change all passwords (cPanel, FTP, Email, WordPress, Database). I seem to continue having trouble keeping the sites clean.
I found these logs showing that they were able to login to cPanel for the most recent offense and found similar entries for past events. I hid the username and domain for anonymity. In the last log entry the "cloves" directory is mentioned and contained only malicious files.
Code:
105.112.75.244 - username [07/14/2020:17:08:52 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "-" "-" 2083
105.112.75.244 - username [07/14/2020:17:08:52 -0000] "GET /cpsess0792180365/frontend/paper_lantern/index.html?login=1&post_login=79101385337705 HTTP/1.1" 200 0 "https://domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "s" "-" 2083
...
105.112.75.244 - username [07/14/2020:17:10:04 -0000] "GET /cpsess0792180365/json-api/cpanel?cpanel_jsonapi_module=Fileman&cpanel_jsonapi_func=listfiles&cpanel_jsonapi_apiversion=2&needmime=1&dir=%2fhome%2fusername%2fpublic_html%2fcloves&showdotfiles=1&cache_fix=1594746604598 HTTP/1.1" 200 0 "https://domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "s" "-" 2083
Not sure if it is relevant, but prior to the login, I am seeing a lot of requests to "cPanel_magic_revision," though, it seems possible they are getting these because they were already able to log in previously. A few of those lines are below:
Code:
105.112.75.244 - - [07/14/2020:17:08:40 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "-" "-" 2083
105.112.75.244 - - [07/14/2020:17:08:40 -0000] "GET /cPanel_magic_revision_1386192030/unprotected/cpanel/fonts/open_sans/open_sans.min.css HTTP/1.1" 200 0 "https://domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "-" "-" 2083
105.112.75.244 - - [07/14/2020:17:08:40 -0000] "GET /cPanel_magic_revision_1589382337/unprotected/cpanel/style_v2_optimized.css HTTP/1.1" 200 0 "https://domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "-" "-" 2083
105.112.75.244 - - [07/14/2020:17:08:41 -0000] "GET /cPanel_magic_revision_1577723847/unprotected/cpanel/images/cpanel-logo.svg HTTP/1.1" 200 0 "https://domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "-" "-" 2083
I ran a chkrootkit that said passwd was infected, but I checked the md5 and it matched with the repo. Root password and reseller account password have been changed numerous times.
Most of my experience in this area is with cleaning up hacked sites with vulnerabilities in the site files, but I'm a bit lost now that it appears to involve cPanel access. Any guidance in what to do/look for next is greatly appreciated.
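An added example, not from the original post, of the kind of check a practitioner would run over the cPanel access log entries quoted above: it parses the line layout exactly as it appears there, drops the unauthenticated asset fetches (the cPanel_magic_revision requests carry no user), and groups each login and File Manager (Fileman) API call by source IP and account, so a login from outside an assumed allowlist stands out together with the directory it touched. The log lines, the `trusted_ips` allowlist and the IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Layout of the cPanel access_log entries quoted in the post:
#   ip - user [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent" "x" "y" port
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "[^"]*" "[^"]*" (?P<port>\d+)$'
)

def parse_line(line):
    """Return the fields of one access_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def review_access_log(lines, trusted_ips):
    """Group cPanel logins and File Manager (Fileman) API calls by (ip, user),
    ignoring source IPs in trusted_ips and unauthenticated asset requests."""
    findings = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        # user "-" covers the pre-login fetches (cPanel_magic_revision css/svg), noise here
        if ev is None or ev["user"] == "-" or ev["ip"] in trusted_ips:
            continue
        key = (ev["ip"], ev["user"])
        if ev["method"] == "POST" and ev["path"].startswith("/login/"):
            findings[key].append((ev["ts"], "LOGIN"))
        elif "/json-api/cpanel" in ev["path"]:
            q = parse_qs(urlsplit(ev["path"]).query)  # parse_qs also decodes %2f -> /
            mod = q.get("cpanel_jsonapi_module", ["?"])[0]
            func = q.get("cpanel_jsonapi_func", ["?"])[0]
            target = (q.get("dir") or q.get("file") or ["?"])[0]
            findings[key].append((ev["ts"], f"{mod}::{func} {target}"))
    return dict(findings)

# Constructed sample in the same layout as the post's entries (IPs from documentation ranges).
SAMPLE_LOG = """\
203.0.113.9 - - [07/14/2020:17:08:40 -0000] "GET /cPanel_magic_revision_1386192030/unprotected/cpanel/images/cpanel-logo.svg HTTP/1.1" 200 0 "https://example.test:2083/" "Mozilla/5.0" "-" "-" 2083
203.0.113.9 - siteuser [07/14/2020:17:08:52 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://example.test:2083/" "Mozilla/5.0" "-" "-" 2083
203.0.113.9 - siteuser [07/14/2020:17:10:04 -0000] "GET /cpsess0792180365/json-api/cpanel?cpanel_jsonapi_module=Fileman&cpanel_jsonapi_func=listfiles&cpanel_jsonapi_apiversion=2&dir=%2fhome%2fsiteuser%2fpublic_html%2fcloves&showdotfiles=1 HTTP/1.1" 200 0 "https://example.test:2083/" "Mozilla/5.0" "s" "-" 2083
198.51.100.7 - siteuser [07/14/2020:09:00:00 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://example.test:2083/" "Mozilla/5.0" "-" "-" 2083
"""

if __name__ == "__main__":
    # 198.51.100.7 stands in for the administrator's own address (an assumption).
    for (ip, user), events in review_access_log(SAMPLE_LOG.splitlines(), {"198.51.100.7"}).items():
        print(f"{ip} as {user}:")
        for ts, action in events:
            print(f"  {ts}  {action}")
```

Run against the real /usr/local/cpanel/logs/access_log with the administrator's own addresses in the allowlist; a login followed within minutes by Fileman calls into a directory nobody created is the pattern the quoted entries show.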