cPanel Passwords Cracked?

Operating System & Version
CENTOS 7.8
cPanel & WHM Version
cPanel v88.0.12

AlexDCMO

Registered
Jul 10, 2020
Orem, UT
cPanel Access Level
Root Administrator
I've been having some trouble keeping a select few cPanel accounts from being hacked and could use some direction on how to proceed. When they are hacked, malicious files are found with the intent of phishing. These accounts have WordPress sites on them, however, after combing through a number of logs (site access logs, cPanel access logs, and messages) I have reason to believe the files are being uploaded/created using cPanel access.

I found these logs showing that they were able to login to cPanel for the most recent offense and found similar entries for past events. I hid the username and domain for anonymity. In the last log entry the "cloves" directory is mentioned and contained only malicious files.

Code:
105.112.75.244 - username [07/14/2020:17:08:52 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "-" "-" 2083
105.112.75.244 - username [07/14/2020:17:08:52 -0000] "GET /cpsess0792180365/frontend/paper_lantern/index.html?login=1&post_login=79101385337705 HTTP/1.1" 200 0 "https://domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "s" "-" 2083

...

105.112.75.244 - username [07/14/2020:17:10:04 -0000] "GET /cpsess0792180365/json-api/cpanel?cpanel_jsonapi_module=Fileman&cpanel_jsonapi_func=listfiles&cpanel_jsonapi_apiversion=2&needmime=1&dir=%2fhome%2fusername%2fpublic_html%2fcloves&showdotfiles=1&cache_fix=1594746604598 HTTP/1.1" 200 0 "https://domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "s" "-" 2083
The cPanel password to this account was changed on July 10th and was given to no one.

Not sure if it is relevant, but prior to the login, I am seeing a lot of requests to "cPanel_magic_revision," though, it seems possible they are getting these because they were already able to log in previously. A few of those lines are below:

Code:
105.112.75.244 - - [07/14/2020:17:08:40 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "-" "-" 2083
105.112.75.244 - - [07/14/2020:17:08:40 -0000] "GET /cPanel_magic_revision_1386192030/unprotected/cpanel/fonts/open_sans/open_sans.min.css HTTP/1.1" 200 0 "https://domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "-" "-" 2083
105.112.75.244 - - [07/14/2020:17:08:40 -0000] "GET /cPanel_magic_revision_1589382337/unprotected/cpanel/style_v2_optimized.css HTTP/1.1" 200 0 "https://domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "-" "-" 2083
105.112.75.244 - - [07/14/2020:17:08:41 -0000] "GET /cPanel_magic_revision_1577723847/unprotected/cpanel/images/cpanel-logo.svg HTTP/1.1" 200 0 "https://domain.com:2083/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" "-" "-" 2083
When I clean up sites, I am typically scanning with ImunifyAV+, Wordfence, Maldet, and a custom script borrowed from a rather large hosting company. I get all offending files removed/corrected, update all plugins, themes, and core files if needed, and change all passwords (cPanel, FTP, Email, WordPress, Database). I seem to continue having trouble keeping the sites clean.

I ran a chkrootkit that said passwd was infected, but I checked the md5 and it matched with the repo. Root password and reseller account password have been changed numerous times.

Most of my experience in this area is with cleaning up hacked sites with vulnerabilities in the site files, but I'm a bit lost now that it appears to involve cPanel access. Any guidance on what to do/look for next is greatly appreciated.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
To ensure that there is no root compromise, before providing suggestions, I'd advise you to open a ticket with us. Our admins should be able to let you know if there is any evidence of a root-level compromise or if the issue is at the account level.
 

mrezam2pm

Registered
Sep 12, 2019
iran
cPanel Access Level
Root Administrator
I have the same issue; what is the issue?
After changing all the passwords for everyone, the hacker logs in to the reseller account without a username & password!
And uploads a shell to all accounts, for phishing...
  • CENTOS 6.10 kvm [ip-.......] v86.0.24
 

AlexDCMO

Registered
Jul 10, 2020
Orem, UT
cPanel Access Level
Root Administrator
With the help from cPanel, we found that there was a .contactemail file where the hacker had put in their own email, which allowed them to just go through the lost password feature to reset the cPanel password for that account. The file was located in /home/USERNAME/.contactemail. In order to get this corrected, I just placed the proper email in that file instead of the one the hacker had placed there.

I hope this helps in your situation! I know how frustrating it was when it was happening for me.
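Because the reset address lives in a file the account itself owns, any web shell or compromised WordPress install can rewrite it, and changing the password afterwards does nothing. The audit below is an added example, not code from the thread or from cPanel: it walks every home directory, reads `.contactemail`, and reports each address whose domain is not in a list of domains you trust, so the attacker's address stands out across all accounts at once. It runs against a constructed fixture tree by default; the allow list, the fixture users and the handling of comma-separated entries are my assumptions.

```shell
#!/bin/sh
# Added example (not from the forum post): audit /home/USER/.contactemail
# across all accounts and flag reset addresses outside the domains you trust.

# make_fixture DIR: build a constructed /home-like tree for a dry run.
make_fixture() {
    for u in alice bob carol; do mkdir -p "$1/$u"; done
    printf 'alice@example.com\n' > "$1/alice/.contactemail"
    printf 'reset-me@attacker.invalid\n' > "$1/bob/.contactemail"
    # carol deliberately has no .contactemail at all
}

# audit_contactemail HOMEROOT ALLOWED_DOMAINS: one line per address.
#   OK user addr        domain is in the space-separated ALLOWED_DOMAINS
#   SUSPECT user addr   any other domain, or an entry with no '@'
#   EMPTY user          file exists but holds nothing
#   NONE user           no .contactemail file
# Entries are split on commas on the assumption that the file may hold
# more than one address.
audit_contactemail() {
    root=$1; allowed=" $2 "
    for dir in "$root"/*/; do
        user=$(basename "$dir")
        f="$dir.contactemail"
        if [ ! -f "$f" ]; then echo "NONE $user"; continue; fi
        if [ ! -s "$f" ]; then echo "EMPTY $user"; continue; fi
        tr ',' '\n' < "$f" | sed 's/[[:space:]]//g' | grep . |
        while read -r addr; do
            domain=${addr##*@}
            case "$addr" in
                *@*) case "$allowed" in
                         *" $domain "*) echo "OK $user $addr" ;;
                         *) echo "SUSPECT $user $addr" ;;
                     esac ;;
                *) echo "SUSPECT $user $addr" ;;
            esac
        done
    done
}

# Dry run on the fixture. On a real server:  audit_contactemail /home "yourdomain.com"
tmp=$(mktemp -d)
make_fixture "$tmp"
audit_contactemail "$tmp" "example.com"
rm -rf "$tmp"
```

Treat every `SUSPECT` line the way the poster did: put the correct address back, then change the password, since a reset requested before the fix may still have produced a working credential. A `NONE` result is not by itself a problem (the address can be stored elsewhere by WHM), but an account that suddenly gains a `.contactemail` file it never had is worth a look at the file's modification time and the web-facing files written around it.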