The Community Forums


Cpanel Server being exploited

Discussion in 'Security' started by bradyb, Jun 22, 2010.

  1. bradyb

    bradyb Well-Known Member

    Joined:
    May 9, 2005
    Messages:
    62
    Likes Received:
    0
    Trophy Points:
    6
    cPanel 11.25.0-C46156 - WHM 11.25.0 - X 3.9
    CENTOS 4.8 i686 standard on ns1

    Somehow, someone is injecting folders on the server that send bulk mail. This problem has come and gone over the last year.

    FTP is disabled, only SFTP.

    Passwords have all been changed.

    How should I go about protecting the server further?

    In this particular case, I had about 3,500 bounces (so far) in my email for failed emails. I deleted the mail queue, restarted the server, and updated cPanel. The account that was injected doesn't even accept mail locally.

    Any questions or any help that could resolve my issues would be appreciated. I've been with cPanel for 5+ years. The server has about 150 accounts on it. I control all of the accounts; none of the website owners have access to cPanel. We manage everything.
     
  2. bradyb
    I enabled brute-force protection. This IP is trying a lot: 173.193.2.180

    Now I can't get into WHM, and I added my IP.
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    This might be helpful:
    Use cPHulk for Brute Force Protection

    Silly question but have you changed the password for that account that has no email setup? Or at least, checked the logs to see which user is logging in via SFTP and changed that users password?

    There are several threads on the forums that you might find useful concerning the email problem, not sure if this one of them though:
    http://forums.cpanel.net/f43/spam-originated-fake-email-accounts-into-my-server-142669.html
     
  4. bradyb
    We are searching now and inspecting the folder the spammer put up. I see cPHulk is showing all the failed attempts by the spammer IP. I added my IP to the whitelist, but I keep getting kicked out as the spammer keeps trying to get in. I will read on. Any other thoughts? I appreciate it.
     
  5. bradyb
    Sorry, and yes, I did change the password.
     
  6. bradyb
    It is as if it got hold of our Apache config and read all the virtual hosts. It is in what looks to be every directory, even temp. We are creating a process to delete all of them and may look at: ConfigServer Server Services
     