Cpanel Server being exploited

B

bradyb

Well-Known Member
May 9, 2005
62
0
156
cPanel 11.25.0-C46156 - WHM 11.25.0 - X 3.9
CENTOS 4.8 i686 standard on ns1

Somehow, someone is injecting folders on the server that send bulk mail. This problem has come and gone over the last year.

FTP is disabled, only SFTP.

Passwords have all been changed.

How should I go about protecting the server further?

This particular case - i had about 3500 bounces (so far) in my email for failed emails. I deleted the mail queue, restarted the server, updated cpanel. The account that was injected doesn't even accept mail locally.

Any questions or any help that could resolve my issues would be appreciated. Been with cpanel for 5+ years. Server has about 150 accounts on it. I control all of the accounts, none of the website owners have access to cpanel. we manage everything.
 
B

bradyb

Well-Known Member
May 9, 2005
62
0
156
I enabled brute force protection.. this ip is trying a lot 173.193.2.180

Now i cant get in WHM and i added my IP
 
I

Infopro

Well-Known Member
May 20, 2003
17,075
524
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
This might be helpful:
Use cPHulk for Brute Force Protection

Fixing a Lockout
In the event you are locked out of your server due to cPHulk, run the following script via WHM: /scripts2/doautofixer?autofix=disable_cphulkd

Example: Type the following line into your browser's address bar:
/https://www.example.com:2087/scripts2/doautofixer?autofix=disable_cphulkd
Click to expand...
Silly question but have you changed the password for that account that has no email setup? Or at least, checked the logs to see which user is logging in via SFTP and changed that users password?

There are several threads on the forums that you might find useful concerning the email problem, not sure if this one of them though:
http://forums.cpanel.net/f43/spam-originated-fake-email-accounts-into-my-server-142669.html
 
B

bradyb

Well-Known Member
May 9, 2005
62
0
156
Infopro said:
This might be helpful:
Use cPHulk for Brute Force Protection

Silly question but have you changed the password for that account that has no email setup? Or at least, checked the logs to see which user is logging in via SFTP and changed that users password?

There are several threads on the forums that you might find useful concerning the email problem, not sure if this one of them though:
http://forums.cpanel.net/f43/spam-originated-fake-email-accounts-into-my-server-142669.html
Click to expand...
We are searching now and inspecting the folder the spammer put up. I see cPHulk is showing all the failed attempts by the spammer IP. I added my Ip as whitelist, keep getting kicked out as the spammer keeps trying to get in. I will read on. Any other thoughts, i appreciate it..
 
B

bradyb

Well-Known Member
May 9, 2005
62
0
156
it is as if it got ahold of our apache config and read all the virtual hosts. it is in what looks to be every directory, even temp. We are creating a process to delete all and may look at: ConfigServer Server Services
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
B Server's own IP in cpHulk reporting system cpaneld auth failure? Security 13
B SOLVED CPANEL-42515 - PCI Scan complaint about Web Server Predictable Session ID Vulnerability with port 2087 / tcp over ssl Security 12
G Unable to connect to a cPanel server via SSH Security 5
I In Progress CPANEL-40053 - Contact email addresses are wrong for all client accounts on private hosted cPanel server Security 4
C AutoSSL failing for domains with external DNS but hosted and resolving to cpanel server Security 5
Similar threads
Server's own IP in cpHulk reporting system cpaneld auth failure?
SOLVED CPANEL-42515 - PCI Scan complaint about Web Server Predictable Session ID Vulnerability with port 2087 / tcp over ssl
Unable to connect to a cPanel server via SSH
In Progress CPANEL-40053 - Contact email addresses are wrong for all client accounts on private hosted cPanel server
AutoSSL failing for domains with external DNS but hosted and resolving to cpanel server
Top Bottom