Cpanel Server being exploited

bradyb

Well-Known Member
May 9, 2005
cPanel 11.25.0-C46156 - WHM 11.25.0 - X 3.9
CENTOS 4.8 i686 standard on ns1

Somehow, someone is injecting folders on the server that send bulk mail. This problem has come and gone over the last year.

FTP is disabled, only SFTP.

Passwords have all been changed.

How should I go about protecting the server further?

In this particular case, I had about 3500 bounces (so far) in my email for failed emails. I deleted the mail queue, restarted the server, and updated cPanel. The account that was injected doesn't even accept mail locally.

Any questions or any help that could resolve my issues would be appreciated. I've been with cPanel for 5+ years. The server has about 150 accounts on it. I control all of the accounts; none of the website owners have access to cPanel. We manage everything.

bradyb

I enabled brute force protection. This IP is trying a lot: 173.193.2.180

Now I can't get into WHM, and I added my IP.

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level: Root Administrator
This might be helpful:
Use cPHulk for Brute Force Protection

Fixing a Lockout
In the event you are locked out of your server due to cPHulk, run the following script via WHM: /scripts2/doautofixer?autofix=disable_cphulkd

Example: Type the following line into your browser's address bar:
https://www.example.com:2087/scripts2/doautofixer?autofix=disable_cphulkd
Silly question, but have you changed the password for that account that has no email set up? Or at least checked the logs to see which user is logging in via SFTP and changed that user's password?

There are several threads on the forums that you might find useful concerning the email problem; not sure if this is one of them, though:
http://forums.cpanel.net/f43/spam-originated-fake-email-accounts-into-my-server-142669.html

bradyb

We are searching now and inspecting the folder the spammer put up. I see cPHulk is showing all the failed attempts by the spammer's IP. I added my IP to the whitelist but keep getting kicked out as the spammer keeps trying to get in. I will read on. Any other thoughts? I appreciate it.

bradyb

It is as if it got hold of our Apache config and read all the virtual hosts. It is in what looks to be every directory, even temp. We are creating a process to delete them all and may look at: ConfigServer Server Services
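As an added example (not code from this thread or from cPanel), here is a small POSIX shell script in the spirit of the clean-up process described above: it reads the DocumentRoot entries from an Apache config, then reports directories under each docroot that were modified in the last N days and contain PHP files calling mail(), so the injected folders can be reviewed before anything is deleted. The function names, config path and demo files are all constructed for this example.

```shell
#!/bin/sh
# Added example: triage script for finding recently planted mailer
# scripts across every virtual host. It only reports; nothing is removed.

# list_docroots CONFIG -> one DocumentRoot path per line (quotes stripped)
list_docroots() {
    grep -i '^[[:space:]]*DocumentRoot[[:space:]]' "$1" \
        | awk '{print $2}' | tr -d '"' | sort -u
}

# find_mailers DOCROOT DAYS -> unique directories under DOCROOT holding a
# .php file modified within DAYS days that contains a mail( call
find_mailers() {
    find "$1" -type f -name '*.php' -mtime "-$2" \
        -exec grep -l 'mail[[:space:]]*(' {} + 2>/dev/null \
        | while read -r f; do dirname "$f"; done | sort -u
}

# scan CONFIG DAYS -> suspicious directories across all docroots in CONFIG
scan() {
    list_docroots "$1" | while read -r root; do
        [ -d "$root" ] && find_mailers "$root" "$2"
    done
}

# make_demo -> path to a constructed environment (not real server data):
# two docroots, one of them with a mail() script hidden in a temp folder
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/public_html/.tmp" "$d/site2/public_html"
    printf 'DocumentRoot "%s/site1/public_html"\nDocumentRoot %s/site2/public_html\n' \
        "$d" "$d" > "$d/httpd.conf"
    printf '<?php echo "hello"; ?>\n' > "$d/site1/public_html/index.php"
    printf '<?php mail("x@example.com", "s", "m"); ?>\n' > "$d/site1/public_html/.tmp/x.php"
    printf '<?php echo "ok"; ?>\n' > "$d/site2/public_html/index.php"
    echo "$d"
}
```

On a real server you would point scan at the live httpd.conf and review the listed directories against the SFTP and Exim logs before removing anything.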