cPanel too insecure for shared hosting?

So I'm kinda at my wits' end. I've been in this industry for a long time and I'm at the point that I don't know what to do. I'm literally thinking of closing up shop.

cPanel/WHM is unable to offer secure shared hosting. We are constantly having hack waves on our servers. Hackers somehow are able to exploit every single wordpress website on our servers. This despite us using every trick we know on how to secure them.

I have installed cloudlinux
I have a pretty potent firewall
I put the wordpress domains through cloudflare for extra security.
I make sure folder permissions are not crazy
I make sure that passwords are random and very very long
I make sure all wordpress files and plugins are up to date

I no longer know what to do. Today I woke up to around 50 WordPress websites hacked on my server. I don't know what to do anymore.

I'm literally thinking of quitting the industry after a decade.

Please... is there anything else that can be done to stop these hack waves? It's pretty useless running WHM/cPanel if every WordPress website is hacked when you use it.
 

weetabix

Well-Known Member
Oct 26, 2006
I think you need to look at the attack vector in this particular case and come back with the results of that to get any good suggestions from here.

We could guess 1000 times about your particular server settings, but it won't help you.
 
The "Attack" vector was every single wordpress and joomla website on my shared hosting server :/

And I know for a fact most of them were up to date (CMS and plugins). So I assume 1 site got hacked and they were then able to hack every one of our CMS websites :/

This is just too much :/
 

weetabix

Well-Known Member
Oct 26, 2006
By attack vector I mean how they managed to breach your security. Symlinks, FTP, cPanel, etc.

It sounds like a symlink attack, or that you have FTP/cPanel open for your root/reseller account and the password is in the wild.

Could be your WHMCS database that is in the wild as well.
 

24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
You can also hook the maldet tool into ModSecurity by using the rule below:

============================================
SecRequestBodyAccess On
# ModSecurity 2.7 and later refuses to load a rule that has no unique id: action;
# add one (for example id:<your_rule_number>) to the action list before using this.
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none"
============================================
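To show what an @inspectFile rule actually does, here is a constructed, minimal checker script written for this thread; it is not maldet's modsec.sh. ModSecurity passes the path of each temporary upload (FILES_TMPNAMES) as argv[1] and reads the first line the script prints: "1" allows the file, "0 <reason>" makes the rule match, so the "deny" action above blocks the request and the reason goes to the audit log. This checker rejects uploads that carry a PHP open tag whatever file name the client claimed.

```python
#!/usr/bin/env python3
"""Constructed @inspectFile checker (example for this thread, not maldet's modsec.sh).

Contract: ModSecurity runs this with the temporary upload path as argv[1] and
reads the first line of stdout. "1" = allow the upload; "0 <reason>" = reject it
(the reason is written to the audit log when the rule fires).
"""
import re
import sys

# PHP open tags "<?php" and "<?="; "<?xml" is deliberately not matched.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def inspect_bytes(data: bytes) -> str:
    """Return the verdict line for the given file content."""
    if PHP_TAG.search(data):
        return "0 embedded PHP code detected in upload"
    return "1"


def inspect_file(path: str) -> str:
    """Return the verdict line for a file on disk; unreadable files fail closed."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(1024 * 1024)  # only the first MiB is scanned
    except OSError as exc:
        return f"0 cannot read upload: {exc}"
    return inspect_bytes(head)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(inspect_file(sys.argv[1]))  # what ModSecurity sees
    else:
        # Constructed sample payloads so the checker can be tried without ModSecurity.
        samples = {
            "logo.png": b"\x89PNG\r\n\x1a\n...constructed image bytes...",
            "logo.png with PHP inside": b"\x89PNG\r\n<?php echo 'constructed'; ?>",
            "notes.xml": b"<?xml version='1.0'?><notes/>",
        }
        for name, blob in samples.items():
            print(f"{name}: {inspect_bytes(blob)}")
```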
 

ThinIce

Well-Known Member
Apr 27, 2006
Disillusioned in England
cPanel Access Level
Root Administrator
It's a wider discussion, but I think one of the primary problems is that all the little holes that have been there forever are now getting vigorously poked and exploited (and I'm talking about the IT industry as a whole, not just hosting). I sympathise with the cPanel guys where things that technically are out of their purview (like kernel issues) have become completely key. Yeah, the better shops had all been running grsecurity for years in any case and hardening properly, but many weren't. cPanel 'just worked' and market pressures on price meant that a lot of what should have been basic practices got skipped.

I do however think it's time now for CloudLinux to be offered (if it's wanted) as part of every cPanel license, given that what it provides is now so integral to the security of the smaller shops that just don't have the in-house expertise (and by expertise I mean the expertise to realise you have a problem, as well as then to fix it...).
 

mtbwacko

Well-Known Member
Nov 30, 2004
Why not install a decent ModSecurity ruleset? I haven't had a single successful SQL injection in the years I've had ModSecurity installed - on ANY of my servers.
 

georgeb

Well-Known Member
May 23, 2010
Montreal, QC, Canada
cPanel Access Level
Root Administrator
It's not cPanel that's the problem, it's WordPress. The coders of this application have nothing to do with security (but because most people in this world just follow and don't think, they use this app because everybody is using it; whether it is good or bad, nobody asks). In the last 10 years I never had a problem (hack), and I did both paid and free web hosting (where out of 10 users, 8 are abusers). You can eliminate this by server configuration, using mod_security and ConfigServer eXploit Scanner (cxs), in other words controlling any file that is uploaded to your server, every move of a user, etc., and reacting before the hack, not after. I can help you with more if you want, just ask for more details. If you don't know what to do, hire a pro and save your time and money.

Regards
 

lbeachmike

Well-Known Member
Dec 27, 2001
Long Beach, NY
cPanel Access Level
Root Administrator
I can show you lots of uploaded malware files that go undetected by cxs.

There's a great plug-in with a superior scanner called Wordfence. It will find malware that cxs and Clam will miss. There are also other security plug-ins that monitor for changed files/directories. There is also an automatic updater plug-in to keep everything always updated and as secure as possible.

However, I believe everybody, including the author of this thread, has missed the point. This sounds more like a root compromise than anything else.

mrk
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
If all the WP / Joomla sites, and only WP/Joomla sites, are hacked, it doesn't take a root compromise if FollowSymLinks is allowed in Apache (which it pretty much always is). There are one-click scripts to deface every WP site on a box if CloudLinux is not set up for 'securelinks' or other symlink protection is not in place. All they have to do is get in to one web app first, hence why this thread is a sticky in this forum:

http://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242.html
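A defender-side check for the symlink scenario described above, added here as a constructed example rather than cPanel's or CloudLinux's own tooling: it walks one account's home directory and reports links whose target resolves outside that home, is owned by a different uid, or dangles. The two-account layout it builds in a temp directory and the account names "victim" and "attacker" are constructed fixtures; on a real box you would point it at /home/<account>.

```python
#!/usr/bin/env python3
"""Constructed symlink audit (example for this thread, not a cPanel/CloudLinux tool).

Reports symlinks under one hosting account's home that point outside it, at a
file owned by another uid, or nowhere: the links a cross-account symlink attack
leaves in a compromised docroot for Apache (with FollowSymLinks) to serve.
"""
import os
import sys
import tempfile
from pathlib import Path


def audit_account(home: str) -> list:
    """Return (link, target, reason) tuples for suspicious symlinks under home."""
    home_path = Path(home).resolve()
    findings = []
    for root, dirs, files in os.walk(home, followlinks=False):  # never descend into links
        for name in dirs + files:
            link = Path(root) / name
            if not link.is_symlink():
                continue
            try:
                target = link.resolve(strict=True)
            except (OSError, RuntimeError):  # missing target or symlink loop
                findings.append((str(link), os.readlink(link), "dangling or looping link"))
                continue
            if target != home_path and home_path not in target.parents:
                findings.append((str(link), str(target), "target outside account home"))
            elif target.stat().st_uid != link.lstat().st_uid:
                findings.append((str(link), str(target), "target owned by another uid"))
    return findings


def demo() -> list:
    """Build a constructed two-account layout in a temp dir and audit the 'attacker' home."""
    base = Path(tempfile.mkdtemp(prefix="symlink-audit-"))
    victim, docroot = base / "victim", base / "attacker" / "public_html"
    victim.mkdir(parents=True)
    docroot.mkdir(parents=True)
    (victim / "wp-config.php").write_text("<?php // constructed victim config\n")
    (docroot / "style.css").write_text("body{}\n")
    os.symlink(docroot / "style.css", docroot / "ok.css")          # same account: fine
    os.symlink(victim / "wp-config.php", docroot / "steal.txt")    # cross-account: flagged
    return audit_account(str(base / "attacker"))


if __name__ == "__main__":
    results = audit_account(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for link, target, reason in results:
        print(f"{reason}: {link} -> {target}")
```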
 

lbeachmike

Well-Known Member
Dec 27, 2001
Long Beach, NY
cPanel Access Level
Root Administrator
I am running CloudLinux + CageFS with symlink protection.

Question - if the hacker places a root symlink into one site of an unprotected environment and the server is running suPHP, how is one able to write to the files of other accounts without privilege escalation, assuming php files are given 0644 privileges?
 

Nick57

Well-Known Member
Jul 19, 2005
cPanel Access Level
Root Administrator
You also can set maldet tool with modsecurity, by using below rule :

============================================
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none"

============================================
Hi, this is an interesting rule. I have both Maldet and ModSecurity installed, but what exactly is this rule blocking?
I run Maldet in the background.

Thanks