cPanel too insecure for shared hosting?

So Im kinda at my wits end. Ive been in this industry for a long time and Im at the point that I dont know what to do. Im litterally thinking of closing up shop.

cPanel/WHM is unable to offer secure shared hosting. We are constantly having hack waves on our servers. Hackers somehow are able to exploit every single wordpress website on our servers. This despite us using every trick we know on how to secure them.

I have installed cloudlinux
I have a pretty potent firewall
I put the wordpress domains through cloudflare for extra security.
I make sure folder permissions are not crazy
I make sure that passwords are random and very very long
I make sure all wordpress files and plugins are up to date

I no longer know what to do. Today I woke up to around 50 wordpress websites hacked on my server. I dont know what to do anymore.

Im literally thinking of quitting the industry after a decade.

Please... is there anything else that can be done to stop these hack waves? It pretty useless running whm/cpanel if every wordpress website is hacked when you use it.
 

weetabix

Well-Known Member
Oct 26, 2006
62
4
158
I think you need to look at the attack vector in this particular case and come back with the results of that to get any good suggestions from here.

We could guess 1000 times about your particular server settings, but it wont help you.
 
The "Attack" vector was every single wordpress and joomla website on my shared hosting server :/

And I know for a fact most of them where up to date (cms and plugins). So I assume 1 site got hacked and they were then able to hack every one of our cms websites :/

This is just too much :/
 

weetabix

Well-Known Member
Oct 26, 2006
62
4
158
By attack vector I mean how they managed to breach your security. Symlinks, ftp, cpanel, etc.

It sounds like a symlink attack or that you have ftp/cpanel open for your root/reseller account and the password is in the wild.

Could be your whmcs database that is in the wild as well.
 

24x7server

Well-Known Member
Apr 17, 2013
1,911
96
78
India
cPanel Access Level
Root Administrator
Twitter

24x7server

Well-Known Member
Apr 17, 2013
1,911
96
78
India
cPanel Access Level
Root Administrator
Twitter
You also can set maldet tool with modsecurity, by using below rule :

============================================
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none"

============================================
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
It's a wider discussion, but I think one of the primary problems is that all the little holes that have been there forever are now getting vigorously poked and exploited (and I'm talking about the IT industry as a whole, not just hosting). I sympathise with the cPanel guys where things that technically are out of their purview (like kernel issues) have become completely key. Yeah, the better shops had all been running grsecurity for years in any case and hardening properly, but many weren't. cPanel 'just worked' and market pressures on price meant that a lot of what should have been basic practises got skipped.

I do however think it's time now for CloudLinux to be offered (if it's wanted) as part of every cPanel license. Given that what it provides is now so integral to the security of the smaller shops who just don't have the in house expertise (and by expertise I mean that to realise you have a problem, as well as then fix it...)
 

mtbwacko

Well-Known Member
Nov 30, 2004
59
0
156
Why not install a decent ModSecurity ruleset? I haven't had a single successful SQL injection in the years I've had ModSecurity installed - on ANY of my servers.
 

georgeb

Well-Known Member
May 23, 2010
49
1
58
Montreal, QC, Canada
cPanel Access Level
Root Administrator
Is not cPanel the problem, is WordPress. The coders for this application have nothing to do with security (but because most of the people in this world just follow, don't think, they are using this app, because everybody is using, if is good or bad nobody asks). In the last 10 years I never had a problem (hack), and I did both paid and free web hosting (where from 10 users 8 are abusers). You can eliminate this by server configuration, using mod_security, ConfigServer eXploit Scanner (cxs) with other words controlling any file that is uploaded to your server, every move of a user etc., and react before hack not after. I can help you with more if you want, just ask for more details. If you don't know what to do hire a pro and save your time and money.

Regards
 

lbeachmike

Well-Known Member
Dec 27, 2001
306
1
316
Long Beach, NY
cPanel Access Level
Root Administrator
I can show you lots of uploaded malware files that go undetected by CSX.

There's a great plug-in with a superior scanner called Wordfence. It will find malware that CSW and Clam will miss. There are also other security plug-ins that monitor for changed files/directories. There is also an automatic updater plug-in to keep everything always-updated and as secure as possible.

However, I believe everybody, including the author if this thread have missed the point. This sounds more like a root compromise than anyhting else.

mrk
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
If all the WP / Joomla sites, and only WP/Joomla sites are hacked, it doesn't take root compromise if followsymlinks is allowed in apache (which it pretty much always is). There are one-click scripts to deface every WP site on a box if cloudlinux is not set up for 'securelinks' or other symlink protection is not in place. All they have to do is get in to one web app first, hence why this thread is a sticky in this forum:

http://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242.html
 

lbeachmike

Well-Known Member
Dec 27, 2001
306
1
316
Long Beach, NY
cPanel Access Level
Root Administrator
I am running CloudLinux + CageFS with symlink protection.

Question - if the hacker places a root symlink into one site of an unprotected environment and the server is running suPHP, how is one able to write to the files of other accounts without privilege escalation, assuming php files are given 0644 privileges?
 

Nick57

Well-Known Member
Jul 19, 2005
103
0
166
cPanel Access Level
Root Administrator
You also can set maldet tool with modsecurity, by using below rule :

============================================
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none"

============================================
Hi, this is interesting rule, I have both Maldet and Modsecurity installed, but what exactly is this rule blocking?
I run Maldet in background.

Thanks