The Community Forums

Interact with an entire community of cPanel & WHM users!

cPanel too insecure for shared hosting?

Discussion in 'Security' started by ghoti, Aug 29, 2013.

  1. ghoti

    ghoti Member

    Joined:
    Jun 23, 2011
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    East London, Eastern Cape, South Africa
    So I'm kind of at my wits' end. I've been in this industry for a long time and I'm at the point that I don't know what to do. I'm literally thinking of closing up shop.

    cPanel/WHM is unable to offer secure shared hosting. We are constantly having hack waves on our servers. Hackers somehow are able to exploit every single WordPress website on our servers, despite us using every trick we know to secure them.

    I have installed CloudLinux
    I have a pretty potent firewall
    I put the WordPress domains through Cloudflare for extra security.
    I make sure folder permissions are not crazy
    I make sure that passwords are random and very, very long
    I make sure all WordPress files and plugins are up to date

    I no longer know what to do. Today I woke up to around 50 WordPress websites hacked on my server. I don't know what to do anymore.

    I'm literally thinking of quitting the industry after a decade.

    Please... is there anything else that can be done to stop these hack waves? It's pretty useless running WHM/cPanel if every WordPress website is hacked when you use it.
     
  2. ghoti

    ghoti Member

    Joined:
    Jun 23, 2011
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    East London, Eastern Cape, South Africa
    Yup, we are pretty much deciding to close shop. Busy looking for a buyer now. Cheers folks.
     
  3. weetabix

    weetabix Well-Known Member

    Joined:
    Oct 26, 2006
    Messages:
    56
    Likes Received:
    1
    Trophy Points:
    8
    I think you need to look at the attack vector in this particular case and come back with the results of that to get any good suggestions from here.

    We could guess 1000 times about your particular server settings, but it won't help you.
     
  4. ghoti

    ghoti Member

    Joined:
    Jun 23, 2011
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    East London, Eastern Cape, South Africa
    The "attack" vector was every single WordPress and Joomla website on my shared hosting server :/

    And I know for a fact most of them were up to date (CMS and plugins). So I assume 1 site got hacked and they were then able to hack every one of our CMS websites :/

    This is just too much :/
     
  5. LDHosting

    LDHosting Well-Known Member

    Joined:
    Jan 19, 2008
    Messages:
    93
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    You say that you installed CloudLinux... did you set up and enable CageFS? Did you set up and enable SecureLinks?

    There is much more involved in managing a server and its security than just installing a software package and thinking it's all OK now.
     
    #5 LDHosting, Aug 29, 2013
    Last edited: Aug 29, 2013
  6. Eric

    Eric Administrator
    Staff Member

    Joined:
    Nov 25, 2007
    Messages:
    746
    Likes Received:
    11
    Trophy Points:
    18
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
  7. weetabix

    weetabix Well-Known Member

    Joined:
    Oct 26, 2006
    Messages:
    56
    Likes Received:
    1
    Trophy Points:
    8
    By attack vector I mean how they managed to breach your security: symlinks, FTP, cPanel, etc.

    It sounds like a symlink attack, or that you have FTP/cPanel open for your root/reseller account and the password is in the wild.

    Could be your WHMCS database that is in the wild as well.
     
  8. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
  9. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    You can also set up the maldet tool with ModSecurity by using the rule below:

    ============================================
    SecRequestBodyAccess On
    SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" \
    "log,auditlog,deny,severity:2,phase:2,t:none"

    ============================================
     
  10. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Most likely you did not enable SecureLinks for CloudLinux, which allowed the mass hack of all those CMSes. I see it every day.
     
  11. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    It's a wider discussion, but I think one of the primary problems is that all the little holes that have been there forever are now getting vigorously poked and exploited (and I'm talking about the IT industry as a whole, not just hosting). I sympathise with the cPanel guys, where things that technically are out of their purview (like kernel issues) have become completely key. Yeah, the better shops had all been running grsecurity for years in any case and hardening properly, but many weren't. cPanel 'just worked', and market pressures on price meant that a lot of what should have been basic practices got skipped.

    I do, however, think it's time now for CloudLinux to be offered (if it's wanted) as part of every cPanel license, given that what it provides is now so integral to the security of the smaller shops who just don't have the in-house expertise (and by expertise I mean the expertise to realise you have a problem, as well as to then fix it...).
     
  12. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    I agree that CloudLinux should be packaged as a standard with every license.

    It sounds like ghoti had a root compromise, but by the lack of response to this thread, I'm guessing he's thrown in the towel.
     
  13. mtbwacko

    mtbwacko Well-Known Member

    Joined:
    Nov 30, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Why not install a decent ModSecurity ruleset? I haven't had a single successful SQL injection in the years I've had ModSecurity installed - on ANY of my servers.
     
  14. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    I don't think you read the details of his issue. He also never stated that he did not have that in place.
     
  15. georgeb

    georgeb Well-Known Member

    Joined:
    May 23, 2010
    Messages:
    48
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Montreal, QC, Canada
    cPanel Access Level:
    Root Administrator
    It's not cPanel that's the problem, it's WordPress. The coders of this application have nothing to do with security (but because most people in this world just follow and don't think, they use this app because everybody is using it, and nobody asks whether it's good or bad). In the last 10 years I never had a problem (hack), and I did both paid and free web hosting (where 8 out of 10 users are abusers). You can eliminate this by server configuration, using mod_security and ConfigServer eXploit Scanner (cxs), in other words controlling any file that is uploaded to your server, every move of a user, etc., and reacting before the hack, not after. I can help you with more if you want, just ask for more details. If you don't know what to do, hire a pro and save your time and money.

    Regards
     
  16. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    I can show you lots of uploaded malware files that go undetected by CXS.

    There's a great plug-in with a superior scanner called Wordfence. It will find malware that CXS and Clam will miss. There are also other security plug-ins that monitor for changed files/directories. There is also an automatic updater plug-in to keep everything always updated and as secure as possible.

    However, I believe everybody, including the author of this thread, has missed the point. This sounds more like a root compromise than anything else.

    mrk
     
  17. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    If all the WP/Joomla sites, and only WP/Joomla sites, are hacked, it doesn't take a root compromise if FollowSymLinks is allowed in Apache (which it pretty much always is). There are one-click scripts to deface every WP site on a box if CloudLinux is not set up for 'SecureLinks' or other symlink protection is not in place. All they have to do is get into one web app first, hence why this thread is a sticky in this forum:

    http://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242.html
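    As a defender-side check for the symlink problem quizknows describes, here is an added example (not code from the thread or from cPanel/CloudLinux): it walks one account's web root and reports every symlink whose resolved target lies outside that account's home directory, which is what a cross-account link looks like on a host still serving with FollowSymLinks. The account layout it scans is constructed in a temporary directory; the names alice, bob and carol are made up.

```python
"""Added example: find symlinks in a shared-hosting account's web root that
resolve outside that account's home directory. The two-account layout used
below is constructed in a temp dir purely for demonstration."""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(home: str, webroot: str):
    """Return (link_path, resolved_target) pairs for every symlink under
    `webroot` whose final target is not inside `home`. Dangling links are
    reported as well, since their target may be created later."""
    home_real = os.path.realpath(home)
    escaping = []
    # followlinks=False: symlinked directories are listed but never descended
    for dirpath, dirnames, filenames in os.walk(webroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves chains of links too
            if os.path.commonpath([home_real, target]) != home_real:
                escaping.append((path, target))
    return escaping


def demo():
    """Constructed layout: alice's public_html holds one benign in-account link,
    one link into bob's wp-config.php, and one dangling link toward carol."""
    root = tempfile.mkdtemp()
    alice = Path(root, "home", "alice")
    bob = Path(root, "home", "bob")
    for acct in (alice, bob):
        (acct / "public_html").mkdir(parents=True)
    (bob / "public_html" / "wp-config.php").write_text("<?php // secrets\n")
    (alice / "public_html" / "theme.css").write_text("body{}\n")
    # benign: points at a file inside alice's own home
    os.symlink(alice / "public_html" / "theme.css", alice / "public_html" / "style.css")
    # escaping: points at another account's config
    os.symlink(bob / "public_html" / "wp-config.php", alice / "public_html" / "x.txt")
    # escaping and dangling: target account does not exist (yet)
    os.symlink(Path(root, "home", "carol", "public_html", "configuration.php"),
               alice / "public_html" / "y.txt")
    hits = find_escaping_symlinks(str(alice), str(alice / "public_html"))
    return sorted(os.path.basename(link) for link, _ in hits)


if __name__ == "__main__":
    print(demo())  # → ['x.txt', 'y.txt']
```

    Run it per account (for example over each /home/*/public_html) from a cron job; a non-empty result is worth an alert regardless of whether SymLinksIfOwnerMatch or SecureLinks is already enforced.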
     
  18. lbeachmike

    lbeachmike Well-Known Member

    Joined:
    Dec 27, 2001
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Long Beach, NY
    cPanel Access Level:
    Root Administrator
    I am running CloudLinux + CageFS with symlink protection.

    Question - if the hacker places a root symlink into one site of an unprotected environment and the server is running suPHP, how is one able to write to the files of other accounts without privilege escalation, assuming php files are given 0644 privileges?
     
  19. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    They don't write to anything initially. I'll PM you how the hack works.
     
  20. Nick57

    Nick57 Well-Known Member

    Joined:
    Jul 19, 2005
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hi, this is an interesting rule. I have both Maldet and ModSecurity installed, but what exactly is this rule blocking?
    I run Maldet in background.

    Thanks
     