Operating System & Version: cPanel plus CloudLinux
cPanel & WHM Version: 100.0.12
Apr 9, 2022 · Rio de Janeiro · cPanel Access Level: Root Administrator
Good afternoon dear friends!

I currently have three dedicated servers and I'm having the same problem on three servers.

The server is being hacked and folders and files are being added to the cPanel user accounts; my server is properly configured with cPanel plus CloudLinux.

The ports open on the server are as follows:

20,21,2250,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,3306

Port 2250 is a custom port for the SSH connection.

ConfigServer Security & Firewall and cPGuard are configured on the server, but neither is solving my problem.


Would friends here on the forum have any ideas or help that could help me solve this?
 


cPRex (Jurassic Moderator, Staff member)
Hey there! It would likely be worth opening a ticket with our team, as any investigation without seeing the server is really just guessing.

If the files and directories you are seeing created are owned by the cPanel user, that would indicate the compromise is at the user level, and not the root level of the server, so at least that is good news. This is often a problem caused by keylogging software on customer machines, as passwords get stolen when that user logs into cPanel and sent to the hacker so they can access the account.

If you submit a ticket to our team we can at least rule out common root compromises, and we also may be able to point you in the right direction as to what the original source of the compromise was.
 
Apr 9, 2022 · Rio de Janeiro · cPanel Access Level: Root Administrator
The problem is not just on one server but on three servers, and not in a specific user account but in several user accounts; files are being added and files are also being deleted from the end users. This is my preoccupation. Could there be some command with which I could check these invasions?
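Added example, not part of the thread and not a cPanel or Imunify tool: a shell script that speaks to cPRex's point that file ownership separates a user-level from a root-level compromise, and to the request above for a command to check the accounts. It lists files changed within the last N days under each account's public_html, flags any not owned by the account user, and summarises how many accounts are affected. It assumes the standard cPanel layout of /home/<user>/public_html and GNU find/stat as found on CloudLinux.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): report files changed recently under each
# cPanel account's public_html and flag whether each file is owned by the
# account user (consistent with a user-level compromise) or by someone else,
# e.g. root (which would point at a deeper compromise). HOME_ROOT (/home on
# cPanel) and the day window are the caller's choice.

# recent_changes HOME_ROOT DAYS
# One tab-separated line per file: account, owner, USER|OTHER, mtime, path.
recent_changes() {
  local home_root="$1" days="${2:-3}"
  local acct_dir acct acct_owner tab
  tab="$(printf '\t')"
  for acct_dir in "$home_root"/*/; do
    acct_dir="${acct_dir%/}"
    [ -d "$acct_dir/public_html" ] || continue
    acct="${acct_dir##*/}"
    acct_owner=$(stat -c '%U' "$acct_dir")   # owner of the account home dir
    # GNU find: -mtime -N selects files modified within the last N days
    find "$acct_dir/public_html" -type f -mtime "-$days" \
         -printf '%u\t%TY-%Tm-%Td %TH:%TM\t%p\n' |
      while IFS="$tab" read -r owner mtime path; do
        local flag=OTHER
        [ "$owner" = "$acct_owner" ] && flag=USER
        printf '%s\t%s\t%s\t%s\t%s\n' "$acct" "$owner" "$flag" "$mtime" "$path"
      done
  done
}

# summarize HOME_ROOT DAYS
# One line per affected account: how many files changed and how many of those
# are not owned by the account user, so the spread across accounts is visible.
summarize() {
  recent_changes "$1" "${2:-3}" | awk -F'\t' '
    { total[$1]++; if ($3 != "USER") other[$1]++ }
    END { for (a in total)
            printf "%s\t%d changed\t%d not account-owned\n", a, total[a], other[a] + 0 }'
}

# Usage on a server: ./recent_changes.sh /home 3
if [ -n "${1:-}" ]; then
  summarize "$1" "${2:-3}"
fi
```

Deleted files, which the poster also reports, leave no entry for find to see; for those the account's access and FTP logs are the place to look.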
 

cPRex (Jurassic Moderator, Staff member)

plesk4lyf (Active Member, PartnerNOC)
Quintanilha-RJ,

The firewall isn't going to help with exploits of this nature at all, because they're using the services to perform the exploits.

It's most likely that website code/CMS/plugins are outdated and have holes that are able to be exploited.

You should always keep the code up-to-date so security holes are patched. If it's shared hosting and you don't have that level of control over it, then I recommend looking at:

Imunify360 is an all-in-one product. It includes virus/exploit scanning and web application firewall (WAF) rules.

For just exploit scanning, you can look at:

There's no easy fix or silver bullet to prevent exploits on sites.