Domain Redirecting To Another Cpanel Domain

[awogor]

Hello,

I have a VPS and running centOS.

One of my cPanel accounts was compromised by hackers recently.
I cleaned it since all the sites are WordPress, I used wordfence to clean them and deleted some.

Now, that same day it was hacked, I noticed one of my domain (1 out of the 7 domains in the cpanel account as addons) were redirecting to one of my cpanel account's primary domain.

What I mean is, I have 3 cpanel accounts.

1. for clients
2. for myself
3. for a friend

Now, a domain on my own cpanel account says domain.com when visited, it will redirects to domain.com on my client cpanel account.
Although the site was badly compromised.

I had a backup but didn't want to restore it. Instead, I deleted all files and remove the domain.

Today, I've added another domain on my cpanel account as addon says domain.com again... and when visiting the domain, it redirects to a domain in my client's cPanel account.

I'm scared if there was a setting the hacker did to my cpanel account.

Both my cpanel and whm are 2FA enabled.

Please, advise what to do.

thanks.

 

[cPRex]

Hey there! It definitely sounds like the account could still be compromised in some way. It's impossible for us to say what the issue could be in this case, but redirects can be set up in the .htaccess, in the Apache configuration (through a parked domain, for example) or directly in a database if you are using tools like WordPress.

It seems a more thorough review of that server will be necessary to ensure it is cleaned and safe.

 

[awogor]

Okay!

What then should I do to ensure you have access to check?

It's a WordPress site and it was hosted in Interserver before and working fine.

But I recently imported the site content from Interserver hosting to my vps.

It was working fine.

How can I provide login details?

Knowing that I'm using 2FA?

 

[cPRex]

If you'd like our team to check the server you would need to submit a ticket, as we can't access servers through the forum.

It's important to note though that our team does not offer a security scanning service - if you would like that to happen it would be best to work with your host or a third-party administrator here: System Administration Services

 

[awogor]

Hel

If you'd like our team to check the server you would need to submit a ticket, as we can't access servers through the forum.

It's important to note though that our team does not offer a security scanning service - if you would like that to happen it would be best to work with your host or a third-party administrator here: System Administration Services

Thanks a lot for your speedy response.

So I realized there were some files in my file manager that were stranged.

I don't know if they were generated by my previous hosting because I imported a zip.

These files had 404.shtml, 500.shtml, and a bunch of others.

I downloaded them and deleted them and everything worked well after that.


However I have a concern to stand corrected.

In my cpanel for security reason I setup login notification alerts.

So, I login to my cpanel and access webmail from there and I instantly got an alert that I've logged to cpanel from of course my IP address.

a few seconds later, I got another email of cpanel login notification.



Domain: myrandomdomain.com
Service: dovecot
Local IP Address: 134.0.0.1 (changed for security reasons just in case)
Local Port: 143
Local User triggering request: cpanelusername
Remote IP Address: 134.0.0.1 (changed for security reasons just in case)
Remote Port: 50528
Authentication Database: mail
Username: cpanelusername
Known Network †: Yes


Please, is it something to be worried about?

The domain logged in from the webmail does not exist by the way.

 

[cPRex]

That notification is just letting you know the dovecot service, which is part of the email on the server, accessed the cPanel account since you logged in to Webmail, so that is totally normal behavior.