The Community Forums


Email access compromised

Discussion in 'Security' started by serviz, May 31, 2014.

  1. serviz

    serviz Registered

    Joined:
    May 31, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I'm a server admin who has been combating a hacker for the past few weeks, and I urgently need to consult a security expert who can help me solve the mystery of how this hacker can continue to read my emails on a cPanel-hosted domain.

    The hacker originally gained access through a SQL injection vulnerability and installed a bunch of PHP shells throughout the server.

    I've been scanning + auditing files / upgrading + migrating domains / repeatedly changing passwords / auditing logs / etc. But I still have proof that the hacker has access to emails sent to my account hosted on this server.

    Does anyone have ideas of what other ways a hacker can access my email outside of...
    - http (e.g., via shells that read /home/user/mail)
    - ftp (reading the /home/user/mail dir)
    - ssh
    - pop3/imap (requires password?)

    I'd like to offer a reward of $1,000 if someone acting as a consultant can successfully help me identify precisely how this hacker is accessing my email. Please PM if you can help!
     
  2. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    569
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hello,

    It's strongly suggested that you reload the operating system, re-install cPanel and restore. If the hacker installed various shells, the server may be root compromised and if that's the case, no amount of scanning, auditing or upgrading is going to fix that. If you missed even one shell, the hacker can use that to gain access (and install more shells). It's a losing battle at this point.

    We do have a list of qualified system administrators and security experts that may be able to help.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    If you restore the account to a new server, but there are shells hidden, they'll still have account level access.

    I would never advise a re-image (reinstall of OS) without concrete proof of a root-level hack. PHP shells can only result in rooted servers when the kernel is old enough to have unpatched privilege escalation exploits. Otherwise, the shell is stuck with the permissions dictated by the PHP handler ("nobody" with DSO, or the vhost owner with suPHP).

    Unless OP has an old kernel or other evidence of root compromise, a re-image is likely wasting their time unless they also completely remove the website content.

    I do however second the recommendation for hiring a qualified administrator to analyse the situation.
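Both replies turn on the same point: a single missed PHP shell keeps the account (and its mail directory) exposed. The indicator scan below is an added example, not code from the thread or from cPanel; the regex patterns, the sample tree and the file names are my own constructed assumptions. It checks every file regardless of extension, since shells are routinely dropped as .jpg or .ico, and a clean result only means these particular patterns were absent.

```python
import os
import re
import tempfile
# Heuristic web-shell indicators (assumed patterns, not from the thread).
INDICATORS = [
    (re.compile(r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), "eval of decoded payload"),
    (re.compile(r"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I), "eval of request data"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I), "shell command from request"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I), "variable function from request"),
]


def scan_file(path, max_bytes=512 * 1024):
    """Return the indicator labels matching the first max_bytes of a file."""
    with open(path, "rb") as fh:
        text = fh.read(max_bytes).decode("utf-8", errors="replace")
    if "<?" not in text:  # checked for every extension: shells hide as .jpg, .ico, ...
        return []
    return [label for regex, label in INDICATORS if regex.search(text)]


def scan_tree(root):
    """Walk root; map relative path -> matched labels for each flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo():
    """Scan a constructed sample account tree (not real files from the thread)."""
    root = tempfile.mkdtemp()
    samples = {
        "public_html/index.php": "<?php echo 'hello'; ?>",
        "public_html/images/.cache.php": "<?php eval(base64_decode($_POST['c'])); ?>",
        "public_html/uploads/x.jpg": "<?php system($_GET['cmd']); ?>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return scan_tree(root)

if __name__ == "__main__":
    for rel, labels in sorted(demo().items()):
        print(rel, "->", ", ".join(labels))
```

Run it against a copy of the account's home directory on a clean host rather than on the compromised server itself, and treat every hit as something to review by hand.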
     