
Email access compromised

Discussion in 'Security' started by serviz, May 31, 2014.

  1. serviz, Registered (May 31, 2014), cPanel Access Level: Root Administrator

    I'm a server admin who has been combating a hacker for the past few weeks, and I urgently need to consult a security expert who can help me solve the mystery of how this hacker can continue to read my emails on a cPanel-hosted domain.

    The hacker originally gained access through a SQL injection vulnerability and installed a bunch of PHP shells throughout the server.

    I've been scanning + auditing files / upgrading + migrating domains / repeatedly changing passwords / auditing logs / etc. But I still have proof that the hacker has access to emails sent to my account hosted on this server.

    Does anyone have ideas of what other ways a hacker can access my email outside of...
    - http (e.g., via shells that read /home/user/mail)
    - ftp (reading the /home/user/mail dir)
    - ssh
    - pop3/imap (requires password?)

    I'd like to offer a reward of $1,000 if someone acting as a consultant can successfully help me identify precisely how this hacker is accessing my email. Please PM if you can help!
  2. cPanelPeter, Technical Analyst III, Staff Member (Sep 23, 2013), cPanel Access Level: Root Administrator

    It's strongly suggested that you reload the operating system, re-install cPanel and restore. If the hacker installed various shells, the server may be root compromised and if that's the case, no amount of scanning, auditing or upgrading is going to fix that. If you missed even one shell, the hacker can use that to gain access (and install more shells). It's a losing battle at this point.

    We do have a list of qualified system administrators and security experts that may be able to help.
  3. quizknows, Well-Known Member (Oct 20, 2009), cPanel Access Level: DataCenter Provider

    If you restore the account to a new server, but there are shells hidden, they'll still have account level access.

    I would never advise re-image (reinstall of OS) without concrete proof of a root level hack. PHP shells can only result in rooted servers when the kernel is old enough to have unpatched privilege escalation exploits. Otherwise, the shell is stuck with permissions as dictated by the PHP handler ("nobody" with DSO, or the vhost owner with SuPHP).

    Unless OP has an old kernel or other evidence of root compromise, a re-image is likely wasting their time unless they also completely remove the website content.

    I do however second the recommendation for hiring a qualified administrator to analyse the situation.
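The thread turns on two practical points: a PHP shell left anywhere in the account's content survives a migration to a new server, and what that shell can read is bounded by the PHP handler's user ("nobody" under DSO, the account owner under suPHP) together with the mode bits on the mailbox. As an added example, not code from the thread, from cPanel or from any poster, here is a Python audit helper an administrator could run over an account's home directory to surface both. The `public_html`/`mail` layout, the indicator patterns and the constructed sample files are assumptions for illustration; a hit is a lead for manual review, not proof of compromise.

```python
"""Audit helper (added example, not from the forum thread or cPanel):
1. hunt for PHP webshell indicators in a web root, including shells parked
   under non-PHP extensions and .htaccess files that remap them to PHP;
2. list mailbox entries whose mode bits let group/other read them, which is
   what decides whether a shell running as the web server user can read mail.
Layout and indicator list are assumptions for illustration."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Common webshell idioms (assumed list). Each hit is a lead, not a verdict.
INDICATORS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\("),
    re.compile(rb"eval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    re.compile(rb"\b(system|passthru|shell_exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),  # /e modifier evaluates the replacement
    re.compile(rb"\bassert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    re.compile(rb"\$_FILES\[[^\]]+\]\[['\"]tmp_name['\"]\].{0,120}move_uploaded_file"),
]
PHP_LIKE = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
HANDLER_REMAP = re.compile(rb"(AddHandler|AddType|SetHandler)[^\n]*php", re.I)


def scan_webroot(root: str) -> list[tuple[str, str]]:
    """Return (path, reason) for every file under root that looks like a shell."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or st.st_size > 2_000_000:
                continue  # skip symlinks, devices and huge files
            data = Path(path).read_bytes()
            # A PHP open tag in a .jpg/.txt/etc. is a classic way to park a shell;
            # whether it executes depends on the handler configuration below.
            if not PHP_LIKE.search(name) and b"<?php" in data[:4096]:
                findings.append((path, "PHP open tag in non-PHP filename"))
            for rx in INDICATORS:
                if rx.search(data):
                    findings.append((path, f"matches {rx.pattern.decode()}"))
                    break
            if name == ".htaccess" and HANDLER_REMAP.search(data):
                findings.append((path, ".htaccess remaps extensions to the PHP handler"))
    return findings


def mail_readable_by_others(maildir: str) -> list[str]:
    """Return entries under maildir readable by group or other. Under a DSO
    handler the shell runs as the web server user, so these bits are what
    let it read the account's mail without any password."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(maildir):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if os.lstat(entry).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append(entry)
    return exposed


def audit(home: str) -> dict:
    """Run both checks against an account home laid out as public_html/ and mail/."""
    return {
        "shells": scan_webroot(os.path.join(home, "public_html")),
        "mail_exposed": mail_readable_by_others(os.path.join(home, "mail")),
    }


def build_sample_tree() -> str:
    """Create a constructed, throwaway home directory so the audit runs offline."""
    home = tempfile.mkdtemp(prefix="audit_demo_")
    web = Path(home, "public_html")
    img = web / "images"
    img.mkdir(parents=True)
    (web / "index.php").write_text("<?php echo 'hello'; ?>\n")  # benign
    # Constructed shell under an image extension, plus the .htaccess that would run it.
    (img / "logo.jpg").write_text("<?php eval(base64_decode($_POST['c'])); ?>\n")
    (web / ".htaccess").write_text("AddHandler application/x-httpd-php .jpg\n")
    cur, new = Path(home, "mail", "cur"), Path(home, "mail", "new")
    cur.mkdir(parents=True)
    new.mkdir()
    msg = cur / "1401500000.msg"
    msg.write_text("Subject: test\n\nbody\n")
    for d in (Path(home, "mail"), cur, new):
        os.chmod(d, 0o700)
    os.chmod(msg, 0o644)  # one message left readable by any local user
    return home


if __name__ == "__main__":
    result = audit(build_sample_tree())
    for path, why in result["shells"]:
        print(f"[shell?] {path}: {why}")
    for path in result["mail_exposed"]:
        print(f"[mail readable by others] {path}")
```

Point `audit()` at a real account home and review every hit by hand; the shell scan is pattern based and will both miss obfuscated shells and flag some legitimate code, so treat it as a triage aid alongside the log review already discussed in the thread.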
