The Community Forums

Interact with an entire community of cPanel & WHM users!

Getting hacked... Almost Daily.

Discussion in 'Security' started by chetanmadaan, May 23, 2013.

  1. chetanmadaan

    chetanmadaan Member

    Hi -

    We have a WHM/cPanel server with a couple of Joomla installations on it... and we are getting hacked almost daily.

    We have tried just about everything we can do to prevent this... but it just keeps happening.

    We have tried:
    - Reinstalling/updating to the latest Joomla version.
    - Changing all our cPanel/Joomla backend passwords.


    Happening:
    - Hackers are able to upload all types of files, which lets them put bank logins on our site.
    - Hackers are able to somehow bypass the cPanel login and do what they want to do.

    What needs to happen:
    - Is there a setting/program we can enable/install that will keep track of all the files that are being uploaded to the site and what script is being used to upload them?
    - Is there a setting/script that can notify us whenever a new file is uploaded to the server and how it is uploaded, based on a current system scan as the current set of files?

    Thank you to anyone responding.
     
  2. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    One of your components or templates is likely trojaned or vulnerable. The most common Joomla exploits I've seen in recent months target old versions of com_jce (check for malware in public_html/images/stories).

    You need to enable archiving of raw access logs in the cPanel account, and contact your web hosting support or hire a security admin if you cannot clean it or the infections recur. I recommend Sucuri (Sucuri Security).
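
The baseline comparison the original poster asks for, combined with the raw access logs recommended above, as an added example (not code from this thread or from cPanel). The function names, the script-extension list, the 60-second window and the sample log lines are assumptions made for illustration; the log parser expects Apache combined format.

```python
import hashlib, os, re
from datetime import datetime, timedelta

SCRIPT_EXT = (".php", ".phtml", ".pl", ".cgi")  # assumption: types that do not belong in media dirs
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')  # Apache combined log prefix

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest

def diff(baseline, current):
    """Return (new, changed) paths relative to the known-good baseline."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return new, changed

def scripts_in(paths, upload_dir="images"):
    """Files that are scripts inside a directory meant for media uploads."""
    prefix = upload_dir + os.sep
    return [p for p in paths if p.startswith(prefix) and p.lower().endswith(SCRIPT_EXT)]

def posts_before(log_lines, when, window_s=60):
    """(client, URL) of POST requests logged up to window_s seconds before `when`."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "POST":
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if timedelta(0) <= when - ts <= timedelta(seconds=window_s):
            hits.append((m.group(1), m.group(4)))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up URLs).
SAMPLE_LOG = [
    '198.51.100.7 - - [23/May/2013:10:14:58 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [23/May/2013:10:15:02 +0000] "POST /index.php?option=com_example HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.9 - - [23/May/2013:10:40:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "-"',
]
```

Take the snapshot of public_html while the site is known to be clean, store the manifest outside the account, and pass each new file's modification time (as a timezone-aware datetime) to `posts_before` together with the archived raw access log.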
     
  3. storminternet

    storminternet Well-Known Member

    cPanel Access Level:
    Root Administrator
    Try Upload Guardian for preventing malicious files from being uploaded into the account.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
  5. vlee

    vlee Well-Known Member

    cPanel Access Level:
    Root Administrator
    You may also want to look into the following if you do not already have them installed on the server:

    Mod Security
    Config Server Firewall
    SuPHP
    Use PCI Compliance Settings
     
  6. robb3369

    robb3369 Well-Known Member

    cPanel Access Level:
    Root Administrator
  7. chetanmadaan

    chetanmadaan Member

    Thanks Everyone. I will try my best.
     
  8. noori

    noori Registered

    cPanel Access Level:
    Website Owner
    Hi everyone.
    I have had the same issue for many days and I don't know what's going on.
    My website has not been edited for 5-6 months. One day the browser showed me a warning that malware was detected. I logged in to my account and saw that all the pages of my site had been changed and malware code pointing to some other site was there in the pages. I removed all the pages and uploaded the backup. After that I discovered that my Facebook likes and Twitter tweets had increased to more than 2000, as previously they were not even 50. I knew my site was hacked, and again it got hacked. This is the third time it has been hacked and I have no idea what to do. Any help is appreciated...
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Have you reviewed any of the solutions offered on this thread? You may want to consult with a qualified system administrator or security expert if the solutions offered thus far have not been helpful.

    Thank you.
     
  10. calebstephen

    calebstephen Registered

    cPanel Access Level:
    Root Administrator
    Yes, security is definitely the no. 1 priority when dealing with servers.
    I have built a server myself, so from experience, I have had a range of attacks from SQL injections to HTACCESS and on to DDoS attacks. Since moving servers onto the one I built, with its HIGH level of security, I have never had any attacks after that.
    Another thing is that I have heaps of Joomla sites on my server. Keeping the versions UP-TO-DATE is imperative. If you have J 1.0, 1.5 or any OLD versions of Joomla, UPGRADE to the latest 2.5 or 3.0 versions, as the new ones HAVE security hot fixes and patches.
    Make sure you also install the following on your server if you have root access:
    Mod Security
    Config Server & Security Firewall
    SuPHP
    CP Hulk

    Additionally, get a qualified systems admin to troubleshoot, secure and protect your system.
    Hope this advice helps.
     
  11. brianoz

    brianoz Well-Known Member

    cPanel Access Level:
    Root Administrator
    I'd be wanting to check your PC fairly carefully; my initial thought would be that they have your PC compromised and are stealing your saved password. To catch this, set up a special FTP account and save it on your PC. Don't save that anywhere else.

    Scanning with a few recent antivirus packages is usually enough; sometimes just one by itself doesn't find these sorts of trojan infections.

    The other possibility is that they have compromised root on your server, or dropped a hacked file somewhere into your account and are using that to regain access. You'll need to scan the account for weird files using a combination of tools to find it; we use Configserver's cxs but maldet and other tools should be similar.
     
  12. noori

    noori Registered

    cPanel Access Level:
    Website Owner
    brianoz, thanks for your valuable advice, but my issue is there. Every day different malware is detected on my site. I think that's the responsibility of the server now, as I have installed 2 antiviruses and scanned my computer thoroughly. :(
     
  13. sahostking

    sahostking Well-Known Member

    cPanel Access Level:
    Root Administrator
  14. 24x7server

    24x7server Well-Known Member

    cPanel Access Level:
    Root Administrator
    Hello,

    I would also suggest that you install ConfigServer eXploit Scanner (cxs) on your server for the malware infection. It's a good active scanner which scans files as they are uploaded to the server.

    Also scan your whole /home* directory with Linux Malware Detect (R-fx Networks) and check if any CMD SHELL files are present in your user account.

    Thanks
     
  15. cPanelNick

    cPanelNick Administrator
    Staff Member

    cPanel Access Level:
    DataCenter Provider
  16. noori

    noori Registered

    cPanel Access Level:
    Website Owner
    Thanks for your suggestions. I will surely install these. :)
     