Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Getting screwed over, need urgent help.

Discussion in 'Security' started by Nishant80, Jul 5, 2012.

  1. Nishant80

    Nishant80 Well-Known Member

    Joined:
    May 7, 2012
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    56
    cPanel Access Level:
    Root Administrator
    Hi,
    Since about a week we have been getting LOT of complaints from our datacenter about a few of our webs holding phishing pages, shells, deface pages etc etc. I have tried clamav, maldet but they don't seem to help a lot.

    I just got another complaint. The site is not EXACTLY defaced, but it has a "hacked" page uploaded inside
    Code:
    wp-content/themes/twentyten/x.php
    Not to mention the site is using wordpress. My question is, how can I check when and how this file was uploaded?

    And what can I do to prevent these things?
     
    #1 Nishant80, Jul 5, 2012
  2. jerrybell

    jerrybell Well-Known Member

    Joined:
    Nov 27, 2006
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    156
    you could try looking at the timestamp of the file, though it's conceivable that has been altered.

    Most likely, the WP sites are running old versions of WP or plugins that are vulnerable to attack. Keeping them updated is probably the most effective way to prevent this, but that will likely be challenging. Mass updating of wordpress is pretty simple - there are a lot of scripts out there to do that. There aren't many for updating plugins, though. php-cli is one that looks promising, though I haven't played with it.

    Other than that, compiling apache with suhosin will help some. Be sure you're not running mod_php or have something in place (like mod_ruid2) to keep one site compromise from allowing an attacker to drop exploit code on all sites you host.

    There's no 100% solution.
     
    #2 jerrybell, Jul 5, 2012
  3. d'argo

    d'argo Active Member

    Joined:
    Jul 4, 2012
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Also check your FTP logs, a lot of malware gets uploaded because of compromised user accounts.
     
    #3 d'argo, Jul 5, 2012
  4. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    254
    Likes Received:
    1
    Trophy Points:
    68
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    What about this. ConfigServer eXploit Scanner (cxs)

    That might help. But that best thing to do, is to restore the site to a time, when it was not infected. And change the passwords to a more secure password.
     
    #4 tank, Jul 6, 2012
  5. d'argo

    d'argo Active Member

    Joined:
    Jul 4, 2012
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Thats definitely the best advice. Usually its a stolen password that lets them in.
     
    #5 d'argo, Jul 6, 2012
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    With WordPress, it's usually an old version actually. They don't need to steal passwords when WordPress has easily exploitable old versions that haven't been updated. Scanning frequently for out-of-date WordPress installs and informing the customer they need to update is the best course of action. If they don't update and get hacked, charging them to restore from a backup would work out well, since they were already informed and now you have to do the work they didn't do.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 cPanelTristan, Jul 7, 2012
(You must log in or sign up to post here.)
Loading...
Similar Threads - Getting screwed need
  1. zeki

    How to see which site is getting the most hits during a certain time

    zeki, Aug 4, 2018, in forum: General Discussion
    Replies:
    2
    Views:
    89
    cPanelLauren
    Aug 6, 2018
  2. Zardiw

    mod_userdir getting 404 error

    Zardiw, Aug 3, 2018, in forum: General Discussion
    Replies:
    12
    Views:
    62
    cPanelLauren
    Aug 3, 2018
  3. madesimplemedia

    Getting error "End of script output before headers: ea-php56"

    madesimplemedia, Jun 12, 2018, in forum: CloudLinux
    Replies:
    10
    Views:
    201
    cPanelLauren
    Jun 13, 2018
  4. andryangouw

    System generated emails getting rejected by ESP due to sender verification callout

    andryangouw, May 19, 2018, in forum: E-mail Discussion
    Replies:
    5
    Views:
    111
    cPanelLauren
    May 21, 2018
  5. cPanelResources

    Tutorial cP100: Getting Started with cPanel

    cPanelResources, May 10, 2018, in forum: General Discussion
    Replies:
    0
    Views:
    86
    cPanelResources
    May 10, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice