Forums
Forums

Quick Links
- Search Forums
- New Posts
Search titles only

Posted by Member:

Separate names with a comma.

Newer Than:

Search this thread only

Search this forum only

Display results as threads

More...

Useful Searches

Recent Posts
Resources
Resources

Quick Links
Feature Requests
Defects
Menu

This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Getting screwed over, need urgent help.

Discussion in 'Security' started by Nishant80, Jul 5, 2012.

Nishant80 Well-Known Member

Joined:

May 7, 2012

Messages:

63

Likes Received:

0

Trophy Points:

56

cPanel Access Level:

Root Administrator
Hi,
Since about a week we have been getting LOT of complaints from our datacenter about a few of our webs holding phishing pages, shells, deface pages etc etc. I have tried clamav, maldet but they don't seem to help a lot.

I just got another complaint. The site is not EXACTLY defaced, but it has a "hacked" page uploaded inside

Code:

wp-content/themes/twentyten/x.php

Not to mention the site is using wordpress. My question is, how can I check when and how this file was uploaded?

And what can I do to prevent these things?
#1 Nishant80, Jul 5, 2012
jerrybell Well-Known Member

Joined:

Nov 27, 2006

Messages:

90

Likes Received:

0

Trophy Points:

156

Nishant80 said: ↑

Hi,
Not to mention the site is using wordpress. My question is, how can I check when and how this file was uploaded?

And what can I do to prevent these things?
Click to expand...

you could try looking at the timestamp of the file, though it's conceivable that has been altered.

Most likely, the WP sites are running old versions of WP or plugins that are vulnerable to attack. Keeping them updated is probably the most effective way to prevent this, but that will likely be challenging. Mass updating of wordpress is pretty simple - there are a lot of scripts out there to do that. There aren't many for updating plugins, though. php-cli is one that looks promising, though I haven't played with it.

Other than that, compiling apache with suhosin will help some. Be sure you're not running mod_php or have something in place (like mod_ruid2) to keep one site compromise from allowing an attacker to drop exploit code on all sites you host.

There's no 100% solution.

#2 jerrybell, Jul 5, 2012
d'argo Active Member

Joined:

Jul 4, 2012

Messages:

36

Likes Received:

0

Trophy Points:

6

cPanel Access Level:

Root Administrator

Also check your FTP logs, a lot of malware gets uploaded because of compromised user accounts.

#3 d'argo, Jul 5, 2012
tank Well-Known Member

Joined:

Apr 12, 2011

Messages:

241

Likes Received:

0

Trophy Points:

66

Location:

Chicago, IL

cPanel Access Level:

Root Administrator

What about this. ConfigServer eXploit Scanner (cxs)

That might help. But that best thing to do, is to restore the site to a time, when it was not infected. And change the passwords to a more secure password.

#4 tank, Jul 6, 2012
d'argo Active Member

Joined:

Jul 4, 2012

Messages:

36

Likes Received:

0

Trophy Points:

6

cPanel Access Level:

Root Administrator

tank said: ↑

But that best thing to do, is to restore the site to a time, when it was not infected. And change the passwords to a more secure password.
Click to expand...

Thats definitely the best advice. Usually its a stolen password that lets them in.

#5 d'argo, Jul 6, 2012
cPanelTristan Quality Assurance Analyst
Staff Member

Joined:

Oct 2, 2010

Messages:

7,622

Likes Received:

25

Trophy Points:

238

Location:

somewhere over the rainbow

cPanel Access Level:

Root Administrator

With WordPress, it's usually an old version actually. They don't need to steal passwords when WordPress has easily exploitable old versions that haven't been updated. Scanning frequently for out-of-date WordPress installs and informing the customer they need to update is the best course of action. If they don't update and get hacked, charging them to restore from a backup would work out well, since they were already informed and now you have to do the work they didn't do.

cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
-- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support

Submit a ticket | Check an existing ticket

#6 cPanelTristan, Jul 7, 2012

(You must log in or sign up to post here.)

Loading...

Similar Threads - Getting screwed need

Piped email to WHMCS getting bounce back

Adam Helman, Aug 14, 2017 at 5:41 AM, in forum: E-mail Discussions

Replies:

4

Views:

54

Adam Helman

Aug 14, 2017 at 12:22 PM
Firewalls keep getting turned off

cannon303, Aug 12, 2017 at 10:58 AM, in forum: General Discussion

Replies:

1

Views:

44

cPanelMichael

Aug 14, 2017 at 11:14 AM
Getting this message in easy apache

WebHostPro, Aug 7, 2017, in forum: Security

Replies:

1

Views:

59

cPanelMichael

Aug 8, 2017
Stopped getting mailing list emails

Bob Katz, Aug 2, 2017, in forum: E-mail Discussions

Replies:

18

Views:

146

cPanelMichael

Aug 8, 2017
Getting emails from cpanel@hostname and root@localhost

schatzman, Aug 2, 2017, in forum: E-mail Discussions

Replies:

7

Views:

101

cPanelMichael

Aug 2, 2017

Share This Page