The Community Forums

Interact with an entire community of cPanel & WHM users!

I got hacked

Discussion in 'General Discussion' started by dob3rman, Jul 15, 2011.

  1. dob3rman

    dob3rman Active Member

    Hi,

    Files have been uploaded to my server. Today I saw this in my logs:


    Jul 15 17:41:45 Cp-Wrap[9516]: Pushing "665 ADD security.accounts.update.clientb.o.a.team.security.all.com.accounts.paypal XXXXXXXXXXXXXXXXXXXXX 0 /home/xxxx/public_html/security.accounts.update.clientb.o.a.team.security.all.com.accounts.paypal " to '/usr/local/cpanel/bin/domainadmin' for UID: 665

    How do they upload stuff? Do they have SSH?

    Thanks!
     
    #1 dob3rman, Jul 15, 2011
    Last edited: Jul 15, 2011
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Which log showed this information? Without knowing which log file, it isn't possible to know how it was achieved.
     
  3. dob3rman

    dob3rman Active Member

    # grep ADD /var/log/secure
     
  4. mtindor

    mtindor Well-Known Member

    cPanel Access Level:
    Root Administrator
    Look in /etc/passwd and find out who UID 665 is -- I'm sure it's "xxxx". At any rate, it looks like somebody simply logged into the cPanel interface of that user and added the subdomain. That would mean that the perpetrator had gained the login credentials of the "xxxx" account. It could be indicative of bigger problems, or it could just simply be that somebody stole the login credentials of "xxxx", perhaps by sniffing an unencrypted login session or perhaps by virtue of xxxx's PC being compromised by virus/trojan.

    If you don't see this problem on any other accounts, change all passwords associated with this account [including email accounts] and tell the customer they can't have access until they run a thorough virus scan on any computers they use to access their website via FTP/HTTP. Before you tell them you suspect their login information was stolen due to their computer being infected with a virus or otherwise accessed by an evildoer, pick their brain a little bit -- ask them if they have had any recent viruses on their computers, or if they have noticed strange things happening on their PCs that might be indicative of a virus.

    As far as uploading things, they could upload via FTP, SSH [if you have it enabled on the account], via the filemanager in cPanel, or via an insecure script.

    M
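As an added example (not code from the thread or from cPanel), the triage mtindor describes in script form: pull the Cp-Wrap "ADD" events out of /var/log/secure, resolve each UID to its account through /etc/passwd, and flag subdomain names that look like phishing hostnames so you can see whether other accounts are affected. The log and passwd excerpts are constructed (only the first log line is the one quoted in the thread), and the brand-word list and scoring thresholds are my own assumptions.

```python
import re
# Constructed /var/log/secure excerpt: the first line is the Cp-Wrap entry quoted in the
# thread, the other two are made up (a benign subdomain add and an unrelated sshd line).
SAMPLE_SECURE_LOG = """\
Jul 15 17:41:45 Cp-Wrap[9516]: Pushing "665 ADD security.accounts.update.clientb.o.a.team.security.all.com.accounts.paypal XXXXXXXXXXXXXXXXXXXXX 0 /home/xxxx/public_html/security.accounts.update.clientb.o.a.team.security.all.com.accounts.paypal " to '/usr/local/cpanel/bin/domainadmin' for UID: 665
Jul 15 18:02:10 Cp-Wrap[9601]: Pushing "512 ADD blog.example.net example.net 0 /home/alice/public_html/blog " to '/usr/local/cpanel/bin/domainadmin' for UID: 512
Jul 15 18:30:00 sshd[9700]: Accepted publickey for root from 203.0.113.5 port 22 ssh2
"""
# Constructed /etc/passwd excerpt, used to resolve the UID at the end of each event.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
xxxx:x:665:665::/home/xxxx:/usr/local/cpanel/bin/noshell
alice:x:512:512::/home/alice:/usr/local/cpanel/bin/jailshell
"""
# Cp-Wrap "Pushing ... ADD" to domainadmin: capture the new hostname and the acting UID.
ADD_RE = re.compile(r'Cp-Wrap\[\d+\]: Pushing "(\d+) ADD (\S+) .*?" to '
                    r"'/usr/local/cpanel/bin/domainadmin' for UID: (\d+)")
# Assumed heuristic (my own list): words that phishing hostnames tend to stack up.
BRAND_WORDS = ("paypal", "login", "account", "secure", "security", "update", "verify", "bank")

def uid_map(passwd_text):
    # Numeric UID -> username, the lookup mtindor suggests doing by hand in /etc/passwd.
    users = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[int(fields[2])] = fields[0]
    return users

def phishing_score(host):
    # Crude score: deep label nesting, unusual length, and stacked brand words.
    score = 0
    if host.count(".") >= 5:
        score += 1
    if len(host) > 40:
        score += 1
    return score + min(3, sum(1 for w in BRAND_WORDS if w in host.lower()))

def subdomain_adds(log_text, passwd_text, threshold=3):
    # One record per subdomain ADD; 'suspicious' marks names scoring at/above threshold.
    users = uid_map(passwd_text)
    events = []
    for line in log_text.splitlines():
        m = ADD_RE.search(line)
        if not m:
            continue
        uid, host = int(m.group(3)), m.group(2)
        events.append({"time": line[:15], "uid": uid, "user": users.get(uid, "<unknown>"),
                       "subdomain": host, "suspicious": phishing_score(host) >= threshold})
    return events
```

On a real server, feed the contents of /var/log/secure and /etc/passwd to subdomain_adds() and review every account that shows a suspicious record, not only the one already known to be hit.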
     