
I got hacked

Discussion in 'General Discussion' started by dob3rman, Jul 15, 2011.

  1. dob3rman (Active Member)
    Hi,

    Files have been uploaded to my server. Today I saw this in my logs:


    Jul 15 17:41:45 Cp-Wrap[9516]: Pushing "665 ADD security.accounts.update.clientb.o.a.team.security.all.com.accounts.paypal XXXXXXXXXXXXXXXXXXXXX 0 /home/xxxx/public_html/security.accounts.update.clientb.o.a.team.security.all.com.accounts.paypal " to '/usr/local/cpanel/bin/domainadmin' for UID: 665

    How do they upload stuff? Do they have SSH?

    Thanks!
     
    #1 dob3rman, Jul 15, 2011
    Last edited: Jul 15, 2011
  2. cPanelTristan (Quality Assurance Analyst, Staff Member; cPanel Access Level: Root Administrator)
    Which log showed this information? Without knowing which log file, it isn't possible to know how it was achieved.
     
  3. dob3rman (Active Member)
    # grep ADD /var/log/secure
     
  4. mtindor (Well-Known Member; cPanel Access Level: Root Administrator)
    Look in /etc/passwd and find out who UID 665 is -- I'm sure it's "xxxx". At any rate, it looks like somebody simply logged into the cPanel interface of that user and added the subdomain. That would mean that the perpetrator had gained the login credentials of the "xxxx" account. It could be indicative of bigger problems, or it could simply be that somebody stole the login credentials of "xxxx", perhaps by sniffing an unencrypted login session or perhaps by virtue of xxxx's PC being compromised by a virus/trojan.

    If you don't see this problem on any other accounts, change all passwords associated with this account [including email accounts] and tell the customer they can't have access until they run a thorough virus scan on any computers they use to access their website via FTP/HTTP. Before you tell them you suspect their login information was stolen due to their computer being infected with a virus or otherwise accessed by an evildoer, pick their brain a little bit -- ask them if they have had any recent viruses on their computers, or if they have noticed strange things happening on their PCs that might be indicative of a virus.

    As far as uploading things, they could upload via FTP, SSH [if you have it enabled on the account], via the filemanager in cPanel, or via an insecure script.

    M
     
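The two checks mtindor describes above (pull every subdomain ADD that Cp-Wrap pushed to domainadmin out of /var/log/secure, then map the UID in each line to the account in /etc/passwd) can be scripted so they run over the whole log rather than one line at a time. The script below is an added example and is not code from the thread or from cPanel. It assumes the field layout inside the quotes is the one visible in the single posted line (`<uid> ADD <domain> <masked field> 0 <document root>`); the function names are hypothetical, and the log lines, domain names, UIDs and passwd entries are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread or cPanel): list every subdomain ADD
# that Cp-Wrap pushed to /usr/local/cpanel/bin/domainadmin in a secure-style
# log, and resolve the UID on each line to its login name via a passwd file.
# The field layout assumed inside the quotes is taken from the one line posted:
#   <uid> ADD <domain> <masked field> 0 <document root>

# Print "uid domain docroot" for each Cp-Wrap ADD push. Reads the log on stdin.
cpwrap_adds() {
    awk '/Cp-Wrap\[/ && /domainadmin/ {
        s = $0
        sub(/.*Pushing "/, "", s)     # drop the syslog prefix up to the opening quote
        sub(/ *" to .*/, "", s)       # drop the closing quote, target and UID suffix
        n = split(s, f, " ")
        if (n >= 6 && f[2] == "ADD") print f[1], f[3], f[n]
    }'
}

# Map a numeric UID ($1) to a login name using passwd file $2 (default /etc/passwd).
# Prints nothing when the UID is not present.
uid_to_user() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "${2:-/etc/passwd}"
}

# Tab-separated report (uid, account, domain, docroot) for every ADD in log $1,
# resolving accounts against passwd file $2.
report_adds() {
    cpwrap_adds < "$1" | while read -r uid domain docroot; do
        user=$(uid_to_user "$uid" "$2")
        printf '%s\t%s\t%s\t%s\n' "$uid" "${user:-UNKNOWN}" "$domain" "$docroot"
    done
}

# Constructed sample data standing in for /var/log/secure and /etc/passwd.
# Domains, UIDs and user names are invented; the sshd line is there to show
# that unrelated entries are ignored.
SAMPLE_LOG=$(mktemp)
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jul 15 17:41:45 Cp-Wrap[9516]: Pushing "665 ADD security.accounts.update.example.test XXXXXXXX 0 /home/xxxx/public_html/security.accounts.update.example.test " to '/usr/local/cpanel/bin/domainadmin' for UID: 665
Jul 15 17:42:10 sshd[9600]: Accepted password for xxxx from 192.0.2.10 port 51234 ssh2
Jul 15 18:03:22 Cp-Wrap[9720]: Pushing "1002 ADD blog.example.test YYYYYYYY 0 /home/alice/public_html/blog " to '/usr/local/cpanel/bin/domainadmin' for UID: 1002
EOF
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
xxxx:x:665:665::/home/xxxx:/usr/local/cpanel/bin/noshell
alice:x:1002:1002::/home/alice:/usr/local/cpanel/bin/jailshell
EOF

report_adds "$SAMPLE_LOG" "$SAMPLE_PASSWD"
rm -f "$SAMPLE_LOG" "$SAMPLE_PASSWD"
```

On a real server, run `report_adds /var/log/secure /etc/passwd` instead of the sample files; an account name of UNKNOWN means the UID no longer exists in /etc/passwd, which is itself worth a look. Any docroot that is not under the account's own home directory is a second thing to check.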