Is it me or the ISP to blame for cPanel hack?

BarbaraZA (Registered; joined Nov 19, 2019; South Africa; cPanel Access Level: Website Owner)
Good day everybody

I am a web designer and maintain 26 domains. I am the only person with cPanel login details from a front-end perspective. I don't have access to the backend of cPanel being an end-user, so I need some advice from you clever people please.

During the past 2 weeks, half of the domains were accessed via cPanel by the same IP address. This person proceeded to create a sub-folder and upload a fake portal/script for online banking. The same pattern is followed in all of the compromised domains.

What I have seen:

  • .lastlogin records show the bad IP address login time and date
  • Raw Access files show the files that were uploaded by the bad IP address
  • He/she used a Gmail and a Yahoo account to send a test message from the server
  • WordPress firewall logs show no indication of brute-force entry

What I have in place:

  • I use 30-character auto-generated passwords for cPanel
  • Two of the compromised domains have no website (the ISP keeps telling me to update WP)
  • File permissions do not exceed 750
  • The WP sites all have firewalls and 2FA logins with strong passwords (Wordfence and iThemes)
  • WP sites are updated

The ISP blames me for the breach. I need to know how this happened in order to prevent it, but they are not helpful at all.

What information do you wonderful clever people need from me to ascertain what happened and how to prevent it? Needless to say, this experience hurt my business and that of my clients.

Thank you!
Barbara
 

cPanelLauren (Product Owner II, Staff member; joined Nov 14, 2017; Houston)
During the past 2 weeks, half of the domains were accessed via cPanel by the same IP address. This person proceeded to create a sub-folder and upload a fake portal/script for online banking. The same pattern is followed in all of the compromised domains.
How were they accessed?

The ISP blames me for the breach. I need to know how this happened to prevent it but they are not helpful at all.
I'm going to assume you mean Hosting Provider, not ISP in this instance.

The WP sites all have firewalls and 2FA logins with strong passwords (WordFence and iThemes)
WP sites are updated
Whether or not you have this configured, if one site on a cPanel account is using a vulnerable theme or plugin, it is possible for a compromise to affect all domains on that account. You might suggest your hosting provider run a malware scan on the account to identify the source of the compromise, if it exists. Otherwise, the only viable way they would have access would be a password compromise on either an FTP account or the cPanel account, which would need to be addressed by removing all affected scripts, blocking the offending IP address and changing the passwords.

cPanel has no control over the vulnerability of the content hosted on the server nor does it have any control over a potentially compromised password, considering that we do offer methods which you can employ to limit these kinds of situations.
 

BarbaraZA
Good day

Thank you for your reply.

(In my village we use the term ISP to imply hosting provider, since every ISP offers hosting too - sorry for the confusion) ;-)

The .lastlogin records indicate the bad IP address logged directly into cPanel for various domains. Raw Access records show him uploading the script, sending a test email and leaving. It all takes about 2 minutes.

  • The hosting provider told me to update and secure WP. WP is secure and updated.
  • Some hacked domains do not have a website; the client is only making use of email.
  • Some hacked sites are hand-coded HTML and/or PHP.
  • This morning the hosting provider told me that I must have a keylogger on my PC. I scan with updated Spybot and Malwarebytes on a regular basis. In fact, my HDD was replaced 7 days ago, right in the middle of the attacks taking place.
  • My PC is the only one that accesses cPanel; my clients have no access to it.
  • I use strong, unique, auto-generated passwords for everything. I reset all of them on Sunday, but on Monday one more site was infected with the malicious script.
  • Domains hosted with other local providers have remained unaffected.

This morning I noticed the hosting provider activated ModSecurity and suexec across the board. I have also not seen any additional bad IP logins.

It is not a blame-game between the hosting provider and myself. I just need to understand what happened. A blocked client website is not good news for anyone and I have to prevent it from happening again.

Thank you for your time.
Barbara
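One way to triage the raw access logs described above, as an added example that is not part of this thread or of cPanel's own tooling: cPanel raw access logs use the Apache "combined" format, so the script below parses them, treats one address as the designer's own, and reports every other client that used write methods or requested paths no trusted client ever touched (such as a freshly uploaded sub-folder). The IP addresses, paths and log lines are constructed for illustration.

```python
"""Triage a cPanel raw access log (Apache "combined" format): report clients outside
an allowlist that used write methods or requested paths no trusted client ever did.
Added example, not cPanel's own tooling; all IPs, paths and log lines are constructed."""
import re
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}

def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def triage(log_text, allowlist):
    """Return {ip: {count, first, last, writes, new_paths}} for every IP not in allowlist."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    known_paths = {r["path"] for r in recs if r["ip"] in allowlist}   # paths trusted clients use
    report = {}
    for r in recs:
        if r["ip"] in allowlist:
            continue
        h = report.setdefault(r["ip"], {"count": 0, "first": r["ts"], "last": r["ts"],
                                         "writes": [], "new_paths": set()})
        h["count"] += 1
        h["first"], h["last"] = min(h["first"], r["ts"]), max(h["last"], r["ts"])
        if r["method"] in WRITE_METHODS:
            h["writes"].append(r["path"])
        if r["path"] not in known_paths:          # e.g. a freshly uploaded sub-folder
            h["new_paths"].add(r["path"])
    return report

# Constructed sample: 198.51.100.7 is the designer's own address, 203.0.113.9 is unknown.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Nov/2019:09:12:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Nov/2019:23:41:10 +0200] "GET /secure-login/index.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Nov/2019:23:42:03 +0200] "POST /secure-login/index.php HTTP/1.1" 302 88 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Nov/2019:23:43:15 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Nov/2019:08:05:44 +0200] "POST /contact.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""
if __name__ == "__main__":
    for ip, h in triage(SAMPLE_LOG, {"198.51.100.7"}).items():
        print(f"{ip}: {h['count']} requests {h['first']}..{h['last']} "
              f"writes={h['writes']} unseen paths={sorted(h['new_paths'])}")
```

Run it against the account's real raw access log (cPanel >> Metrics >> Raw Access) with your own address in the allowlist; the window between first and last request for a flagged IP is the "about 2 minutes" pattern to look for.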
 

cPanelLauren
The .lastlogin records indicate the bad IP address logged directly into cPanel for various domains. Raw Access records show him uploading the script, sending a test email and leaving. It all takes about 2 minutes.
This would indicate that the person has your password in one form or another. @devzeronull, if that were the case in this instance, the user would have had their password changed; this is not what is occurring here as far as I am aware. In this instance, it would appear that the attacker has direct access to the cPanel account.

What I would do at this point:

  • Request that your provider run a malware scan on the account. You can do this yourself if ClamAV is available by going to cPanel >> Advanced >> Virus Scanner, though whether you have access to this is entirely host-dependent. Keep in mind that on a single cPanel account, because everything runs under the same UID, one vulnerable script can potentially leave every site on that specific account vulnerable, whether or not you have a CMS.
  • Once you're positive no further compromise on the account exists, I would ensure that you change all passwords associated with the account.
  • It sounds like you've done due diligence with the CMS installations you have present, so I won't remark on those.
  • If you haven't done so already, I'd block any/all IP addresses you're aware of being used by the attacker to access the server. This can be done by going to cPanel >> Security >> IP Blocker.
  • I'd also suggest enabling 2FA if it's available to your account. You can do this by going to cPanel >> Security >> Two Factor Authentication.
 

BarbaraZA
Good morning

Thank you kindly for all the information and advice.

The hosting provider blocked the IP address across the board and performed a malware scan on their end. I have requested access to 2FA for cPanel.

What a nasty experience! Thank you again for your time and trouble.

Regards
Barbara
 