login page hacked

[Dori]

Some of the accounts in our WHM have been attacked, now the cpanel page has a hack page. We can't find anywhere that this is, how can we resolve this issue please? Webmail has the same issue.

- Link Removed -

Thanks!
Adam

 

[Infopro]

If you suspect your server's been hacked, you should hire a professional to assist you with it. You can find that sort of thing on the cPanel AppCat, here:
cPanel App Catalog

Good luck with this.

 

[24x7server]

You need to scan complete server on first priority also please see if there are any root symlinks are available. This kind of attack generally occurs when root level hacking occurred. I would suggest you to have a look on below security checklist that you should perform :

==================================
CSF hardening
Installing Mod-Security with Advanced Rules
Installing Clamav Anti Virus
Installing Maldet
Installing LSM
Installing PRM
Lockdown & Hardening the Root Password
Secure SSHD Port
sysctl.conf Hardening
host.conf Hardening
Network Security with hosts.allow & hosts.deny
nsswitch.conf Hardening
Enable DDOS Protection
Root Login Email Notifications
Noexec, Nosuid Temporary Directories (noexec Directories such as /tmp, /var/tmp, /dev/shm)
Security Updates as released by OS and/or Control Panel
Disable Unwanted Services
Enable PHP Open_Basedir Protection
Enable mod_userdir Protection
Securing Console Access
PHP5 Hardening with disabling php functions.
Configuring Anti-Spam Features to Reduce Spam
==================================

Also you can have a look at ASL kind of tool which is being much effective against hacking.

 

[m0rpheu5]

i got hacked too, all my clients got blocked by cpanel, and the suspend page was modified, ok, i unsuspend everybody, but the /cpanel /whm /webmail page redirect to a hacked page, how can i fix this??

Thanks

 

[quizknows]

There's a "Template editor" in WHM. This is so root and/or resellers can edit pages like the suspended page, etc. If these were edited for root's templates (accounts owned by root and not a reseller) than your server is OWNED (rooted). You need to have your data center re-install the operating system and recover your users data from backups, hopefully after you figure out how you got rooted. If you have WHMCS, I'd be looking there, otherwise your root password was weak or stolen or you had an out-dated kernel that allowed privelege escalation.