Dori

Registered
Sep 23, 2013
cPanel Access Level
Reseller Owner
Some of the accounts in our WHM have been attacked; now the cPanel page shows a hack page. We can't find anywhere where this is, so how can we resolve this issue, please? Webmail has the same issue.

- Link Removed -

Thanks!
Adam
 

24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
You need to scan the complete server as the first priority; also please check whether any root symlinks are present. This kind of attack generally occurs when root-level hacking has occurred. I would suggest you have a look at the security checklist below, which you should perform:

==================================
CSF hardening
Installing Mod-Security with Advanced Rules
Installing Clamav Anti Virus
Installing Maldet
Installing LSM
Installing PRM
Lockdown & Hardening the Root Password
Secure SSHD Port
sysctl.conf Hardening
host.conf Hardening
Network Security with hosts.allow & hosts.deny
nsswitch.conf Hardening
Enable DDOS Protection
Root Login Email Notifications
Noexec, Nosuid Temporary Directories (noexec Directories such as /tmp, /var/tmp, /dev/shm)
Security Updates as released by OS and/or Control Panel
Disable Unwanted Services
Enable PHP Open_Basedir Protection
Enable mod_userdir Protection
Securing Console Access
PHP5 Hardening by disabling PHP functions
Configuring Anti-Spam Features to Reduce Spam
==================================

You can also have a look at a tool like ASL, which is quite effective against hacking.
 
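One way to audit the "Noexec, Nosuid Temporary Directories" item from the checklist above, as an added example that is not from this thread, from cPanel or from any of the tools named: a POSIX sh script that reads /proc/mounts-style lines (a constructed sample is embedded here in place of the real file) and reports each temp directory that is not a separate mount or lacks noexec/nosuid. All function names are the example's own.

```shell
#!/bin/sh
# Constructed sample standing in for /proc/mounts (device, mountpoint, fstype, options ...).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var/tmp ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# Print the mount options of mountpoint $1 found in mounts text $2 (empty if not mounted separately).
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4 }'
}

# Return 0 if every option in comma-separated list $2 appears in option string $1.
has_opts() {
    _list=",$1,"
    for _want in $(printf '%s' "$2" | tr ',' ' '); do
        case "$_list" in
            *",$_want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Audit directories given after the mounts text; print one line per problem,
# return the number of problems found (0 means every directory is hardened).
audit_tmp_dirs() {
    mounts="$1"; shift
    problems=0
    for dir in "$@"; do
        opts=$(mount_opts "$dir" "$mounts")
        if [ -z "$opts" ]; then
            echo "$dir: not a separate mount, so noexec/nosuid cannot apply"
            problems=$((problems + 1))
        elif ! has_opts "$opts" "noexec,nosuid"; then
            echo "$dir: mounted with '$opts', missing noexec and/or nosuid"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run against the constructed sample; on a live server pass "$(cat /proc/mounts)" instead.
audit_tmp_dirs "$SAMPLE_MOUNTS" /tmp /var/tmp /dev/shm || echo "$? temp dir(s) need attention"
```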

m0rpheu5

Well-Known Member
Jun 16, 2005
Brazil, Curitiba/PR
cPanel Access Level
Root Administrator
I got hacked too. All my clients got blocked by cPanel, and the suspend page was modified. OK, I unsuspended everybody, but the /cpanel, /whm and /webmail pages redirect to a hacked page. How can I fix this??

Thanks
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
There's a "Template editor" in WHM. This is so root and/or resellers can edit pages like the suspended page, etc. If these were edited for root's templates (accounts owned by root and not a reseller), then your server is OWNED (rooted). You need to have your data center re-install the operating system and recover your users' data from backups, hopefully after you figure out how you got rooted. If you have WHMCS, I'd be looking there; otherwise your root password was weak or stolen, or you had an out-dated kernel that allowed privilege escalation.