login page hacked

Discussion in 'Security' started by Dori, Sep 23, 2013.

  1. Dori

    Dori Registered

    cPanel Access Level:
    Reseller Owner
    Some of the accounts in our WHM have been attacked; now the cPanel page has a hack page. We can't find anywhere that this is. How can we resolve this issue, please? Webmail has the same issue.

    - Link Removed -

    Thanks!
    Adam
     
    #1 Dori, Sep 23, 2013
    Last edited by a moderator: Sep 23, 2013
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    cPanel Access Level:
    Root Administrator
    If you suspect your server's been hacked, you should hire a professional to assist you with it. You can find that sort of thing on the cPanel AppCat, here:
    cPanel App Catalog

    Good luck with this.
     
  3. 24x7server

    24x7server Well-Known Member

    cPanel Access Level:
    Root Administrator
    You need to scan the complete server as a first priority; also, please see if there are any root symlinks available. This kind of attack generally occurs when root-level hacking has occurred. I would suggest you have a look at the security checklist below, which you should perform:

    ==================================
    CSF hardening
    Installing Mod-Security with Advanced Rules
    Installing Clamav Anti Virus
    Installing Maldet
    Installing LSM
    Installing PRM
    Lockdown & Hardening the Root Password
    Secure SSHD Port
    sysctl.conf Hardening
    host.conf Hardening
    Network Security with hosts.allow & hosts.deny
    nsswitch.conf Hardening
    Enable DDOS Protection
    Root Login Email Notifications
    Noexec, Nosuid Temporary Directories (noexec Directories such as /tmp, /var/tmp, /dev/shm)
    Security Updates as released by OS and/or Control Panel
    Disable Unwanted Services
    Enable PHP Open_Basedir Protection
    Enable mod_userdir Protection
    Securing Console Access
    PHP5 Hardening with disabling php functions.
    Configuring Anti-Spam Features to Reduce Spam
    ==================================

    Also, you can have a look at an ASL kind of tool, which is very effective against hacking.
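
Added example (not part of the post above and not cPanel tooling): one way to verify the checklist item "Noexec, Nosuid Temporary Directories" by reading mount data in /proc/mounts format and reporting which of /tmp, /var/tmp and /dev/shm lack noexec or nosuid. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the temporary directories from the checklist for noexec/nosuid.
# Input is in /proc/mounts format: device mountpoint fstype options dump pass

check_tmp_mounts() {
    # $1: mounts file to read (defaults to the live /proc/mounts)
    mounts_file="${1:-/proc/mounts}"
    rc=0
    for dir in /tmp /var/tmp /dev/shm; do
        # Last matching line wins: a later mount shadows an earlier one on the same path.
        opts=$(awk -v d="$dir" '$2 == d { o = $4 } END { print o }' "$mounts_file")
        if [ -z "$opts" ]; then
            # Not its own mount point, so it inherits the parent filesystem's options.
            echo "$dir: NOT-SEPARATE-MOUNT"
            rc=1
            continue
        fi
        missing=""
        for want in noexec nosuid; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$dir: MISSING$missing"
            rc=1
        else
            echo "$dir: OK"
        fi
    done
    return "$rc"
}

# Constructed sample data (not from the thread): /tmp hardened, /dev/shm only nosuid,
# /var/tmp absent because it is a plain directory on the root filesystem.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

sample=$(mktemp)
write_sample_mounts "$sample"
check_tmp_mounts "$sample" || echo "one or more temporary directories need attention"
rm -f "$sample"
```

Calling `check_tmp_mounts` with no argument audits the live `/proc/mounts`; a non-zero exit status means at least one directory is unhardened or is not a separate mount.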
     
  4. m0rpheu5

    m0rpheu5 Well-Known Member

    cPanel Access Level:
    Root Administrator
    I got hacked too. All my clients got blocked by cPanel, and the suspend page was modified. OK, I unsuspended everybody, but the /cpanel, /whm and /webmail pages redirect to a hacked page. How can I fix this?

    Thanks
     
  5. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    There's a "Template editor" in WHM. This is so root and/or resellers can edit pages like the suspended page, etc. If these were edited for root's templates (accounts owned by root and not a reseller), then your server is OWNED (rooted). You need to have your data center re-install the operating system and recover your users' data from backups, hopefully after you figure out how you got rooted. If you have WHMCS, I'd be looking there; otherwise your root password was weak or stolen, or you had an outdated kernel that allowed privilege escalation.
     