
looking at log files to see if a cpanel vulnerability was used to hack a website

Discussion in 'General Discussion' started by yawnmoth, Nov 3, 2006.

  1. yawnmoth

    yawnmoth Registered

    Sep 8, 2006
    A friend of mine who's running a website on a shared host was recently hacked. The only web app they have on the site is WordPress and they keep it up-to-date rather religiously (within a day of new versions being announced). This makes me think that cPanel might have been the culprit; however, I'm not really sure how to prove this. Would the server logs - which normally show requests made on port 80 - show requests made on port 2082 (i.e. the "cPanel port")? If not, might cPanel, itself, be able to provide me with the logs of people who have accessed it?
  2. brianoz

    brianoz Well-Known Member

    Mar 13, 2004
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    It could have been an "unknown" bug in WordPress that was exploited. Probably unlikely they'd get in via cPanel - but could also be an "unknown" bug there. There are some logs in /var/cpanel that you might check out, don't know enough to be more concrete.

    I'd also spend some time reading their logs (from the WordPress site). You could try using some tight "grep -v" patterns to filter out the normal activity lines, thus reducing the volume substantially.
  3. randomuser

    randomuser Well-Known Member

    Jun 25, 2005

    Keep in mind updating a vulnerable app within a day doesn't really mean anything. The vuln that was patched could have been (and almost guaranteed was) known by numerous individuals long before the patch was released. WordPress just released an update with something like what, 50+ bug fixes, including at least a handful of security updates?

    Within hours of the PHP unserialize() vuln being posted about for miniBB I saw someone get hacked with it. Not even close to a day.

    I'd start with the domlogs first, then the cPanel logs later. Also keep in mind that it's trivial to completely bypass the domlog.
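
The "grep -v" approach suggested in the thread, as an added example that is not part of any post above: it drops routine requests from an Apache combined-format access log and counts what is left per client. The sample log lines, paths and exclusion patterns are constructed assumptions and need tuning to the site's real traffic.

```shell
#!/usr/bin/env bash
# Added example: strip routine traffic from an access log so the remainder
# is small enough to read by hand. Patterns are assumptions, not site-specific.

# Constructed sample log (documentation IP ranges, made-up paths).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [02/Nov/2006:10:01:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Nov/2006:10:01:12 +0000] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.11 - - [02/Nov/2006:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Nov/2006:10:03:45 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Nov/2006:10:04:02 +0000] "GET /index.php?page=http://example.invalid/x.txt HTTP/1.1" 200 312 "-" "libwww-perl/5.805"
192.0.2.12 - - [02/Nov/2006:10:05:30 +0000] "GET /?p=12 HTTP/1.1" 200 7340 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Nov/2006:10:06:10 +0000] "GET /wp-content/uploads/notes.php HTTP/1.1" 200 95 "-" "libwww-perl/5.805"
EOF
}

# Reads a log on stdin and drops two kinds of routine line:
#   first grep:  GETs of static assets answered 200 or 304
#   second grep: GETs of the front page or a ?p=N permalink answered 200 or 304
# Everything else (POSTs, unusual query strings, unexpected scripts) is kept.
filter_routine() {
    grep -Ev '"GET [^" ]*\.(css|js|png|gif|jpg|ico)(\?[^" ]*)? HTTP/[0-9.]+" (200|304) ' |
    grep -Ev '"GET /(index\.php)?(\?p=[0-9]+)? HTTP/[0-9.]+" (200|304) '
}

# Counts the remaining lines per client address, busiest first.
remaining_by_client() {
    filter_routine | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

sample_log | filter_routine
sample_log | remaining_by_client
```

On a real server, pipe the site's own access log into `filter_routine` in place of `sample_log`, and add further exclusion patterns only after confirming the lines they drop are routine.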
