looking at log files to see if a cpanel vulnerability was used to hack a website

yawnmoth

Registered
Sep 8, 2006
A friend of mine who's running a website on a shared host was recently hacked. The only web app they have on the site is WordPress and they keep it up-to-date rather religiously (within a day of new versions being announced). This makes me think that cPanel might have been the culprit; however, I'm not really sure how to prove this. Would the server logs, which normally show requests made on port 80, show requests made on port 2082 (i.e. the "cPanel port")? If not, might cPanel itself be able to provide me with the logs of people who have accessed it?

brianoz

Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level
Root Administrator
It could have been an "unknown" bug in WordPress that was exploited. Probably unlikely they'd get in via cPanel, but it could also be an "unknown" bug there. There are some logs in /var/cpanel that you might check out; I don't know enough to be more concrete.

I'd also spend some time reading their logs (from the WordPress site). You could try using some tight "grep -v" patterns to filter out the normal activity lines, thus reducing the volume substantially.

randomuser

Well-Known Member
Jun 25, 2005
/usr/local/cpanel/logs/
/var/log/secure

Keep in mind updating a vulnerable app within a day doesn't really mean anything. The vuln that was patched could have been (and almost guaranteed was) known by numerous individuals long before the patch was released. WordPress just released an update with something like what, 50+ bug fixes, including at least a handful of security updates?

Within hours of the PHP unserialize() vuln being posted about for miniBB I saw someone get hacked with it. Not even close to a day.

I'd start with the domlogs first, then the cPanel logs later. Also keep in mind that it's trivial to completely bypass the domlog.
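The "tight grep -v" filtering suggested above and the advice to start with the domlogs, put together as an added example (my own script, not from anyone in the thread). The domlog path, the WordPress endpoint names and the log lines are all assumptions or constructed sample data.

```shell
#!/bin/sh
# Added example: quick domlog triage using exclusion (grep -v) plus inclusion passes.
# Paths such as /usr/local/apache/domlogs/<domain> are assumptions.

# Constructed Apache combined-format sample (not from the original thread).
write_sample_log() {
  cat > "$1" <<'EOF'
198.51.100.10 - - [10/Sep/2006:10:00:01 +1000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.10 - - [10/Sep/2006:10:00:02 +1000] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 812 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2006:10:05:13 +1000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2006:10:05:14 +1000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2006:10:05:15 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2006:10:05:20 +1000] "GET /wp-admin/theme-editor.php?file=functions.php HTTP/1.1" 200 8901 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2006:10:05:31 +1000] "POST /wp-content/uploads/2006/09/x.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2006:10:06:02 +1000] "GET /wp-admin/ HTTP/1.1" 200 12044 "-" "Mozilla/5.0"
EOF
}

# Exclusion pass: drop ordinary successful GETs and bot noise (404s for
# favicon/robots). What is left is small enough to read by hand.
strip_normal() {
  grep -v -E '"GET [^"]+ HTTP/1\.[01]" (200|304) ' "$1" \
    | grep -v -E '"GET /(favicon\.ico|robots\.txt) '
}

# Inclusion pass: exclusion alone hides a successful GET to the theme editor,
# so also pull every POST and every hit on the WordPress admin surface.
admin_activity() {
  grep -E '"POST |/(wp-login\.php|xmlrpc\.php|wp-admin/)' "$1"
}

# Which clients produced the leftovers? Reads log lines on stdin.
top_ips() {
  awk '{print $1}' | sort | uniq -c | sort -rn
}

triage() {
  echo "== not-normal requests =="; strip_normal "$1"
  echo "== POSTs and admin-surface hits =="; admin_activity "$1"
  echo "== clients behind the not-normal lines =="; strip_normal "$1" | top_ips
}

# Usage: sh triage.sh /usr/local/apache/domlogs/example.com  (assumed path)
if [ "$#" -ge 1 ]; then triage "$1"; fi
```

Run the two passes side by side: the exclusion list shrinks the file, the inclusion list catches the admin-surface hits that a 200 status would otherwise hide.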