The Community Forums

looking at log files to see if a cpanel vulnerability was used to hack a website

Discussion in 'General Discussion' started by yawnmoth, Nov 3, 2006.

  1. yawnmoth (Registered; joined Sep 8, 2006)
    A friend of mine who's running a website on a shared host was recently hacked. The only web app they have on the site is WordPress and they keep it up-to-date rather religiously (within a day of new versions being announced). This makes me think that cPanel might have been the culprit; however, I'm not really sure how to prove this. Would the server logs, which normally show requests made on port 80, show requests made on port 2082 (i.e. the "cPanel port")? If not, might cPanel itself be able to provide me with the logs of people who have accessed it?
     
  2. brianoz (Well-Known Member; joined Mar 13, 2004; Melbourne, Australia; cPanel Access Level: Root Administrator)
    It could have been an "unknown" bug in WordPress that was exploited. Probably unlikely they'd get in via cPanel, but there could also be an "unknown" bug there. There are some logs in /var/cpanel that you might check out; I don't know enough to be more concrete.

    I'd also spend some time reading their logs (from the WordPress site). You could try using some tight "grep -v" patterns to filter out the normal activity lines, thus reducing the volume substantially.
     
  3. randomuser (Well-Known Member; joined Jun 25, 2005)
    /usr/local/cpanel/logs/
    /var/log/secure

    Keep in mind updating a vulnerable app within a day doesn't really mean anything. The vuln that was patched could have been (and almost guaranteed was) known by numerous individuals long before the patch was released. WordPress just released an update with something like what, 50+ bug fixes, including at least a handful of security updates?

    Within hours of the PHP unserialize() vuln being posted about for miniBB I saw someone get hacked with it. Not even close to a day.

    I'd start with the domlogs first, then the cPanel logs later. Also keep in mind that it's trivial to completely bypass the domlog.
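An added worked example, not code from the thread or from cPanel: a small POSIX shell script that does what the two replies above describe, first thinning a domlog with tight "grep -v" patterns, then pulling out the requests that most often mark a WordPress break-in, ranking the sources, and finally replaying everything one source did. Two editorial notes on the original question: requests to port 2082 are served by cPanel's own daemon (cpsrvd), not Apache, so they never appear in a domlog; cpsrvd writes its own access log under /usr/local/cpanel/logs/ (the directory named above). The domlog also only holds requests that Apache attributed to that virtual host, so requests made against the server's bare IP or another vhost land in Apache's main access log instead, which is one way the domlog gets "bypassed". The log lines in SAMPLE_LOG are constructed for this example, and the domlog path in the comments is an assumption about where that era's cPanel kept per-domain Apache logs.

```shell
#!/bin/sh
# Added example: triage a cPanel domlog (Apache "combined" format).
# Every function reads the log on stdin, so on a real server you would run e.g.
#   filter_noise < /usr/local/apache/domlogs/example.com
# (assumed path; check where your cPanel version keeps per-domain Apache logs).
# SAMPLE_LOG is constructed for this example; none of it comes from the thread.

SAMPLE_LOG="$(cat <<'EOF'
203.0.113.5 - - [03/Nov/2006:10:01:02 -0500] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Nov/2006:10:01:03 -0500] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 812 "http://example.com/" "Mozilla/5.0"
203.0.113.5 - - [03/Nov/2006:10:01:03 -0500] "GET /images/header.jpg HTTP/1.1" 200 4096 "http://example.com/" "Mozilla/5.0"
198.51.100.9 - - [03/Nov/2006:10:02:10 -0500] "POST /wp-login.php HTTP/1.1" 200 1501 "-" "Mozilla/4.0"
198.51.100.9 - - [03/Nov/2006:10:02:11 -0500] "POST /wp-login.php HTTP/1.1" 200 1501 "-" "Mozilla/4.0"
198.51.100.9 - - [03/Nov/2006:10:02:12 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.9 - - [03/Nov/2006:10:02:30 -0500] "GET /wp-admin/theme-editor.php?file=index.php HTTP/1.1" 200 9021 "-" "Mozilla/4.0"
198.51.100.9 - - [03/Nov/2006:10:02:55 -0500] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.44 - - [03/Nov/2006:10:05:00 -0500] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2210 "-" "libwww-perl/5.805"
192.0.2.44 - - [03/Nov/2006:10:05:01 -0500] "GET /wp-content/uploads/c99.php?act=cmd HTTP/1.1" 200 7720 "-" "libwww-perl/5.805"
66.249.66.1 - - [03/Nov/2006:10:06:00 -0500] "GET /robots.txt HTTP/1.1" 200 45 "-" "Googlebot/2.1"
EOF
)"

# Step 1: tight "grep -v" patterns that drop what is almost never interesting.
# Each pattern is anchored on the request field ("GET <path> HTTP/"), so a
# query string or user agent that merely contains "style.css" is not dropped.
# Deliberately no filtering on User-Agent: the attacker chooses that string.
filter_noise() {
    grep -v -E '"GET [^" ?]+\.(css|js|jpe?g|gif|png|ico) HTTP/' \
    | grep -v -E '"GET /robots\.txt HTTP/'
}

# Step 2: from what is left, keep the requests that most often mark a
# WordPress compromise: traversal or null bytes in parameters, use of the
# theme/plugin editor (which writes PHP to disk), PHP executed out of the
# uploads directory, and POSTs to wp-login.php (guessing or a stolen login).
flag_suspicious() {
    grep -E '\.\./|%00|/wp-admin/(theme|plugin)-editor\.php|/wp-content/uploads/[^" ]*\.php|"POST /wp-login\.php'
}

# Step 3: rank the remaining traffic by source address and name the worst one.
top_source() {
    awk '{ print $1 }' | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2 }'
}

# Step 4: once a source stands out, read everything it did, in order,
# including the static requests that filter_noise discarded.
trace_ip() {
    awk -v ip="$1" '$1 == ip'
}

echo "== requests left after the noise filter =="
printf '%s\n' "$SAMPLE_LOG" | filter_noise
echo
echo "== likely attack traffic, ranked by source =="
printf '%s\n' "$SAMPLE_LOG" | filter_noise | flag_suspicious \
    | awk '{ print $1 }' | sort | uniq -c | sort -rn
echo
worst="$(printf '%s\n' "$SAMPLE_LOG" | filter_noise | flag_suspicious | top_source)"
echo "== full timeline for $worst =="
printf '%s\n' "$SAMPLE_LOG" | trace_ip "$worst"
```

On the constructed sample the noise filter drops three of eleven lines, the attack patterns match seven of the remaining eight, and 198.51.100.9 stands out with five hits; its full trace shows the sequence that matters (repeated wp-login.php POSTs, then a write through theme-editor.php). Treat the pattern lists as a starting point that you extend as you read: the grep -v list grows with every class of line you have confirmed is benign, and anything still unexplained gets read by hand rather than filtered away.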