mail subdomains of all hosted accounts have been defaced

reza1217

Registered
Jan 23, 2009
2
0
51
All my domains that have local hosted mail services have their mail.domain.com defaced. The webmail sub domain works fine. Can anyone suggest what I could try to fix this issue?
 

reza1217

Registered
Jan 23, 2009
2
0
51
Re: mail subdomains of all hosted accounts have been defaced fixed

Have fixed this by removing the index.html and index.php file which has been placed in the /usr/local/apache/htdocs/ directory.
 

morissette

Well-Known Member
May 24, 2009
119
2
66
Austin, TX
cPanel Access Level
Root Administrator
Typically mail.domain.com will route to the main page served up on the IP of mail.domain.com

For example, if foodom.com was the main page that was returned when going to 123.456.78.91 and mail.somedom.com also pointed to 123.456.78.91, you would be able to determine that foodom.com was the actual site that was compromised.

Once you determine which site is compromised it is best to get a stat of the index file so you know when the defacement occurred and then you can backtrack through the logs to see how the malicious user compromised your account.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Of note, the timestamps for the pages would need to be checked to get an idea when the compromise happened. Once you've removed the pages, you can then no longer tell the timestamp for when the attack occurred. That timestamp matters a lot to tell you logs to check as well as to check for any processes that might still be running from that time.