The Community Forums


mail subdomains of all hosted accounts have been defaced

Discussion in 'Security' started by reza1217, Oct 29, 2011.

  1. reza1217

    reza1217 Registered

    Joined:
    Jan 23, 2009
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    All my domains that have local hosted mail services have their mail.domain.com defaced. The webmail sub domain works fine. Can anyone suggest what I could try to fix this issue?
     
  2. reza1217

    reza1217 Registered

    Joined:
    Jan 23, 2009
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Re: mail subdomains of all hosted accounts have been defaced fixed

    Have fixed this by removing the index.html and index.php files which had been placed in the /usr/local/apache/htdocs/ directory.
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    How did someone get into that directory and upload pages? I think removing the pages is a good idea, but I wouldn't consider the problem solved either.
     
  4. morissette

    morissette Well-Known Member

    Joined:
    May 24, 2009
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Austin, TX
    cPanel Access Level:
    Root Administrator
    Typically mail.domain.com will route to the main page served up on the IP of mail.domain.com.

    For example, if foodom.com was the main page that was returned when going to 123.456.78.91 and mail.somedom.com also pointed to 123.456.78.91, you would be able to determine that foodom.com was the actual site that was compromised.

    Once you determine which site is compromised it is best to get a stat of the index file so you know when the defacement occurred and then you can backtrack through the logs to see how the malicious user compromised your account.
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Of note, the timestamps for the pages would need to be checked to get an idea when the compromise happened. Once you've removed the pages, you can then no longer tell the timestamp for when the attack occurred. That timestamp matters a lot to tell you which logs to check as well as to check for any processes that might still be running from that time.
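The advice in posts 4 and 5 (get a stat of the defaced index file first, then use that time to narrow down which logs to read) can be turned into a small shell routine. The script below is an added example, not code from this thread or from cPanel: it quarantines the pages instead of deleting them so their modification times survive, converts an mtime into the hour prefix that Apache access logs use, and filters a log for state-changing requests in that hour. The document root, quarantine path and the sample log lines are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: preserve the evidence
# that posts 4 and 5 say to collect (file timestamps) before the defacement
# pages are removed, then use that hour to narrow the Apache access log.
# Paths and the sample log lines below are constructed for illustration.

# Print the mtime of a file as a Unix epoch (GNU stat first, BSD stat fallback).
file_mtime_epoch() {
  stat -c '%Y' "$1" 2>/dev/null || stat -f '%m' "$1"
}

# Convert an epoch to the "DD/Mon/YYYY:HH" prefix used in Apache access logs
# (UTC), so it can be matched against the timestamp field of each log line.
epoch_to_log_hour() {
  date -u -d "@$1" '+%d/%b/%Y:%H' 2>/dev/null || date -u -r "$1" '+%d/%b/%Y:%H'
}

# Move defacement pages into a quarantine directory instead of deleting them.
# mv keeps the modification time, so the evidence survives; the owner and
# mtime hour of each file are printed first. Prints nothing if no file exists.
quarantine_defacement() {
  docroot="$1"; qdir="$2"
  mkdir -p "$qdir" || return 1
  for f in "$docroot"/index.html "$docroot"/index.php; do
    [ -f "$f" ] || continue
    printf '%s owner=%s mtime=%s\n' "$f" \
      "$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")" \
      "$(epoch_to_log_hour "$(file_mtime_epoch "$f")")"
    mv "$f" "$qdir"/ || return 1
  done
}

# Read an access log on stdin and keep only state-changing requests
# (POST/PUT) made in the given hour, the requests most likely to have
# written the defacement pages.
suspicious_in_window() {
  grep -F "[$1" | grep -E '"(POST|PUT) '
}

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG='203.0.113.5 - - [29/Oct/2011:13:58:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Oct/2011:14:02:17 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 540 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Oct/2011:14:03:40 +0000] "GET /index.html HTTP/1.1" 200 320 "-" "curl/7.21"
192.0.2.9 - - [29/Oct/2011:16:10:00 +0000] "POST /contact.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"'

# Number of suspicious requests in the sample log for a given hour prefix.
count_suspicious() {
  printf '%s\n' "$SAMPLE_LOG" | suspicious_in_window "$1" | wc -l | tr -d ' '
}

# Usage on a real server (hypothetical paths):
#   quarantine_defacement /usr/local/apache/htdocs /root/defacement-evidence
#   suspicious_in_window 29/Oct/2011:14 < /usr/local/apache/logs/access_log
```

Quarantining with `mv` rather than `rm` is the point: the file's mtime is what tells you which hour of the access log to read, and a POST to an editor or upload script in that hour is usually the first concrete lead on how the pages got there. With per-account logs the same filter can be run against each domain's log to find which site on the shared IP was actually compromised, as post 4 describes.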
     