mass defacement

Discussion in 'Security' started by alex.bogatu, May 28, 2013.

  1. alex.bogatu

    alex.bogatu Registered

    Hello!
    My name is Alex Bogatu and I am a system engineer. I have in my administration a cPanel server with almost 1300 sites hosted. A couple of days ago this server was the target of a mass defacement attack and there were almost 1000 sites affected. The attacker apparently replaced the content of each site with his own index.html. This attacker's name is Islamic Ghost Team and zone-h.com is saying that there were 30000 sites affected in just 3 or 4 days.

    The big problem is that I detected that the attacker changed the root password on my server. So he, somehow, uploaded a privilege escalation script or something like that. My question is: is there some vulnerability in cPanel not yet made public? Or is there someone who got the same problem? I read on Google that this is not the first time those guys crack sites.

    I have version 11.36.1 (build 6).

    Thanks
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    It's always recommended to reinstall the OS if your server was rooted. It's a good idea to consult with a qualified system administrator or security specialist if your system has been exploited and you have little experience with security. Some companies list their services for this in the cPanel application catalog:

    cPanel Application Catalog - System Administration Services

    There are also several threads on this forum with users asking similar questions that should be helpful to you. If you are concerned that a vulnerability exists in cPanel that allowed this to happen, you should open a support ticket via:

    Submit A Ticket

    Thank you.
     
  3. alex.bogatu

    alex.bogatu Registered

    The attack was a mass defacement. There are no rootkits on the system. I wanted to know if there are vulnerabilities known in the last stable version of cPanel. This attack affected 30000 sites from multiple countries. My opinion is that this attack is an exploit based on a vulnerability in cPanel. I wanted to know if someone else had this problem. I know there was a similar attack in 2011.
     
  4. nospa

    nospa Well-Known Member

    Just verify the cPanel access_logs to find out whether someone executed any command using a WHM or cPanel user account.
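
One way to run the log check suggested in post 4, shown as an added example that is not part of the original thread: it groups authenticated requests by account and source IP and lists the POST paths each pair sent. The log location, the combined-style line layout, the `known_ips` parameter and the sample lines are assumptions or constructed.

```python
import re
from collections import defaultdict

# Assumption: lines start like Apache combined format
#   ip - user [time] "METHOD path PROTO" ...
# as in /usr/local/cpanel/logs/access_log; trailing fields are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)'
)

def summarize(lines, known_ips=frozenset()):
    """Group authenticated requests by (user, source IP)."""
    out = defaultdict(lambda: {"requests": 0, "post_paths": [],
                               "first": None, "last": None,
                               "unknown_ip": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] == "-":   # unparsable or not logged in
            continue
        rec = out[(m["user"], m["ip"])]
        rec["requests"] += 1
        if m["method"] == "POST":       # state-changing requests
            rec["post_paths"].append(m["path"])
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
        rec["unknown_ip"] = m["ip"] not in known_ips
    return dict(out)

def suspicious(summary):
    """(user, ip) pairs whose source address is not a known admin address."""
    return sorted(k for k, v in summary.items() if v["unknown_ip"])

# Constructed sample lines: documentation IPs, made-up tokens and paths.
SAMPLE = [
    '192.0.2.10 - root [25/May/2013:09:00:01 -0500] "GET /cpsess0000000001/ HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2087',
    '198.51.100.7 - root [26/May/2013:02:11:40 -0500] "GET /cpsess0000000002/ HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2087',
    '198.51.100.7 - root [26/May/2013:02:12:05 -0500] "POST /cpsess0000000002/scripts/example_action HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2087',
    '203.0.113.5 - - [26/May/2013:02:13:00 -0500] "GET /login/ HTTP/1.1" 401 0 "-" "Mozilla/5.0" "-" "-" 2083',
    '192.0.2.10 - alice [26/May/2013:10:00:00 -0500] "GET /cpsess0000000003/frontend/ HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083',
]

if __name__ == "__main__":
    report = summarize(SAMPLE, known_ips={"192.0.2.10"})
    for user, ip in suspicious(report):
        r = report[(user, ip)]
        print(user, ip, r["requests"], r["first"], r["last"], r["post_paths"])
```

An empty result does not clear the server: anyone who held root could have edited or truncated the log.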
     
  5. alex.bogatu

    alex.bogatu Registered

    I have already done that. I searched every possible log file. There is no trace. But... the fact that he hacked so many sites (almost 1000 just on my server)... is it not possible that this is a cPanel vulnerability not yet reported?
     
    #5 alex.bogatu, May 28, 2013
    Last edited: May 29, 2013
  6. LDHosting

    LDHosting Well-Known Member

    You really will need to reinstall that server and restore the accounts from backups. If they have had root, that server cannot be trusted.

    There have been a few kernel exploits recently, were you running an up to date kernel? Have you restored any cPanel backups recently?
     
  7. alex.bogatu

    alex.bogatu Registered

  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member
