alex.bogatu

Registered
May 27, 2013
cPanel Access Level
Root Administrator
Hello!
My name is Alex Bogatu and I am a system engineer. I have in my administration a cPanel server with almost 1300 sites hosted. A couple of days ago this server was the target of a mass defacement attack and there were almost 1000 sites affected. The attacker apparently replaced the content of each site with his own index.html. This attacker's name is Islamic Ghost Team and zone-h.com is saying that there were 30000 sites affected in just 3 or 4 days.

The big problem is that I detected that the attacker changed the root password on my server. So he, somehow, uploaded a privilege escalation script or something like that. My question is: is there some vulnerability in cPanel not yet made public? Or has someone else had the same problem? I read on Google that this is not the first time those guys have cracked sites.

I have version 11.36.1 (build 6).

Thanks
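Added example (not part of the original thread, and not cPanel's own tooling): one way to scope a defacement like the one described above before touching anything. It assumes the default /home/<account>/public_html layout; the account names and page contents are constructed and written into a temporary directory so the script runs offline. On the real server the same functions would be pointed at /home.

```python
"""Scope a mass defacement: which accounts now serve the same replaced index.html?

Added example, not from the original thread. Unrelated customers do not ship
byte-identical front pages, so one content hash shared by many accounts is the
attacker's page, and the list of accounts carrying it is the blast radius.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed sample content (assumption for illustration): the attacker's page,
# identical on every hit account, plus two legitimate and distinct pages.
DEFACED_HTML = b"<html><body>Hacked by <b>Islamic Ghost Team</b></body></html>"
SAMPLE_ACCOUNTS = {
    "shop1": DEFACED_HTML,
    "blog2": DEFACED_HTML,
    "corp3": b"<html><body>Corp Inc. homepage</body></html>",
    "news4": DEFACED_HTML,
    "tidy5": b"<html><body>Welcome to tidy5</body></html>",
}


def build_sample_home():
    """Create <tmp>/<account>/public_html/index.html for each sample account."""
    home = tempfile.mkdtemp(prefix="home_")
    for acct, body in SAMPLE_ACCOUNTS.items():
        docroot = os.path.join(home, acct, "public_html")
        os.makedirs(docroot)
        with open(os.path.join(docroot, "index.html"), "wb") as fh:
            fh.write(body)
    return home


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def group_index_pages(home):
    """Map sha256(index.html) -> sorted list of accounts whose docroot serves it."""
    groups = defaultdict(list)
    for acct in sorted(os.listdir(home)):
        index = os.path.join(home, acct, "public_html", "index.html")
        if os.path.isfile(index):
            groups[sha256_file(index)].append(acct)
    return dict(groups)


def defaced_accounts(home, min_shared=2):
    """Return [(digest, accounts), ...] for every index.html shared by at least
    `min_shared` accounts, largest group first."""
    groups = group_index_pages(home)
    hits = [(h, accts) for h, accts in groups.items() if len(accts) >= min_shared]
    return sorted(hits, key=lambda kv: len(kv[1]), reverse=True)


if __name__ == "__main__":
    home = build_sample_home()  # on a real server: home = "/home"
    for digest, accts in defaced_accounts(home):
        print(f"{digest[:16]}  {len(accts)} accounts: {', '.join(accts)}")
```

Two checks worth adding by hand on the real box: `ls -l --time-style=full-iso` on the dropped files, because a tight cluster of mtimes gives the attack window to search the logs for, and the owner of the files, because index.html files owned by root rather than by each account mean whoever wrote them already had root, which matches the changed root password and supports the reinstall advice given in the replies.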

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

It's always recommended to reinstall the OS if your server was rooted. It's a good idea to consult with a qualified system administrator or security specialist if your system has been exploited and you have little experience with security. Some companies list their services for this in the cPanel application catalog:

cPanel Application Catalog - System Administration Services

There are also several threads on this forum with users asking similar questions that should be helpful to you. If you are concerned that a vulnerability exists in cPanel that allowed this to happen, you should open a support ticket via:

Submit A Ticket

Thank you.

alex.bogatu

Registered
May 27, 2013
cPanel Access Level
Root Administrator
The attack was a mass defacement. There are no rootkits on the system. I wanted to know if there are known vulnerabilities in the last stable version of cPanel. This attack affected 30000 sites from multiple countries. My opinion is that this attack is an exploit based on a vulnerability in cPanel. I wanted to know if someone else has had this problem. I know there was a similar attack in 2011.

nospa

Well-Known Member
Apr 23, 2012
cPanel Access Level
Reseller Owner
Just check the cPanel access_log to find out whether someone executed any command using a WHM or cPanel user account.
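Added example (not from the thread, and not cPanel's own tooling) of the check suggested above, run over constructed sample log lines. It assumes the Apache-combined-style layout of /usr/local/cpanel/logs/access_log with the authenticated user in the third field; the request paths in the sample and the password-change URL substrings it matches are assumptions for illustration, not a list taken from cPanel, so confirm them against the real log. It flags three things: one client IP authenticating as many different accounts in quick succession (the shape of a mass defacement driven by stolen or reused credentials), any root session from an IP outside a trusted list, and any request to a password-changing endpoint.

```python
"""Hunt through cPanel/WHM access_log lines for signs of mass account abuse.

Added example, not from the original thread. Log layout, request paths and
PASSWD_HINTS are assumptions made for this illustration.
"""
import re
from collections import defaultdict

# client IP, '-', authenticated user, [timestamp], "METHOD path HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed heuristic: substrings that mark a password-change request.
PASSWD_HINTS = ("passwd", "chpass", "changepass", "changerootpassword")

# Constructed sample log (TEST-NET addresses). 198.51.100.10 is the admin's
# workstation; 203.0.113.7 walks five customer accounts and then logs in as root.
SAMPLE_LOG = """\
198.51.100.10 - root [27/05/2013:08:01:12 -0000] "GET /scripts/command?PFILE=main HTTP/1.1" 200 4120 "" "Mozilla/5.0"
203.0.113.7 - shop1 [27/05/2013:09:14:02 -0000] "POST /frontend/x3/filemanager/upload-ajax.html HTTP/1.1" 200 88 "" "Mozilla/5.0"
203.0.113.7 - blog2 [27/05/2013:09:14:09 -0000] "POST /frontend/x3/filemanager/upload-ajax.html HTTP/1.1" 200 88 "" "Mozilla/5.0"
203.0.113.7 - news4 [27/05/2013:09:14:15 -0000] "POST /frontend/x3/filemanager/upload-ajax.html HTTP/1.1" 200 88 "" "Mozilla/5.0"
203.0.113.7 - corp3 [27/05/2013:09:14:21 -0000] "POST /frontend/x3/filemanager/upload-ajax.html HTTP/1.1" 200 88 "" "Mozilla/5.0"
203.0.113.7 - tidy5 [27/05/2013:09:14:27 -0000] "POST /frontend/x3/filemanager/upload-ajax.html HTTP/1.1" 200 88 "" "Mozilla/5.0"
203.0.113.7 - root [27/05/2013:09:20:40 -0000] "POST /scripts2/changerootpassword HTTP/1.1" 200 512 "" "Mozilla/5.0"
198.51.100.10 - corp3 [27/05/2013:10:02:33 -0000] "GET /frontend/x3/passwd/index.html HTTP/1.1" 200 2210 "" "Mozilla/5.0"
this line is garbage and must be skipped
"""


def parse(lines):
    """Yield a dict per parseable line; lines that do not match are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(lines, trusted_root_ips=(), fan_out=5):
    """Return three indicator sets drawn from the parsed log.

    fan_out: one client IP authenticated as this many distinct non-root
    accounts is reported as mass account abuse.
    """
    accounts_by_ip = defaultdict(set)
    password_changes = []
    root_from_untrusted = []
    for rec in parse(lines):
        if rec["user"] == "root":
            if rec["ip"] not in trusted_root_ips:
                root_from_untrusted.append((rec["ts"], rec["ip"], rec["path"]))
        elif rec["user"] != "-":
            accounts_by_ip[rec["ip"]].add(rec["user"])
        if any(h in rec["path"].lower() for h in PASSWD_HINTS):
            password_changes.append((rec["ts"], rec["ip"], rec["user"], rec["path"]))
    many = {ip: sorted(u) for ip, u in accounts_by_ip.items() if len(u) >= fan_out}
    return {
        "ips_touching_many_accounts": many,
        "password_changes": password_changes,
        "root_from_untrusted_ip": root_from_untrusted,
    }


if __name__ == "__main__":
    # On a real server: with open("/usr/local/cpanel/logs/access_log") as fh: lines = fh
    report = analyze(SAMPLE_LOG.splitlines(), trusted_root_ips={"198.51.100.10"})
    for key, value in report.items():
        print(key, value)
```

An empty result is not proof of absence: an attacker who reached root can edit or truncate this log, and the initial entry point may have been a web application inside one hosted account rather than cPanel or WHM, so the clean-log finding reported later in this thread does not weaken the advice to reinstall.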

alex.bogatu

Registered
May 27, 2013
cPanel Access Level
Root Administrator
I have already done that. I searched every possible log file. There is no trace. But given that he hacked so many sites (almost 1000 just on my server), isn't it possible that this is a cPanel vulnerability not yet reported?

LDHosting

Well-Known Member
Jan 19, 2008
cPanel Access Level
Root Administrator
> The big problem is that I detected that the attacker changed the root password on my server. So he, somehow, uploaded a privilege escalation script or something like that.

You really will need to reinstall that server and restore the accounts from backups; if they have had root, that server cannot be trusted.

There have been a few kernel exploits recently, were you running an up to date kernel? Have you restored any cPanel backups recently?

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator