most of the websites defaced

Discussion in 'Security' started by Nishant80, Apr 26, 2013.

  1. Nishant80

    Hello,
    I noticed that most of the websites using WordPress and Joomla are being hacked one by one on one of my servers. I am not entirely sure what the reason could be. Could someone please guide me on what needs to be checked / done here?
     
  2. quizknows

    I can pretty much guarantee it was done with symlink hacks. Script kiddies now have auto-deface scripts that will mass-deface all WP and Joomla sites on a cPanel server unless a patch like this one is installed:

    See http://forums.cpanel.net/f185/imple...optional-symlink-protection-patch-328431.html

    You should install that patch, then restore all infected accounts to a date before the first one was found hacked.
     
  3. gopkris2005

    Try to disable symlinks in your Apache configuration and check for any vulnerable scripts in your /tmp folder. If possible, check the following PHP settings and try to implement mod_security rules.

    http://www.cpanelkb.net/important-php-security-settings/
     
  4. sahostking

    Yes, if you don't use CloudLinux then enable symlink protection in the new Apache version on EasyApache in cPanel. May help.
    Also, as gopkris2005 stated, ensure mod_security is installed and working and ensure permissions are correct. Also run /scripts/securetmp on the server.
     
  5. ::Gomez::

    Can disabling SSH help? Or is it useless?

    Can you give 5 tips regarding the server/WHM to prevent WordPress sites from being hacked?
     
  6. storminternet

    You should think about how to secure the WordPress applications running on the server. On a shared server there must be several third-party applications running. You cannot tweak the server for each application. It's better to follow the guidelines from their official website to prevent the hacks.

    As far as PHP security is concerned,

    1) Enable suPHP
    2) Install Suhosin
    3) Disable malicious PHP functions
    4) Install CSF firewall and
    5) mod_security.
     
  7. brianoz

    I'd also say that the symlink hacks were probably used to deface your server, as a symptom of that attack is widespread hacking. You are going to need to do two things:

    1. Mitigate against the attack - read up on it at various places, www.whmscripts.net is one and there are others
    - you probably want to change permissions on your PHP files (test on one user first) as well as installing one or more of the patches.

    2. Go through and change the database passwords of every user on the system, as well as the email passwords. The entire system has been compromised and most of these passwords will probably have been stolen and are being kept for later use somewhere. Sorry, but if you don't do this the hacks will continue even after you harden the server.

    This has been discussed for nearly a year now and it's disappointing to find so many hosts that still don't know about it. If you're upset at cPanel that they haven't done anything to protect you from it, you might want to mention it to them.
     
  8. 24x7server

    Also scan your /home/*/public_html/ directories with the Linux Malware Detect (LMD) scanner and detect all CMDSHELL files on your server.
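
Added example, not part of any post in this thread: a check for leftovers of the symlink hacks named in the replies above, listing symlinks under each account's public_html that resolve outside that account's own home directory. The function name is hypothetical; it assumes the cPanel default layout of /home/<user>/public_html and GNU readlink.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Reports symlinks under each account's
# public_html whose resolved target lies outside that account's home directory.
# Assumptions: accounts live at <home_root>/<user>/public_html (cPanel default
# home_root is /home) and GNU readlink is available.

find_foreign_symlinks() {
    local home_root="${1:-/home}"
    local acct link target
    for acct in "$home_root"/*/; do
        acct="${acct%/}"
        [ -d "$acct/public_html" ] || continue
        # Canonicalise so homes reached through a symlinked path compare correctly.
        acct="$(readlink -f -- "$acct")" || continue
        # -type l matches the links themselves; find does not follow them.
        find "$acct/public_html" -type l -print 2>/dev/null |
        while IFS= read -r link; do
            target="$(readlink -f -- "$link" 2>/dev/null)" || target=""
            case "$target" in
                "$acct"|"$acct"/*) ;;   # target stays inside the owner's home
                *) printf '%s -> %s\n' "$link" "${target:-unresolvable}" ;;
            esac
        done
    done
}

# Usage on a server: find_foreign_symlinks /home
```

Each reported line is a lead to review rather than proof of compromise, since some accounts legitimately link to shared locations; links pointing at another account's configuration files or at / are the ones to look at first.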
     