most of the websites defaced

Nishant80

Well-Known Member
May 7, 2012
64
0
56
cPanel Access Level
Root Administrator
Hello,
I noticed that most of the websites using wordpress, joomla are being hacked one by one on one of my servers. I am not entirely sure what could be the reason. Could someone please guide me what needs to be checked / done here?
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
re: most of the websites defaced

I can pretty much guarantee it was done with symlink hacks. Script kiddies now have auto-deface scripts that will mass-deface all WP and Joomla sites on a cPanel server unless a patch like this one is installed:

See http://forums.cpanel.net/f185/imple...optional-symlink-protection-patch-328431.html

You should install that patch, then restore all infected accounts to a date before the first one was found hacked.
 

sahostking

Well-Known Member
May 15, 2012
366
8
68
Cape Town, South Africa
cPanel Access Level
Root Administrator
Twitter
Yes, If you don't use cloudlinux then enabled symlink protection in new apache version on EasyApache in cpanel. May help.
Also as gopkris2005 stated ensure mod_Security is installed and working and ensure permissions are correct. Also run /scripts/securetmp on server.
 

storminternet

Well-Known Member
Nov 2, 2011
460
0
66
cPanel Access Level
Root Administrator
You should think of how to secure wordpress applications running on server. On shared server there must be several third party applications running. You can not tweak the server for each application. It's better to follow the guidelines from their official website to prevent the hacks.

As far as php security is concerned,

1)Enable suphp
2)Install suhosin
3)Disable malicious php functions
4)Install csf firewall and
5)mod security.
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
I'd also say that the symlink hacks were probably used to deface your server as a symptom of that attack is widespread hacking. You are going to need to do two things:

1. Mitigate against the attack - read up on it at various places, www,whmscripts.net is one and there are others
- you probably want to change permissions on your PHP files (test on one user first) as well as installing one or more of the patches.

2. Go through and change the database passwords of every user on the system, as well as the email passwords. The entire system has been compromised and most of these passwords will probably have been stolen and are being kept for later use somewhere. Sorry, but if you don't do this the hacks will continue even after you harden the server.

This has been discussed for nearly a year now and it's disappointing to find so many hosts that still don't know about it. If you're upset at cPanel that they haven't done anything to protect you from it, you might want to mention it to them.