Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Multiple Logins Compromised... Help.

Discussion in 'General Discussion' started by Patrick-Jiffy, Mar 12, 2007.

  1. Patrick-Jiffy

    Patrick-Jiffy Registered

    Joined:
    Sep 2, 2003
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    151
    Basically this is what happened.

    We started noticing and recieving e-mails from our uplink about sub-domains created on our machine via some of the accounts that exist on the server. I then went in, checked the logs and confirmed it was a port 2082 login to those accounts(which were mine). The passwords on both accounts were different from each other as well as different from root, but to be on the safe side I changed all 3 passwords for root and the other 2 accounts used to add the phishing sites.

    Moving on, I noticed today that within a couple of weeks on the last incident I was getting logins via cpanel on 4 other accounts, none of which were mine(customers). I went in and removed the subdomains on those accounts, but the passwords in question were NOT bruteforced. I had strong passwords on my accounts that were compromised and I'm curious what I should be looking for to be able to tell HOW someone could obtain my passwords in cleartext. I have rootkit checkers that are up to date, I have APF and BFD installed and working properly. I'm at a loss and I'm hoping someone can offer some insight as to what could be occuring. Thanks in advance.

    Versions are as follows:
    WHM 10.8.0 cPanel 10.9.0-R139
    CentOS 3.8 i686 - WHM X v3.1.0

    Sincerely,

    Patrick Jones
     
    #1 Patrick-Jiffy, Mar 12, 2007
    Last edited: Mar 12, 2007
  2. Funkadelic

    Funkadelic Well-Known Member

    Joined:
    Feb 10, 2006
    Messages:
    73
    Likes Received:
    0
    Trophy Points:
    156
    So the cPanel logs were showing logins from an ip address that your clients do not use?
    Is it one IP Address or are the logins from multiple IPs?

    Have you done a traceroute on the IPs? Did you check to see if they are anonymous?

    One thing I can say though is that you should enable forced SSL login. Make sure your SSH port is not on port 22. Maybe you could change the usernames of the cPanel accounts as well?
     
    #2 Funkadelic, Mar 12, 2007
  3. Patrick-Jiffy

    Patrick-Jiffy Registered

    Joined:
    Sep 2, 2003
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    151
    cPanel access_log shows a user logging in and immediately adding subdomains/adding dirs/etc... and the ftp log shows someone ftping in several files(assuming for the phishing sites) and leaving. Thats all they do. I haven't logged any bruteforce logins to any cpanel user. It just seems REALLY odd that 4-5 accounts are compromised within a 2 month span. A lookup on the IPs stated they originated from Africa, so I blocked the entire block this recent time. The IPs were one person per incident so 2 in total.

    I am looking for any reasons on how this could occur like it is has been and if/where any vulnerabilities could be. nobody besides myself has root access, I've been all over the logs to no avail. Any help in this situation would be great.
     
    #3 Patrick-Jiffy, Mar 12, 2007
  4. rvskin

    rvskin Well-Known Member
    PartnerNOC

    Joined:
    Feb 19, 2003
    Messages:
    400
    Likes Received:
    1
    Trophy Points:
    168
    Do you run RVSkin? If yes, upgrade to latest version. If not, possibly the attacker get root WHM remote access key from one of the application which rely on the remote key. I would suggest regenerate the root WHM remote access key immediately.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 rvskin, Mar 13, 2007
  5. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    655
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    Remote access key doesn't use FTP access however. But the could have used a remote access key to grab the shadow file and were cracking passwords offline then once broken FTPed in.

    I have a script that can change all cPanel users passwords randomly with output root the admin.

    It could also be that those accounts were using easy passwords like a simple name or even their username.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 ramprage, Mar 13, 2007
(You must log in or sign up to post here.)
Loading...
Similar Threads - Multiple Logins Compromised
  1. geekbaaz

    Multiple cPanel servers with a common MySQL server?

    geekbaaz, Jun 21, 2018 at 3:24 AM, in forum: Database Discussion
    Replies:
    2
    Views:
    54
    cPanelMichael
    Jun 21, 2018 at 11:32 AM
  2. Remitur

    How to use multiple IP for outgoing email?

    Remitur, Jun 14, 2018, in forum: E-mail Discussion
    Replies:
    2
    Views:
    51
    dalem
    Jun 15, 2018
  3. Adam315

    Custom nameservers and multiple reseller accounts

    Adam315, Jun 7, 2018, in forum: Bind/DNS/Nameserver
    Replies:
    5
    Views:
    84
    cPanelLauren
    Jun 7, 2018
  4. ShadowBeast

    Create Multiple Websites in public_html Problem

    ShadowBeast, May 31, 2018, in forum: General Discussion
    Replies:
    1
    Views:
    232
    cPanelLauren
    Jun 1, 2018
  5. Michael Wendt

    Multiple owners to cPanel accounts

    Michael Wendt, May 31, 2018, in forum: Workarounds and Optimization
    Replies:
    3
    Views:
    103
    Michael Wendt
    Jun 1, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice