The Community Forums


My CPanel was hacked

Discussion in 'General Discussion' started by billwide, Sep 13, 2007.

  1. billwide

    billwide Registered

    Hi dear,

    My cPanel was hacked some days ago, because my client opened dangerous sites and they installed a Trojan that stole his cPanel login/password.

    When the hacker opened the cPanel - I don't know how - he changed the index page of my files.

    I changed the cPanel password, but he still continues to invade my files!
    Could it be anonymous access? But I stopped anonymous access...

    What are the most common ways a cPanel is hacked?

    What could be done, and what can I do to make my cPanel more safe?


    Thanks for all,


    Willian Souza
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Are you certain that it was the cPanel account itself that was hacked and not a vulnerable script running on that hosting account that is opening a back door to editing your website?

    Was anything other than the contents of your website modified? Is any site software you are running up to date with the latest security patches?
     
  3. nyjimbo

    nyjimbo Well-Known Member

    Is the problem more that your client opened "dangerous sites" and then had his password stolen, not that the cPanel server itself was "hacked"?
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Suspend the account. That will lock out all users and you can have a closer look.
     
  5. nottheusual1

    nottheusual1 Active Member

    I'll bet it wasn't CPanel that got hacked - you've got an unwanted "visitor" who's now got some root rights to your server.

    You can try RKHunter and some other tools, but they aren't 100% fool-proof. The last box we had hacked took 4 hours to find the trojan. If the idiot had spent 10 more seconds covering his tracks, we'd have never found it....

    Best thing to do is reinstall the OS and CPanel onto a fresh hard drive and then reinstall your accounts.

    Safest thing to do (for future reference) is not to allow root logins of any kind. All root activity should be an escalation, which your OS **should** tell you about right away. And we ALWAYS assign account passwords - that way we can at least guarantee the strength of the password from the onset.

    I'd agree with InfoPro if the attacker wasn't able to do the gymnastics and change multiple indexes.

    Back up your data, scrub it well, and start from scratch. We've had to do it a few times over the years. And lose the customer that caused the issue, or at least blow his domain away and make him start over from scratch.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I agree with you too. :)

    Might be too late for this one, but locking down that account should be done right when you realize there's a prob. In the first post he states "some days ago". It should have been locked down right then. Not just password change.

    Once they get in thru your site, it's pretty much a given they're on the way to root in short order.
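
A triage check for the situation in this thread, where files keep changing after the cPanel password was changed (added example, not part of the original thread and not cPanel code). `changed_since`, `SCRIPT_EXT` and its extension list are assumptions, and it assumes a Linux host where `st_ctime` is the inode change time:

```python
import os
import sys
import time

# Assumed list of extensions the web server may execute; adjust per server.
SCRIPT_EXT = {".php", ".phtml", ".cgi", ".pl", ".py"}


def changed_since(docroot, cutoff):
    """List files under docroot changed after cutoff (epoch seconds).

    Returns sorted tuples (relative_path, reason, is_index, is_script).
    reason is "modified" when mtime is after the cutoff, and "ctime-only"
    when just the inode change time is. The second case means a chmod,
    chown or rename, a restore that kept old mtimes, or an mtime that was
    set back (touch can set mtime, but not ctime).
    """
    findings = []
    for root, _dirs, files in os.walk(docroot, followlinks=False):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # do not follow symlinks out of the tree
            except OSError:
                continue  # file vanished or is unreadable
            if st.st_mtime > cutoff:
                reason = "modified"
            elif st.st_ctime > cutoff:
                reason = "ctime-only"
            else:
                continue
            stem, ext = os.path.splitext(name.lower())
            findings.append((os.path.relpath(path, docroot), reason,
                             stem == "index", ext in SCRIPT_EXT))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: script.py /path/to/public_html "2007-09-10 14:00"
    # The second argument is when the password was changed (local time).
    when = time.mktime(time.strptime(sys.argv[2], "%Y-%m-%d %H:%M"))
    for rel, reason, is_index, is_script in changed_since(sys.argv[1], when):
        tags = [t for t, on in (("INDEX", is_index), ("SCRIPT", is_script)) if on]
        print(f"{reason:10} {rel} {' '.join(tags)}")
```

Any hit dated after the password change means the stolen password is not the only way in; script files reported as `ctime-only` are the first ones to inspect.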
     