My Server is Being Used in a BruteForce Attack

Discussion in 'Security' started by iPlex, Sep 9, 2015.

  1. iPlex

    I have a rather strange problem...

    It would seem that my server is being used to brute-force into a CMS on another server, because abuse complaints are going to my dedicated server provider and then getting forwarded to me!

    And the odd thing is that the domain the attacks are coming from is the hostname for the box itself: blah.example.com

    So I backed up all the website data, then completely reinstalled the server, and then put the backups of the website data back on (I also put back the TweakSettings, Exim and EasyApache config files).

    And the server is still being used to brute-force into other websites, and the attacks are still coming from the machine's hostname.

    So I ran ClamAV in the /home directory and it found nothing!

    I am currently running a maldet scan of the /home/*/public_html folders.

    Am I right to assume that A. an email has malicious code in it, or B. something within cPanel/WHM does, since it is using the server's hostname?

    As a side note, the IP that blah.example.com (the server's hostname) uses is also used by a nameserver and one of my websites (the website's address is example.com).

    Any help you guys can provide will be extremely helpful!
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Sounds to me like the site you backed up and restored is compromised. You might want to suspend that account until you've had a chance to hire a security professional to assist you with this.
     
  3. 24x7server

    Hello,

    Have you found anything in your maldet scan report? Also, I suggest you try ConfigServer eXploit Scanner (cxs) on your server, or contact your system admin to check your server.
     
  4. iPlex

    But the domain being used is the server's hostname, not a website's domain.

    Maldet found nothing in public_html.
     
  5. Infopro

  6. iPlex

    How can I suspend the hostname of the server? (There are multiple accounts on this server with multiple IPs...)
     
  7. Infopro

    Have you looked into hiring someone to assist you with this yet? You should. I'm not sure we have the full story just yet. cPanel cannot assist you with a compromised server.
     
  8. Axell35
