

Passwords reset on multiple accounts

Discussion in 'Security' started by DanielTud, Jan 15, 2018.

  1. DanielTud

    DanielTud Member

    Joined:
    Feb 17, 2017
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Romania
    cPanel Access Level:
    Reseller Owner
    Hi,

    I have received multiple password reset confirmation emails for different cpanel accounts on the same server.

    I have reset all the cPanel passwords and the root password. What should I do next?

    Is there a WHM/cPanel vulnerability?

    This notice is the result of a request made by a computer with the IP address of “105.158.77.142” through the “cpanel” service on the server.
    The remote computer’s location appears to be: Morocco (MA).

    The remote computer’s IP address is assigned to the provider: “ADSL_Maroc_telecom”

    The remote computer’s network link type appears to be: “DSL”.

    The remote computer’s operating system appears to be: “Windows” with version “7 or 8”.

    The system generated this notice on 2018-01-14 at 14:47:16 UTC.
     
    #1 DanielTud, Jan 15, 2018
    Last edited: Jan 15, 2018
  2. DanielTud
    All the accounts, even the ones for which I didn't receive a password reset email, have the database compromised! For example, on the wordpress websites all the login usernames were changed to admin.

    Following this cpanel article it seems I should restore the backups on a fresh server...


    LE 1: From the access_log I can see that the cPanel passwords have been reset by logging into each cPanel account.
     
    #2 DanielTud, Jan 15, 2018
    Last edited: Jan 15, 2018
  3. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Joined:
    May 15, 2017
    Messages:
    257
    Likes Received:
    27
    Trophy Points:
    103
    Location:
    America
    cPanel Access Level:
    Root Administrator
    Hi @DanielTud,

    Sorry to hear you are having issues with compromised accounts/passwords. I believe the accounts may have already been compromised at the application level, and the hacker has likely used this application-level access to change the contact email for the account, then used the 'reset password' function to gain access to the cPanel interface. If this is the case, you may see reset attempts at `/var/cpanel/passreset/`. You'll also see the cPanel contact email address changed for the relevant users.

    While restoring from a backup is a great idea, you'll also need to pinpoint how the hacker originally gained access to the application (i.e. WordPress) and patch/address that vulnerability so it doesn't occur on the new server.
     
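    The pattern described in this thread (one remote address requesting password resets for several accounts on the same server within minutes) can be pulled out of the cPanel access_log with a short triage script. The following is an added example, not code from cPanel or from anyone in this thread: the log line format, the `/resetpass` endpoint path and the `user=` query parameter are assumptions, and the sample lines are constructed, so adjust the regex and `reset_path` to match the log on your own server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an Apache-style format; real access_log fields and the reset path are assumptions.
SAMPLE_LOG = """\
198.51.100.23 - - [14/Jan/2018:14:40:02 +0000] "GET /resetpass?user=siteone HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jan/2018:14:41:10 +0000] "POST /resetpass HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jan/2018:14:45:31 +0000] "GET /resetpass?user=sitetwo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jan/2018:14:47:16 +0000] "GET /resetpass?user=sitethree HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Jan/2018:15:02:44 +0000] "GET /resetpass?user=sitefour HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - sitefour [14/Jan/2018:15:10:00 +0000] "GET /frontend/index.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)')

def reset_requests(log_text, reset_path="/resetpass"):
    """Yield (ip, timestamp, account) for each hit on the assumed reset endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith(reset_path):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        q = re.search(r"[?&]user=([^&]+)", m.group("path"))
        yield m.group("ip"), ts, (q.group(1) if q else None)

def suspicious_sources(log_text, min_accounts=2, window_seconds=3600, reset_path="/resetpass"):
    """Map source IP -> sorted accounts for IPs that requested resets for at
    least `min_accounts` distinct accounts inside any span of `window_seconds`.
    One source touching many accounts is the pattern behind the notices above."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ip, ts, acct in reset_requests(log_text, reset_path):
        if acct:                      # ignore hits that name no account (e.g. the POST)
            by_ip[ip].append((ts, acct))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()                 # sliding window over time-ordered hits
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({a for _, a in events[start:end + 1]}) >= min_accounts:
                flagged[ip] = sorted({a for _, a in events})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: reset requests for {', '.join(accounts)}")
```

    Flagged addresses should be cross-checked against the timestamps of entries under `/var/cpanel/passreset/` and against any recent contact-email changes for the same accounts.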
  4. DanielTud
    Thank you for replying!

    I have found a suspicious file in /var/cpanel/passreset/. It is called _fake_user_12 and it was created 8 hours ago.

    Some other files in the same path look like .floodprotect-[accountname]_default. I have replaced the account name with [].

    I don't think it is WordPress related, because he also hacked some fresh websites with everything updated and at most 2 plugins.
     
  5. cPWilliamL
    I'd recommend reaching out to your host or a security professional to determine exactly how the account was compromised. If it's a fresh account/website, it should be fairly easy to track. Unfortunately, we don't provide any security services; however, if you believe there is a security flaw with cPanel, please do open a ticket and provide specific details about the flaw. We'll be happy to ensure the compromise was not made via cPanel, but we can't really assist in forensics with site-code vulnerabilities/compromises.
     