Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Phishing attacks on multiple accounts (does anyone having the same issue)

Discussion in 'Security' started by Un Area, May 23, 2014.

  1. Un Area

    Un Area Well-Known Member

    Joined:
    Nov 16, 2006
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    156
    Since a week im dealing with multiple ftp hacking issues on cpanel in one server. As far I could investigate the uploads were done by ftp login and through cpanel file manager (assuming that both cpanel login and ftp login is the same)

    All the hacks had to do with phishing sites like Bank of America, a Google Docs and other stuff.

    On thing i figured is to disable file manager for the feature manager. Ok the icon goes away from cpanel, but if you put the direct folder on the address bar you gain access to the filemanager template so I desided to remove the filemanager folder from the x3 theme entirely.

    By the accounts i set the password strenght to 70 and changed the password to the accounts that were compromised (not hacked again anymore) but still appearing new ones.

    Is rare what happened cause one the compromised accounts was one of mine and has a very strong password.

    Wait comments.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #1 Un Area, May 23, 2014
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,384
    Likes Received:
    1,951
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello :)

    You can review/search the following log files to see if you are able to determine how access to the account was gained, and what actions were performed:

    Code:
    /var/log/messages
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/login_log
    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, May 23, 2014
  3. Un Area

    Un Area Well-Known Member

    Joined:
    Nov 16, 2006
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    156
    189.182.230.148 - ahz [05/23/2014:04:14:17 -0000] "GET /cpsess7217122952/ HTTP/1.1" 302 0 "https://www.blackshop.pro/index.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
    189.182.230.148 - ahz [05/23/2014:04:14:19 -0000] "GET /cpsess7217122952/frontend/x3/passwd/index.html?msg=strength HTTP/1.1" 200 0 "https://www.blackshop.pro/index.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
    189.182.230.148 - ahz [05/23/2014:04:14:25 -0000] "GET /cPanel_magic_revision_1261011831/frontend/x3/branding/local.css HTTP/1.1" 200 0 "https://domain.com.ar:2083/cpsess7217122952/frontend/x3/passwd/index.html?msg=strength" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
    189.182.230.148 - ahz [05/23/2014:04:15:23 -0000] "POST /cpsess7217122952/backend/passwordstrength.cgi HTTP/1.1" 200 0 "https://domain.com.ar:2083/cpsess7217122952/frontend/x3/passwd/index.html?msg=strength" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"

    I found this in one account, passwordstrenght.cgi file is called.
    Is there a way a hacker can read/catch the cpsess files?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 Un Area, May 23, 2014
(You must log in or sign up to post here.)
Loading...
Similar Threads - Phishing attacks multiple
  1. rpvw

    Phishing using the /.well-known/ directory

    rpvw, Feb 5, 2018, in forum: Security
    Replies:
    4
    Views:
    669
    rpvw
    Feb 5, 2018
  2. mjobrr

    Phishing Activity on Website

    mjobrr, Jul 11, 2017, in forum: Security
    Replies:
    3
    Views:
    556
    cPanelMichael
    Jul 12, 2017
  3. nimonogi

    How can I report a phishing email?

    nimonogi, Feb 13, 2017, in forum: Security
    Replies:
    1
    Views:
    749
    Infopro
    Feb 13, 2017
  4. kostianev

    Problems with server attacks on port 80

    kostianev, Dec 4, 2018 at 2:13 AM, in forum: Security
    Replies:
    4
    Views:
    529
    cPanelLauren
    Dec 5, 2018 at 12:26 PM
  5. Ianw5555

    Security Advisor warning about symlink ownership attacks

    Ianw5555, Sep 19, 2018, in forum: Security
    Replies:
    2
    Views:
    128
    cPanelLauren
    Sep 19, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice