Phishing attacks on multiple accounts (does anyone have the same issue?)

Un Area (Well-Known Member, joined Nov 16, 2006)
For a week I've been dealing with multiple FTP hacking issues on cPanel on one server. As far as I could investigate, the uploads were done by FTP login and through the cPanel File Manager (assuming that both the cPanel login and the FTP login are the same).

All the hacks had to do with phishing sites like Bank of America, Google Docs and other stuff.

One thing I figured out is to disable File Manager in the Feature Manager. OK, the icon goes away from cPanel, but if you put the direct folder in the address bar you gain access to the File Manager template, so I decided to remove the filemanager folder from the x3 theme entirely.

For the accounts I set the password strength to 70 and changed the passwords of the accounts that were compromised (they haven't been hacked again), but new ones keep appearing.

What happened is strange, because one of the compromised accounts was one of mine and has a very strong password.

Awaiting comments.
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
Hello :)

You can review/search the following log files to see if you are able to determine how access to the account was gained, and what actions were performed:

Code:
/var/log/messages
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/login_log
Thank you.
 

Un Area (Well-Known Member, joined Nov 16, 2006)
189.182.230.148 - ahz [05/23/2014:04:14:17 -0000] "GET /cpsess7217122952/ HTTP/1.1" 302 0 "https://www.blackshop.pro/index.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
189.182.230.148 - ahz [05/23/2014:04:14:19 -0000] "GET /cpsess7217122952/frontend/x3/passwd/index.html?msg=strength HTTP/1.1" 200 0 "https://www.blackshop.pro/index.html" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
189.182.230.148 - ahz [05/23/2014:04:14:25 -0000] "GET /cPanel_magic_revision_1261011831/frontend/x3/branding/local.css HTTP/1.1" 200 0 "https://domain.com.ar:2083/cpsess7217122952/frontend/x3/passwd/index.html?msg=strength" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
189.182.230.148 - ahz [05/23/2014:04:15:23 -0000] "POST /cpsess7217122952/backend/passwordstrength.cgi HTTP/1.1" 200 0 "https://domain.com.ar:2083/cpsess7217122952/frontend/x3/passwd/index.html?msg=strength" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"

I found this in one account; the passwordstrength.cgi file is called.
Is there a way a hacker can read/catch the cpsess files?
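To make the log review suggested earlier in the thread repeatable, here is an added example (not from the original posts or from cPanel) that parses lines in the access_log format shown above, groups requests by account and cpsess session token, and flags two things a defender wants to see when chasing this kind of incident: sessions that touch the password-change or File Manager pages, and a single cpsess token used from more than one source IP, which is the kind of trace you would look for if you suspected a session token had been captured. The field order, the x3 theme paths, the regular expressions and the sample log lines are all assumptions constructed for the example; the sample uses documentation IP ranges, not the addresses from the thread. A session seen from two IPs is a heuristic only (NAT and mobile clients change addresses), so treat it as a lead, not proof.

```python
import re
from datetime import datetime

# Assumed line layout, modelled on the lines quoted above:
# ip - user [mm/dd/yyyy:HH:MM:SS zone] "METHOD path proto" status bytes "referer" "ua" "-"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The cPanel session token is the first path component on logged-in requests.
SESSION_RE = re.compile(r'^/(cpsess\d+)/')

# Paths worth flagging. Assumption: x3 theme paths seen in this thread; adjust for your theme.
SENSITIVE = {
    "password_change": ("/passwd/", "passwordstrength.cgi"),
    "file_manager": ("/filemanager/",),
}

# Constructed sample input (documentation IP ranges, fake session ids, one junk line).
SAMPLE_LOG = """\
203.0.113.5 - alice [05/23/2014:04:14:17 -0000] "GET /cpsess1234567890/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (constructed)" "-"
203.0.113.5 - alice [05/23/2014:04:14:19 -0000] "GET /cpsess1234567890/frontend/x3/passwd/index.html?msg=strength HTTP/1.1" 200 0 "-" "Mozilla/5.0 (constructed)" "-"
203.0.113.5 - alice [05/23/2014:04:15:23 -0000] "POST /cpsess1234567890/backend/passwordstrength.cgi HTTP/1.1" 200 0 "-" "Mozilla/5.0 (constructed)" "-"
198.51.100.7 - alice [05/23/2014:04:20:01 -0000] "GET /cpsess1234567890/frontend/x3/filemanager/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0 (constructed)" "-"
192.0.2.9 - bob [05/23/2014:09:00:00 -0000] "GET /cpsess9876543210/frontend/x3/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0 (constructed)" "-"
this is not a log line
"""


def parse_line(line):
    """Parse one access_log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    sm = SESSION_RE.match(rec["path"])
    rec["session"] = sm.group(1) if sm else None
    return rec


def build_sessions(lines):
    """Group requests by (user, cpsess token): source IPs, time span, sensitive actions seen."""
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["session"] is None:
            continue  # unparsable line or request outside a logged-in session
        key = (rec["user"], rec["session"])
        s = sessions.setdefault(
            key, {"ips": set(), "first": rec["ts"], "last": rec["ts"], "actions": set()}
        )
        s["ips"].add(rec["ip"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
        for label, needles in SENSITIVE.items():
            if any(n in rec["path"] for n in needles):
                s["actions"].add(label)
    return sessions


def findings(lines):
    """Return human-readable findings: multi-IP sessions and sensitive actions per session."""
    out = []
    for (user, session), s in sorted(build_sessions(lines).items()):
        ips = sorted(s["ips"])
        if len(ips) > 1:
            out.append(f"{user} {session}: used from {len(ips)} IPs {ips} (possible session reuse)")
        for action in sorted(s["actions"]):
            out.append(
                f"{user} {session}: {action} from {ips} "
                f"between {s['first'].isoformat()} and {s['last'].isoformat()}"
            )
    return out


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open('/usr/local/cpanel/logs/access_log') for a real review.
    for line in findings(SAMPLE_LOG.splitlines()):
        print(line)
```

Run it against the real file by feeding `open('/usr/local/cpanel/logs/access_log')` to `findings()` instead of the sample; on the constructed input it reports alice's session as used from two IPs and as having touched both the password-change pages and File Manager, and nothing for bob.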