Phishing attacks on multiple user accounts

Discussion in 'Security' started by hozyali, May 22, 2014.

  1. hozyali

    Hi there,

    I have a CentOS server with 60+ user accounts. Most of them have phishing content in random files and directories. I am not sure how to scan the whole server or home directory to detect the phishing content.

    Is there a way to handle this?

    The second issue is that it seems most of my users are using WordPress, Joomla, etc., and that seems to be the main cause. The admin logins are compromised and a hacker has uploaded phishing content. So is there a way to change the password of all the copies of Joomla and WordPress on my server? I mean a quick SQL to run directly on MySQL and change passwords.

    Please advise.

    Thanks
     
  2. storminternet

    Joomla and WordPress applications should be updated to the latest version. Not only the applications, but you should update plugins and themes too. Secure Joomla and WordPress as much as possible with the help of the URLs below:

    Security - Joomla! Documentation
    Hardening WordPress « WordPress Codex

    As far as the default login is concerned, I suggest you use a different CMS user other than admin for both WordPress and Joomla.
     
  3. hozyali

    Thanks. The problem is, these sites are not owned by me. They belong to the clients, and even after several notices, the clients won't upgrade.

    What should be done?
     
  4. ThinIce

    Depends on your terms and conditions really. You'll get the most love* by offering to walk clients through the process of fixing the issue, but you could also argue that they are technically allowing malicious third-party access to their account by not upgrading their software and this is grounds for you disabling or removing their unpatched CMS.

    However, I do note you state most of your accounts are afflicted. Are you sure that you've not been hit by a symlink attack or similar?

    * Amount of love received in return may not equal amount of time invested
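
An added example, not part of any post in this thread: one way for a root administrator to check for the symlink condition ThinIce asks about, by listing links inside each account's home directory that resolve outside it (for instance into another account's files). The function name and output format are made up for this example; it assumes account homes sit directly under the directory passed in (such as /home) and that `readlink -f` is available.

```shell
#!/bin/sh
# Added example: report symlinks in each account home that resolve outside it.
# Output: one line per finding, "account<TAB>link<TAB>resolved target".
# Some findings will be legitimate links; review each one before acting.
find_cross_account_symlinks() (
    # Canonicalise the base so comparisons are not fooled by a symlinked path.
    base=$(cd "${1:-/home}" && pwd -P) || exit 1
    for home in "$base"/*/; do
        home=${home%/}
        # Skip non-directories and homes that are themselves symlinks.
        [ -d "$home" ] && [ ! -L "$home" ] || continue
        # -xdev keeps find on one filesystem; -type l selects symlinks only.
        find "$home" -xdev -type l -exec sh -c '
            home=$1; shift
            for link in "$@"; do
                # Resolve the full chain; dangling links cannot be resolved.
                target=$(readlink -f -- "$link" 2>/dev/null) || target="(unresolvable)"
                case $target in
                    "$home"|"$home"/*) ;;   # stays inside the same account
                    *) printf "%s\t%s\t%s\n" "${home##*/}" "$link" "$target" ;;
                esac
            done' sh "$home" {} + 2>/dev/null
    done
)

# Run against a directory only when one is given, e.g.: sh script.sh /home
if [ "$#" -gt 0 ]; then
    find_cross_account_symlinks "$1"
fi
```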
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    In addition to the advice from the other posters here, you may also want to search for "wordpress" in the "Security" forum here. There are several results discussing how to handle WordPress attacks/exploits.

    Thank you.
     