The Community Forums


Phishing subdomains constantly created

Discussion in 'Security' started by axel50397, Apr 18, 2015.

  1. axel50397

    axel50397 Member

    Joined:
    Feb 6, 2012
    cPanel Access Level:
    Root Administrator
    Hi there,
    We have been noticing it for a long time but can't find where it's from. Sometimes once a week, sometimes 3 or 4 times the same day, we receive "abuse" emails from companies for hosting phishing websites (our IP has been blocked several times).

    At the beginning it affected only a few customers using WordPress and mysterious plugins; we didn't care a lot and suspended the accounts until they reacted. Now it seems to affect anyone. We (in the team) have created a few accounts for our own usage; some are active, some were never used (nothing uploaded since creation). Despite this, every week we see phishing subdomains created (containing a phishing website), or sometimes only one .html file is created with a JS redirection to another account.

    We've noticed that sometimes it's the exact same IP in the .lastlogin, so when we grep it in the cPanel logs, here is what we see:
    At first sight, I understand that he is using the login form. It's like he has the passwords (hard to believe because we create users from WHMCS with generated passwords =/ )
    Then:
    As you can see, in the first "block", he tries some accounts and fails but gains access to acct4... After that, in the second block, we see him creating the subdomains using the web panel (or a script using it), and in the third part he's using the file manager to create and modify some files on acct5...

    Users setting the same password everywhere, why not. But having this attack on multiple accounts, including the team's websites, is hard to believe. Moreover, the account password could be used to access FTP directly...

    I must say that we've run LMD and chkrootkit (and some other check scripts), but everything came back negative. Has anyone encountered such an issue, or has an idea, please?

    Thank you for your help.
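As an added example (not from the original post, and not a cPanel tool), the script below groups lines in the shape of a cPanel access_log by source IP so that the sequence axel50397 describes (several failed logins, one success, then subdomain creation and file-manager writes, possibly across different accounts) stands out. The line layout, the request paths and the sample lines are assumed or constructed here; check them against your own access_log before relying on the pattern.

```python
import re
from collections import defaultdict

# Assumed shape of a cPanel access_log line: IP, user, timestamp, request, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from the original post): two failed logins, one
# success as acct4, a subdomain creation, then a file-manager write as acct5.
SAMPLE_LOG = """\
198.51.100.7 - - [18/04/2015:09:12:01 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.7 - - [18/04/2015:09:12:03 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.7 - acct4 [18/04/2015:09:12:05 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - acct4 [18/04/2015:09:12:20 -0000] "GET /cpsess0000000001/frontend/paper_lantern/subdomain/doadddomain.html?domain=x HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - acct5 [18/04/2015:09:14:00 -0000] "POST /cpsess0000000002/frontend/paper_lantern/filemanager/savefile.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - bob [18/04/2015:10:00:00 -0000] "GET /cpsess0000000003/frontend/paper_lantern/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

def classify(method, path, status):
    """Map one request to the event kinds discussed in the thread (paths assumed)."""
    if path.startswith("/login") and method == "POST":
        return "login_fail" if status == 401 else "login_ok"
    if "/subdomain/doadddomain" in path:
        return "subdomain_create"
    if "/filemanager/" in path:
        return "filemanager"
    return "other"

def summarize(log_text):
    """Per source IP: failed-login count, accounts reached, and post-login actions."""
    summary = defaultdict(lambda: {"login_fail": 0, "accounts": set(), "events": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed shape
        kind = classify(m["method"], m["path"], int(m["status"]))
        entry = summary[m["ip"]]
        if kind == "login_fail":
            entry["login_fail"] += 1
        elif kind != "other":
            entry["events"].append(kind)
        if m["user"] != "-":
            entry["accounts"].add(m["user"])
    return dict(summary)

def flag_suspicious(summary, min_fail=2):
    """IPs that failed logins, then got in and created subdomains or edited files."""
    return sorted(ip for ip, e in summary.items()
                  if e["login_fail"] >= min_fail and "login_ok" in e["events"]
                  and {"subdomain_create", "filemanager"} & set(e["events"]))
```

Run it against real log text with `flag_suspicious(summarize(open(path).read()))`; an IP that reaches several accounts after failed attempts, as here, points at credential reuse or leaked credentials rather than a per-site web compromise.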
     
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator

    You might want to consider the possibility that your WHMCS install has been breached. If you don't have the latest 5.3.x version installed and are not adhering to all proper security practices with respect to the billing system, then the billing system ends up getting compromised.

    Did you add your new "team" accounts through WHMCS? If somebody has control of your WHMCS install it would be trivial for them to go and fetch the login credentials for a particular hosting account.

    M
     
  3. axel50397

    axel50397 Member

    Joined:
    Feb 6, 2012
    cPanel Access Level:
    Root Administrator
    This is indeed a vector, but we've changed our WHMCS passwords and the database password at the same time. Concerning SSH, we receive an email any time someone not whitelisted connects, and we currently only have our IP listed. We often see SQL injection attempts (with AES_ENCRYPT strings), but as we're up to date, they always fail. Strangely, these attempts come from the USA while the successful hacks are done from Tunisia. And of course, the ISP never answered our abuse reports.

    Yes we do, in order to keep consistency in WHMCS. We also pay for our personal hosting websites, so using WHMCS is a must.

    Any other idea?
    Thank you for your help.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    cPanel Access Level:
    Root Administrator