Does anyone know how to permanently disable "http" logins into cPanel and only leave "https" logins enabled? We want to only allow SSL connections.
One of our servers was hacked this morning. We are still searching log files to figure out how. What happened was that the index.html file under one domain on the server was replaced with the hacker's own garbage. This is classic defacing, and the owner of the garbage index file is the domain user.
So, it looks like the hacker gained access to this one user's login information and logged in through cPanel as the legitimate user would. Indeed, there was a cPanel login that came this morning from a Saudi Arabia computer (most likely hacked too). Also, the password (in /etc/shadow) for the user has been changed by the hacker.
It looks like the login information was sniffed when the legitimate user logged in to cPanel a few minutes earlier. There may be a new script out there that does that.
If you encounter a similar problem and have more information as to how the hacker gained access to the user's login information, please post it.
Also, I find it rather intriguing that upon logging in to the cPanel Forums just a few minutes ago to check for any new reports on hacking, the first thing I saw was "Welcome to our newest member, cPanel Hacker". Coincidence? Who is this new member "cPanel Hacker" and where is he coming from?