Reseller - Phishing Accounts

S3RCE

Registered
Jun 16, 2016
London
cPanel Access Level
Reseller Owner
Hi all!

I've got a bit of an issue which is bugging me. I've been doing some website designs and for the past few years have been doing reseller hosting accounts for some of my clients and for myself.

I have a reseller account, which for the past couple of months has been giving me an absolute headache!

I keep on getting notifications which say that a domain has some phishing content and that the content must be removed - at which point they suspend the account.

I have changed cPanel passwords, FTP passwords and even email passwords and cannot seem to locate how these phishers get into my account to upload content.

I smell something phishy... as my provider constantly asks me to use their protection service; and also the fact that they want to charge me for any type of 'looking into' that they want to do.

Any help/suggestion etc will be greatly appreciated. I'm looking to move away from my provider for this reason!

Thanks

S3RCE

Registered
Jun 16, 2016
London
cPanel Access Level
Reseller Owner
Hi Amdbuilder,

Yes - the funny thing is, some accounts which have no content in them have been compromised. This is the bit I don't understand!

My hosting provider is useless and wants to charge me for every single account to have it looked into, and keeps on referring me to use one of their services - which I think they have an affiliation with.

So I'm a bit lost as to how they can get in, upload content and leave!

S3RCE

Registered
Jun 16, 2016
London
cPanel Access Level
Reseller Owner
Hi twiting9275 - thanks for your constructive response....

I don't think I've missed anything anywhere. I do periodic password changes, recently changed all passwords on all reseller accounts to 20+ characters, deleted the FTP accounts and somehow I'm still getting files uploaded.

I've never had this issue up until a few months ago, and when it happens, it constantly happens all together.

If it was one particular account I could maybe say the client side was infected - but it's happening on several accounts.

I seriously don't know where to turn. Are there any security measures/addons I can get installed to stop things like this from happening? Or maybe block out any IPs that are uploading content.

I don't want to pay my hosting provider $1 because of the service that I'm getting from them. A few years ago they were good; now their support and service are going downhill. Sometimes I'm waiting over 30 minutes to be connected to their online support.

amdbuilder

Member
PartnerNOC
Feb 5, 2013
Durham, NC
cPanel Access Level
Website Owner
There are other methods to gain access, for example the Remote Access Key in WHM or SSH Keys in the accounts. I'm not familiar with your hosting provider's client area, but if you can access your account from it that's another possible entry point.

You are going to be somewhat limited in what you can install/do to protect your sites as a reseller. If you aren't getting the level of support or assistance from your hosting provider to resolve the problem, you may want to consider changing hosts.

[Removed Reference To Specific Feature - Discussion of specific hosting providers is not permitted on the cPanel forums]

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I have changed cPanel passwords, FTP passwords and even email passwords and cannot seem to locate how these phishers get into my account to upload content.
Hello,

It's difficult to troubleshoot this type of issue if you do not have root access to the system. Have you asked your provider for additional information on the files that were uploaded, including relevant Apache log entries for the account?

Thank you.
 

georgeb

Well-Known Member
May 23, 2010
Montreal, QC, Canada
cPanel Access Level
Root Administrator
Don't blame your hosting provider for your inability to keep things up to date and secure. Obviously, you've missed something, somewhere.
A user is just a user; the server administrator should go over the user to protect the user account and the server... That is called professional!!! The admin should inform the user that the software is obsolete and block access to that software until the user fixes it. This is a server-side problem and should be fixed by admins, not by the user!!!

neil white

Registered
Jul 5, 2016
UK
cPanel Access Level
Reseller Owner
Hi all!

I've got a bit of an issue which is bugging me. I've been doing some website designs and for the past few years have been doing reseller hosting accounts for some of my clients and for myself.

I have a reseller account, which for the past couple of months has been giving me an absolute headache!

I keep on getting notifications which say that a domain has some phishing content and that the content must be removed - at which point they suspend the account.

I have changed cPanel passwords, FTP passwords and even email passwords and cannot seem to locate how these phishers get into my account to upload content.

I smell something phishy... as my hosting provider constantly asks me to use their service, and also the fact that they want to charge me for any type of 'looking into' that they want to do.

Any help/suggestion etc will be greatly appreciated. I'm looking to move away from my hosting provider for this reason!

Thanks

Hi

Just to let you know that I had exactly the same issue with my reseller account and they were no help whatsoever and pushed all the blame on to me.

I had 120 accounts planted with phishing files, which did a lot of harm to many of the domains.

[Removed Actual Domain Name]

All my provider kept telling me was to buy their protection service, yet it literally will lock down a site, not a cPanel or WHM account.

Turns out that my provider has been hacked by a group who hit all their reseller accounts
 

acenetgeorge

Well-Known Member
PartnerNOC
Mar 6, 2008
Southfield, MI
cPanel Access Level
DataCenter Provider
The only way to keep a website truly secure is to not put it online in the first place. *shrugs* If it is online, it can be messed with. As long as the script and all plugins, themes, modules, etc. are kept up to date, the chance of hacking and phishing is usually low. But there are always chances of new exploits and security holes being found.

It is generally not the hosting company's responsibility to maintain the security of individual accounts. Make sure to keep recent backups just in case, and be willing to update software and plugins.

shmeg

Member
Dec 9, 2012
cPanel Access Level
Root Administrator
It's very easy to blame your provider. Unfortunately, though sometimes there can be a global hacking event that affects a server, much more often than not it is user-related reasons for the intrusion.
Phishing sites: most are related to malware-retrieved passwords on the user's (and in some cases the reseller's!) system, or exploited software. A good way to obviate the risk - never type passwords - I cut and paste out of a secure local file. People may say to you that when people talk about keyloggers and malware, it's blame shifting.

The best way to test it (and prove it) is to change the password, give it back to the user and see how long it takes for the site to be hacked again (my record is 7 mins). As soon as the user retypes the password, the malware rebroadcasts the password, often to exploit bots.
Whether it's a phishing site, spam, or actual hacks makes no difference.

Every person in the chain is a possible weak link. We had one reseller who was getting the same 3 or 4 sites hacked. He was clean, the end user was clean, we even went through all our tech systems that had touched the sites. Nothing. Turned out the web dev who was engaged independently by several of his users - not by him - was to blame. Weak link.

To track down the cause takes time and you have to be methodical. Gather logs and files, cross-reference sites, change all the passwords (cPanel, FTP, MySQL, SSH if applicable), IP-protect login areas, check file permissions - especially world-writeable dirs. It's a set of skills and not something your host is responsible for. They host your site; they should at least be able to point you in the right direction, though. Nothing sus about a host selling you protection software; they are in business to do that and they can't hand-hold every reseller or user. They should at least be able to communicate properly with you, though; if not, change hosts. Many good companies would be pleased to have you.
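Added example, not from the thread, from cPanel or from any of the posters: a small POSIX shell triage pass that does the methodical checks shmeg lists above (world-writable directories, recently changed files) and cross-references the per-account Apache access log that cPanelMichael asks about, grouping POST requests by client IP and path because planted content almost always arrives as a POST. It assumes the reseller can run `find` and `awk` on the account (via SSH/jailshell or a cron job) and that the access log is in Apache combined format; the paths in the usage comment and the log lines written by `write_sample_log` are constructed placeholders, not real data from the thread.

```shell
#!/bin/sh
# Reseller-level triage of one account's document root (added example).
# Assumes: POSIX find/awk available on the account, Apache combined-format
# access log. All paths below are placeholders.

# 1. World-writable directories: a dropped file only needs one of these.
#    -perm -o+w matches any directory with the "others write" bit set.
find_world_writable() {
  find "$1" -type d -perm -o+w 2>/dev/null | sort
}

# 2. Files changed in the last N days (default 7). Freshly uploaded
#    phishing kits show up here even on an account that "has no content".
find_recent_files() {
  find "$1" -type f -mtime "-${2:-7}" 2>/dev/null | sort
}

# 3. POST requests from a combined-format access log, grouped by client IP
#    and request path, most frequent first. In combined format field 6 is
#    the quoted method ("POST) and field 7 is the path.
post_requests() {
  awk '$6 == "\"POST" { print $1, $7 }' "$1" | sort | uniq -c | sort -rn
}

# Run all three checks against a docroot and (optionally) an access log.
# Usage: triage ~/public_html ~/access-logs/example.com 7
triage() {
  docroot=$1; log=${2:-}; days=${3:-7}
  echo "== world-writable directories under $docroot"
  find_world_writable "$docroot"
  echo "== files changed in the last $days days"
  find_recent_files "$docroot" "$days"
  if [ -f "$log" ]; then
    echo "== POST requests by client IP and path (count first)"
    post_requests "$log"
  fi
  return 0
}

# Constructed sample log (placeholder IPs from the documentation ranges)
# so the checks can be tried offline: one GET, two POSTs to a dropped
# file under an uploads directory, one legitimate-looking form POST.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [16/Jun/2016:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jun/2016:10:00:07 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jun/2016:10:00:09 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2016:10:01:00 +0000] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
}
```

Run it as `triage ~/public_html /path/to/access.log` after sourcing the file. The point of the three outputs together is correlation: a file that appears in the recent-files list, sits in a world-writable directory, and matches the path of the most frequent POST entries is the upload point, and the IP on that line is the one to report or block at the login/upload area. Changing passwords without this step (as the thread shows) just resets the clock.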