Restrict user from accessing other cPanel account files

Hamla

Registered
Apr 8, 2022
4
0
1
Serbia
cPanel Access Level
Root Administrator
Hello,

We're having an issue lately, where one user's website is breached by the hack and that hack simply spreads through the server. Therefore, having multiple sites infected with the same malware.

We're using Cloudlinux and have CageFS enabled for all users by default, but it doesn't appear to be doing the work we need.

Is there any way we can limit that malware/hack spread when one account is affected?


Thanks in advance :)
Marko
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
17,439
2,836
363
cPanel Access Level
Root Administrator
Hey there! We'd need much more information before being able to provide you with any details. The type of hack would be good to know, as I would expect something to require root-level access to the machine to spread across accounts.

We do have security tools that run whenever we log into a machine through our ticket system, so if you submit a ticket our team could check and see if they can determine the reason behind the server compromise.
 

Hamla

Registered
Apr 8, 2022
4
0
1
Serbia
cPanel Access Level
Root Administrator
Hello cPRex,

Thank you so much for jumping in to help!


The malware in most cases is phishing(social engineering) so it's just a few scripts that pretend to be something else. I am fully aware of what it is for and why, but it is quite hard for me to identify how they got in in the first place. Was it an outdated plugin in CMS, someone's password got leaked or there is a major flaw in my setup!

I'll create a ticket and provide an access to the server. As I have(I hope so) removed the current malware wave, you can find the examples in the Imunify(should keep the copy for another 24h most likely).

Thanks in advance
 

Hamla

Registered
Apr 8, 2022
4
0
1
Serbia
cPanel Access Level
Root Administrator
David responded to the ticket and provider a very detailed response. It appears that things are alright from the server-side and that malware is most likely being injected via CMS. We'll manage this on our own from this point :)