Script Capturing Login Details on New Account?

Discussion in 'Security' started by Adrian Gonzales, Nov 5, 2018.

  1. Adrian Gonzales

    Adrian Gonzales Registered

    Hello, how are you?
    Today I received a new order for a shared hosting package.
    When checking the site of the new order, I came across a script that captures all the login details of the database and the login for the cPanel control panel.
    When I visited the client site, I came across a list of .txt files with user names, and when I opened the file I came across the database login details and control panel login of every shared hosting account hosted on the server.
    The script is PHP!
    I would like to know how I can handle this to avoid it again in the future!
    Thank you!
     
  2. rpvw

    rpvw Well-Known Member

    This sounds awfully like your server has been exploited - possibly by a Web Shell, which are often written in PHP.

    Search in your favourite search engine for "web shell php" and see if you recognise anything.

    As for cleaning it up ... first you need to know if the exploit can access files on other accounts and/or inside the operating system.

    If there is ANY suspicion that the exploit has escaped out of the account where you found it, the only way to ensure you have dealt with it is to reinstall the server from scratch.

    See Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation

    If you are confident that the compromise was limited to the new account, you could perhaps run a system-wide clamscan, and also install and run a tool like Rootkit Hunter or chkrootkit; however, it may be too late to get a true detection rate as the signatures of system files may have already been changed.

    Going forwards, when you are satisfied your server is 100% free of any malware or compromise, you should take a look at:
    Tips to Make Your Server More Secure - cPanel Knowledge Base - cPanel Documentation
    Recommended Security Settings - cPanel Knowledge Base - cPanel Documentation
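
The first question in the reply above, whether a script in one account can reach files in other accounts, can be partly checked from file permissions. The following is an added example, not part of the original post and not cPanel's own tooling; it assumes accounts live under one home root such as /home, and the credential file names it looks for are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: flag directories and credential files that any other
# account on the server can read. File names are assumptions, not from the thread.

# Home directories that other users can list (o+r). One path per line.
listable_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -004 | sort
}

# Credential-bearing files readable by "other". The name list is an assumption.
world_readable_configs() {
    find "$1" -mindepth 2 -type f \
        \( -name 'wp-config.php' -o -name 'configuration.php' \
           -o -name '.my.cnf' -o -name '.env' \) \
        -perm -004 | sort
}

# Constructed sample tree standing in for /home, so the audit runs offline.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/alice/public_html" "$root/bob/public_html" \
             "$root/carol/public_html"
    : > "$root/alice/public_html/wp-config.php"
    : > "$root/bob/public_html/wp-config.php"
    : > "$root/carol/.my.cnf"
    chmod 711 "$root/alice" "$root/bob"
    chmod 755 "$root/carol"                              # listable by anyone
    chmod 755 "$root"/*/public_html
    chmod 644 "$root/alice/public_html/wp-config.php"    # readable by anyone
    chmod 600 "$root/bob/public_html/wp-config.php"      # owner only
    chmod 600 "$root/carol/.my.cnf"
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /home   (with no argument, runs on the sample tree)
main() {
    target=${1:-}
    [ -n "$target" ] || target=$(build_sample_tree) || exit 1
    echo "== home directories listable by other users =="
    listable_homes "$target"
    echo "== credential files readable by other users =="
    world_readable_configs "$target"
}
main "$@"
```

Permission bits are only one route between accounts, so an empty result does not show that the script stayed inside the account where it was found.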
     
  3. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @Adrian Gonzales

    The advice provided by @rpvw here is solid. Please let us know if you have any questions or concerns after reading through the documentation links he provided.


    Thanks!
     