Security Concern Questions

Discussion in 'Security' started by Maknet Corp, Dec 7, 2015.

  1. Maknet Corp

    Maknet Corp Member

    Joined:
    Jul 14, 2015
    Messages:
    22
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    We occasionally have a cPanel account (or possibly FTP account) hacked.

    Specifically:
    - They added *.domain or <random_letters>.domain as a sub-domain
    - They uploaded a PHP script
    - They spammed out

    Normally we just clean it up, but the last account had an empty public_html directory (e-mail only), no additional FTP accounts, and the account was a friend's, so I never gave the password.

    So now I'm wondering if anyone can think up any other ways of hacking the server that I can look at. I'm hoping it's not a root compromise...

    Thanks.
     
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Vulnerability or incorrect file permissions in the scripts you are running on the site
     
  3. Maknet Corp

    Maybe a better question:

    If somebody only had FTP (public_html), are they able to get into cPanel?
     
  4. dalem

  5. Maknet Corp

    Thanks for the quick reply!

    So basically, in order for a user to add in a sub-domain, they _must_ have a cPanel login at some point.

    So that means the question is whether the password is compromised or the server?
     
  6. Maknet Corp

    So something like this:
    217.33.6.71 - xxxxx [12/05/2015:21:58:05 -0000] "GET /cpsess8899605643/frontend/x3/filemanager/showfile.html?file=testFile.txt&fileop=&dir=%2Fhome%2Fxxxxx%2Fpublic_html%2Fmy.bedandbreakfast.eu&dirop=&charset=&file_charset=utf-8&baseurl=&bas

    Means the hacker has cPanel access?
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Assuming authentication is successful, then yes, that entry suggests access to File Manager, which is only possible with the cPanel username and password. You can review /usr/local/cpanel/logs/login_log to review login attempts.

    Thank you.
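
Added example, not part of the original posts and not cPanel's own code: a small triage script for log lines shaped like the entry quoted in the thread, listing which IPs held an authenticated `cpsess` session for an account and which directories they opened in File Manager. The sample lines are constructed, the status code after the request is an assumption about the line's truncated tail, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines shaped like the entry quoted in the thread.
# Assumption: an HTTP status code follows the quoted request.
SAMPLE_LOG = '''\
203.0.113.10 - exampleuser [12/05/2015:21:58:05 -0000] "GET /cpsess1111111111/frontend/x3/filemanager/showfile.html?file=testFile.txt&dir=%2Fhome%2Fexampleuser%2Fpublic_html%2Fsub.example.com HTTP/1.1" 200 0
198.51.100.7 - exampleuser [12/06/2015:09:12:00 -0000] "GET /cpsess2222222222/frontend/x3/index.html HTTP/1.1" 200 0
203.0.113.10 - exampleuser [12/06/2015:09:30:00 -0000] "GET /cpsess3333333333/frontend/x3/index.html HTTP/1.1" 401 0
192.0.2.44 - - [12/06/2015:10:00:00 -0000] "GET /login/ HTTP/1.1" 401 0
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
TOKEN_RE = re.compile(r"^/(cpsess\d+)/")


def authenticated_sessions(log_text):
    """Map user -> ip -> {"sessions", "filemanager_dirs"} for requests that
    carry a username, a cpsess token and a 2xx/3xx status."""
    found = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] == "-" or m["status"][0] not in "23":
            continue  # unauthenticated, failed or unparseable
        url = urlsplit(m["url"])
        token = TOKEN_RE.match(url.path)
        if not token:
            continue
        entry = found[m["user"]].setdefault(
            m["ip"], {"sessions": set(), "filemanager_dirs": set()})
        entry["sessions"].add(token.group(1))
        if "/filemanager/" in url.path:
            # parse_qs URL-decodes the dir= parameter (%2F -> /)
            entry["filemanager_dirs"].update(parse_qs(url.query).get("dir", []))
    return found


def unexpected_ips(found, user, known_ips):
    """IPs that held an authenticated session for `user` but are not the owner's."""
    return sorted(ip for ip in found.get(user, {}) if ip not in known_ips)


if __name__ == "__main__":
    sessions = authenticated_sessions(SAMPLE_LOG)
    print(unexpected_ips(sessions, "exampleuser", {"198.51.100.7"}))
```

An authenticated session from an address the account owner does not recognise points to a stolen cPanel password rather than an FTP-only compromise.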
     
  8. Maknet Corp

    Cool, thanks for the information.

    Just trying to figure out the way they got in.
     