Dennis84

Registered
Nov 27, 2013
4
0
1
cPanel Access Level
Root Administrator
Last week someone used the nnwhm.php (Mannu,Mass WHM exploiter) script and defaced some websites. This person had root access. The code from the script can be found here [link redacted]

What can we do to prevent this kind of hacking?

Few things we did after hack on all servers:
* Disable ssh root access
* Only give access to WHM or SSH from specified ip addresses

Before hack we had:
* Cpanel/WHM is running latest version
* CentOS 5.10 completely updated
 
Last edited by a moderator:

Dennis84

Registered
Nov 27, 2013
4
0
1
cPanel Access Level
Root Administrator
Second try to post this after first time failed (hopefully this won't become a double post)

Last week someone used nnwhm.php (Mannu,Mass WHM exploiter) to get access on 1 of our servers. What can we do to prevent this kind of hacks?

Source code can be found here: [link redacted]
 
Last edited by a moderator:

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
What kernel were you running at the time? uname -a will tell you.

If your kernel was not up to date, then root privelege escalation from a web app hack may have been possible.

Also, do you use WHMCS? There have been a lot of exploits targeting that lately.

Otherwise, check all your local machines for any viruses or keyloggers that may have stolen your password(s). If you have not done so, you should re-image the server (re-install the OS and restore site content from known good backups).
 

Dennis84

Registered
Nov 27, 2013
4
0
1
cPanel Access Level
Root Administrator
Kernel version then: 2.6.18-448.16.1.el5.lve0.8.70PAE (cloudlinux)
Kernel version now: 2.6.18-371.1.2.el5 (CentOS)

We use WHMCS, but it's not installed on this server.

We check our local machine for viruses frequently and nothing found. We have started a new check already to be sure.

Thanks for helping
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
No problem. Those kernel versions look OK.

Ensure you've kept up to date with the frenzy of WHMCS patches, there have been a lot recently. I've seen a lot of servers get rooted because of that, even when WHMCS is installed on a separate server. If the WHMCS install manages any accounts on the server in question, then it has access, and if it was compromised it could result in this issue.
 

Dennis84

Registered
Nov 27, 2013
4
0
1
cPanel Access Level
Root Administrator
We have updated WHMCS constantly when new patches came out. We will have a look into the WHMCS installation to see if we can find something wrong there.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello :)

Keep in mind that you should backup the accounts and reinstall the OS if the server was rooted. Also, the cPanel Security Advisor is helpful for providing you with some tips on settings that you can change for increased security.

Thank you.