Server Compromised

Discussion in 'General Discussion' started by SecureServing, Jun 18, 2011.

  1. SecureServing

    SecureServing Member

    This "Hacker" group or individual keeps gaining access to my WHMCS and then using public keys to access WHM and also uploading "Malicious Shell Files" to gain access to all my files and root permissions, basically.

    I'm not sure how they are doing this, since my WHMCS is the latest version, the cPanel is on the latest stable build, and my security is pretty tight with CSF + Mod Security / Munin Server monitor and secured Apache/PHP options.

    Please assist me in getting this fixed. The VPS is being restored to a previous backup; he deleted everything on the VPS (rm -rf).

    Thanks.
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Have you contacted WHMCS to have them check into it? If the point of entry has been the WHMCS account, that is where you should start.

    Next, do you share the password for that account with anyone, and have you scanned all computers that have logged into that account for trojans or malware? Any PC that connected to that account might have stored the password. Since WHMCS allows browser-based logins, if your browser had the password stored, anyone who managed to get a trojan or malware on said computer could then gain entry into the machine that way. This is why looking at all computers that logged into that account should be the first line of checking if that was the entry point.
     
  3. SecureServing

    SecureServing Member

    No, this computer is clean, and I just asked the "Hacker"; he said it's not a WHMCS exploit.
     
  4. tank

    tank Well-Known Member

    So the Hacker told you it's not a WHMCS exploit. LOL, well that settles it. I am not calling him a liar, but I think his credibility has diminished with his current activities and all. Still, I would follow Tristan's advice.

    Also, I am rather a big newbie, but do you have Host Access Control configured correctly?
     
  5. SecureServing

    SecureServing Member

    Yes, just configured it.
     
  6. tank

    tank Well-Known Member

    So.... did that fix your problem? Only allow the IP addresses that you want to connect and probably any local IP address just so you don't accidentally get locked out. Then deny every other IP address.

    In your CSF, run the test to see how secure your server is, then fix those problems one at a time.
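
An illustration of the allow-then-deny-everything-else advice in the post above, added here as an example and not written by anyone in the thread. It assumes rules in TCP-wrappers `daemon : clients : action` syntax, an empty hosts.deny, and IPv4 only; the daemon names and documentation-range addresses in the sample are constructed.

```python
# Constructed sample rules (not taken from the thread).
SAMPLE_RULES = """\
# admin workstation and localhost may reach SSH
sshd : 192.0.2.10 : allow
sshd : 127.0.0.1 : allow
sshd : ALL : deny
whostmgrd : 192.0.2.10 198.51.100. : allow
cpaneld : ALL : allow
"""

def parse_rules(text):
    """Return [(daemon, [client patterns], action)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[2].lower() not in ("allow", "deny"):
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append((parts[0], parts[1].replace(",", " ").split(), parts[2].lower()))
    return rules

def _matches(pattern, ip):
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):          # prefix form, e.g. "198.51.100."
        return ip.startswith(pattern)
    return pattern == ip               # exact address

def decision(rules, daemon, ip):
    """First matching rule wins; with no match the connection is allowed."""
    for d, patterns, action in rules:
        if d in (daemon, "ALL") and any(_matches(p, ip) for p in patterns):
            return action
    return "allow"                     # implicit default (hosts.deny assumed empty)

def open_daemons(rules, probe="203.0.113.77"):
    """Daemons that still accept an address appearing in no allow rule.

    `probe` is a hypothetical stand-in for "any other IP address".
    """
    daemons = list(dict.fromkeys(d for d, _, _ in rules))
    return [d for d in daemons if decision(rules, d, probe) == "allow"]

if __name__ == "__main__":
    print("missing a final deny:", open_daemons(parse_rules(SAMPLE_RULES)))
```

In the sample, the `whostmgrd` allow list has no effect because no `ALL : deny` line follows it, so unlisted addresses fall through to the implicit allow.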
     
  7. SecureServing

    SecureServing Member

    I updated WHMCS; I just noticed there was a minor release, and he said it was an ionCube exploit, something WHMCS requires. I updated system software, set CSF to High for the past 24 hours, and changed the Contact Manager so it alerts me on everything.
     
  8. k-planethost

    k-planethost Well-Known Member

  9. SecureServing

    SecureServing Member

    Eh, no, I have not informed WHMCS, but I have upgraded to the latest patch, so I'm not sure.
     
  10. k-planethost

    k-planethost Well-Known Member

    Apply the files also for Version: 4.5.2 if you still have issues, and if you think they perform a mysql rejection on WHMCS, contact WHMCS support (Matt, John, etc.).
    If there is a security hole in the new version, they should figure out what's wrong before we get a server exploit ASAP.
    Have you installed mod security with got rules in order to avoid mysql rejections etc.?
     