The Community Forums


Server compromised

Discussion in 'Security' started by mohannad1982, May 13, 2017.

  1. mohannad1982

    mohannad1982 Registered

    Joined:
    May 13, 2017
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Russia
    cPanel Access Level:
    Root Administrator
    Hello!!
    A few days ago I found a C99 shell in my files, in this path: /home/user/
    So I deleted it and installed maldet so I could scan the server and delete all patches or shells.
    After that I saw that my site was being redirected to another site, to a page that included AdSense ads. I scanned the server one more time and found that the hackers had modified one of the JavaScript files with another one..
    Yesterday I tried to secure all files with ( chattr +i /path ).. so I thought that this would solve my problem, but the redirection to the hacker's site stopped for only 2 hours, and then he returned and redirected my site again..
    I have 4 million traffic a month, and I am losing all 15 years of work on my site
    ( the site is in the Arabic language )
    So what else can I do, and why does it happen after I secured the files?
    Thanks
     
  2. Ibrahim S

    Ibrahim S Registered

    Asalaam Alaikum,

    They must have an encrypted backdoor. I would recommend that you turn off "file_uploads" in PHP and ensure that you don't have "exec" as well.

    Let me know if you need any further help.

    Sincerely,
     
  3. 24x7server

    24x7server Well-Known Member

    Hi,

    It looks like the account is compromised.

    1. Change the password of the account immediately (cPanel, FTP, etc.).
    2. Scan the complete directory of your account.
    3. Secure your website, so code cannot be manipulated in it.

    There is a chance that some code has been injected which will trigger from time to time and get you into the same situation again..

    Maldet will not detect everything; try switching to different solutions too.
     
  4. mohannad1982

    mohannad1982 Registered

    @24x7server
    Hello bro, I did all the things that you said; also I deleted the old site and now I work with the original one..
    Also..
    I disabled SSH Password Authorization and I work with root’s SSH keys. I noticed that when I restart the ssh service I receive something like this (May 15 13:24:52 server1 sshd[22330]: Received disconnect from 88.247.250.201: 11: Bye Bye)
    and when I block this IP, after 1 hour I restart the ssh service and find the same kind of message but with another IP..
    Also I notice that when I log in to an account from root..
    List Accounts > ( the account ), after that cPanel is opened. I have the retro style, so when cPanel opens, it opens in the root, not in public_html ( as I set it up from the settings [attachment: Untitled.png]
    I think that I have been completely hacked. Is there any way to fix it without formatting the server?
    Thanks
     
  5. cPanelJasonT

    cPanelJasonT Level 2 Technical Analyst
    Staff Member

    Hello,
    The suggestions provided in this thread for removing the malware and restricting access are good suggestions. One could speculate on common methods (e.g. symlink attack), but it really requires a qualified system administrator to investigate the logs on your server and determine the source of the attack. There is a thread here where a similar question is asked:

    Log Files To Check After Account Hacked

    As far as security going forward after you have reinstalled the OS and cPanel and restored the accounts, the following document is a good place to start:

    Security - cPanel Knowledge Base - cPanel Documentation
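    As an added example (not from this thread, cPanel, or maldet), two small POSIX shell helpers for the kind of log and file triage the replies above describe: summarising the "Received disconnect" sshd lines quoted in post 4 per source address, and listing web-facing files changed within the last few days, which is the first question to ask when a chattr +i file is altered again. The sample log and docroot are constructed inline; on a real server you would point them at /var/log/secure and the account's public_html.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the thread or from cPanel).
# The sample log and docroot below are constructed; on a real server point
# disconnect_sources at /var/log/secure and recent_web_changes at ~user/public_html.

# Count "Received disconnect" events per source address in an sshd log and
# print "count address", busiest first. The address is field 9 in both the
# "from A.B.C.D:" and the "from A.B.C.D port N:" layouts, so both are handled.
disconnect_sources() {
  awk '/sshd\[[0-9]+\]: Received disconnect from / {
         ip = $9; sub(/:.*$/, "", ip); seen[ip]++
       }
       END { for (ip in seen) print seen[ip], ip }' "$1" | sort -rn
}

# List web-facing files under a docroot changed within the last N days
# (default 3). A file that was chattr +i yet still appears here was either
# un-immutabled by someone holding root or replaced via a different path,
# which is the question the thread's two-hour relapse raises.
recent_web_changes() {
  dir=$1
  days=${2:-3}
  find "$dir" -type f \( -name '*.js' -o -name '*.php' -o -name '.htaccess' \) \
       -mtime "-$days" -print | sort
}

# ---- constructed sample data ------------------------------------------
WORK=$(mktemp -d)

# First line is the one quoted in the thread; 203.0.113.5 and 198.51.100.9
# are RFC 5737 documentation addresses, not real hosts.
cat > "$WORK/secure" <<'EOF'
May 15 13:24:52 server1 sshd[22330]: Received disconnect from 88.247.250.201: 11: Bye Bye
May 15 13:25:10 server1 sshd[22341]: Received disconnect from 88.247.250.201: 11: Bye Bye
May 15 13:26:03 server1 sshd[22355]: Accepted publickey for root from 203.0.113.5 port 51022 ssh2
May 15 13:27:44 server1 sshd[22370]: Received disconnect from 198.51.100.9 port 40012:11: Bye Bye
EOF

# A docroot with one old script and one freshly written (suspicious) one.
mkdir -p "$WORK/public_html/js"
touch "$WORK/public_html/js/jquery.js"
touch -t 201701010000 "$WORK/public_html/js/jquery.js"   # backdated to Jan 2017
touch "$WORK/public_html/js/inject.js"                    # modified just now

echo "disconnects per source:";    disconnect_sources "$WORK/secure"
echo "recently changed web files:"; recent_web_changes "$WORK/public_html" 3
```

    Repeated disconnects from one address are only noise from scanners unless they are followed by an "Accepted" line; the second helper is what tells you whether the attacker still has a write path into the docroot.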
     