mohannad1982

Registered
May 13, 2017
2
0
1
Russia
cPanel Access Level
Root Administrator
Hello !!
a few days ago i found a C99 shell in my files, in this path /home/user/
so i deleted it and install ( maldet ) so i can scan the server and delete all patches or shells
after that i see that my site is been redirected to another site to page that included ADSENSE ads, i scanned the server one more time and found that the hackers has modified one of the java scripts with another on..
yesterday i tried to secure all files with ( chattr +i /path ) .. so i think that this will solve my problem, but the redirection to the hacker's site is stopped only 2 hours, and he return redirect my site..
i have traffic 4 Million a month , and i am loosing all 15 years work on my site
( the site is in Arabic language )
so what else i can do, and why after i secured the files it is happen ?
thanks
 

Ibrahim S

Registered
May 13, 2017
1
0
1
UK
cPanel Access Level
Root Administrator
Asalaam Alaikum,

They must have an encrypted backdoor, I would recommend you to turn off the "file_uploads" from the PHP and ensure that you don't have "exec" as well.

Let me know if you need any further help.

Sincerely,
 

24x7server

Well-Known Member
Apr 17, 2013
1,911
96
78
India
cPanel Access Level
Root Administrator
Twitter
Hi,

It looks like the account is compromised.

1. Change the password of the account immediately (Cpanel, FTP, etc..)..
2. Scan the complete directory of your account.
3. Secure your website, so codes cannot be manipulated in it.

There are chances that some codes may be injected, which will trigger from time to time to get you in the same situation again..

Maldet will not detect everything, try switching to different solutions too.
 

mohannad1982

Registered
May 13, 2017
2
0
1
Russia
cPanel Access Level
Root Administrator
@24x7server
Hello Bro, i did all things that you said, also i deleted the old site and now i work with original one..
also ..
i disabled SSH Password Authorization and i work with root’s SSH Keys. i noticed that when i restart the ssh service i receive something like that (May 15 13:24:52 server1 sshd[22330]: Received disconnect from 88.247.250.201: 11: Bye Bye)
and when i block this IP, after 1 hour i restart the ssh service and find like this message but another IP ..
also i notice that when i login account from root ..
List Accounts>( the account ) after that the cpanel is opened, i have retro style, so when the cpanel opened, it opens in the root not in public_html ( as i set it up from setting Untitled.png
i think that i have competently hacked , is there is any way to fix it ? without formatting the server
thanks
 

cPanelJasonT

Level 2 Technical Analyst
Staff member
Oct 21, 2014
54
6
83
cPanel Access Level
Root Administrator
Hello,
The suggestions provided in this thread for removing the malware and restricting access are good suggestions. One could speculate on common methods (e.g. symlink attack), but it really requires a qualified system administrator to investigate the logs on your server and determine the source of the attack. There is a thread here where a similar question is asked:

Log Files To Check After Account Hacked

As far as security going forward after you have reinstalled the OS and cPanel and restored the accounts, the following document is a good place to start:

Security - cPanel Knowledge Base - cPanel Documentation