Server Hacked through Backdoor

ankeshanand · Well-Known Member · Mar 29, 2021 · India · cPanel Access Level: Root Administrator
My cPanel/WHM server got hacked and the hacker was successful in changing the root password. Though he gave back the server access afterwards, it creates a big privacy concern. As per the hacker, he hacked through one of the WordPress plugins, got into File Manager successfully and uploaded the backdoor to .well-known. I have Imunify360 on my server and Imunify360 could not stop it. All my servers are too secure for SSH brute force and have CloudLinux with CageFS, but the hacker successfully got into it. The amazing thing is that my servers have a daily virus scan and Imunify360 marked the file safe. Even SSH access for all accounts is activated on request, and that account did not have shell access. cPanel should quickly make a fix for the backdoor.
 

cPRex · Jurassic Moderator · Staff member · Oct 19, 2014 · cPanel Access Level: Root Administrator
Hey there! Even if the initial hack happened through a user's WordPress plugin, there would still need to be a method to gain root access, such as through sudo as a user, or getting the password directly through a keylogger tool on a user's workstation. That would not be related to a security issue in the cPanel software.

It would be best to migrate that server's data to a new machine as there is not a way to clean the hacked server.

If you do think the file you mentioned points to a security issue with the cPanel software, please email all the details you have to our team at [email protected].
 

mtindor · Well-Known Member · Sep 14, 2004 · inside a catfish · cPanel Access Level: Root Administrator
.well-known is a directory used by AutoSSL, no? I'd be concerned that somebody could have potentially found a way to use the AutoSSL process to run an exploit from /.well-known. If I ran across this scenario, I'd be emailing [email protected] pretty quickly. Hopefully it has nothing to do with an unknown exploitation vector though.

Mike
 

mtindor · Well-Known Member · Sep 14, 2004 · inside a catfish · cPanel Access Level: Root Administrator
Sure, but .well-known isn't any different than any other directory under the user's public_html
Except that AutoSSL uses that directory to write a file to, at least temporarily, right? Granted, AutoSSL writing a file there isn't going to be an issue. It would only be an issue if AutoSSL were reading a file from there.

At any rate, you know way more than me. I guess I really just encourage the OP to send details to you guys anyway, just in case.
 

ankeshanand · Well-Known Member · Mar 29, 2021 · India · cPanel Access Level: Root Administrator
The thing was intentionally executed to take the server down, though we have made a fix. The user purposely purchased hosting and then uploaded its content. As Imunify360 would do, it blocked the file 7 times on the server, and the user did not have the option to disable kill mode. He uploaded the backdoor ZIP file to .well-known (I don't know if Imunify360 scans that folder) and then got access. It is still unclear how, when he did not have shell access, he made it through the backdoor. As we checked, another SSH authorized key had been added to the file and we deleted that. Additionally, we upgraded it to version 94 and suspended the account. I am not sure if the exploit still works or has been stopped by Imunify360, but now I've installed Virus Scanner as an extra measure with CSF so that LFD sends a mail whenever root is accessed.
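Two of the checks that come up in this thread, reviewing an authorized_keys file for entries nobody added and looking through a user's .well-known directory for files that are not plain validation tokens, as an added POSIX shell example. This is not code from the thread, cPanel, AutoSSL, Imunify360 or CSF; the directory layout, the allowlist file, the key values and the sample file names it creates are all constructed for the demo, and the rule for "suspicious" (archives, PHP/shell scripts, owner-executable files) is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the forum thread or any product named in it.
# Two post-incident checks for a hosting account: unexpected entries in an
# authorized_keys file, and archives/scripts/executables in .well-known.
# Every path and key value below is constructed for the demo.

# Print "<type> <base64>" for one authorized_keys line, dropping leading
# options (e.g. command="...") and the trailing comment, so two lines that
# carry the same key compare equal even when the comment differs.
key_id() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1); exit }
    }'
}

# Print every key in $1 (an authorized_keys file) that is absent from $2
# (a file of known-good public keys, one per line), prefixed with UNKNOWN:.
# Lines that do not parse as a key are reported as UNPARSEABLE:.
audit_authorized_keys() {
    keys_file="$1"
    allow_file="$2"
    # Normalise the allowlist once so options/comments there do not matter.
    allowed=$(while IFS= read -r l || [ -n "$l" ]; do key_id "$l"; done < "$allow_file")
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        id=$(key_id "$line")
        if [ -z "$id" ]; then
            printf 'UNPARSEABLE: %s\n' "$line"
        elif ! printf '%s\n' "$allowed" | grep -qxF -- "$id"; then
            printf 'UNKNOWN: %s\n' "$line"
        fi
    done < "$keys_file"
    return 0
}

# Number of unknown keys as a single line on stdout (exit status stays 0).
count_unknown_keys() {
    audit_authorized_keys "$1" "$2" | grep -c '^UNKNOWN: ' || true
}

# List files under a .well-known directory that should not be there: archives,
# PHP/shell scripts, and anything with the owner-execute bit. Domain-validation
# files written there by a certificate process are plain text, so none match.
find_suspicious_wellknown() {
    find "$1" -type f \( -name '*.zip' -o -name '*.php' -o -name '*.phtml' \
        -o -name '*.sh' -o -perm -100 \) 2>/dev/null | sort
}

# Build a throwaway account layout: one allowed key, one key nobody
# authorised, a harmless validation file and a dropped archive (all
# constructed). Prints the directory so callers can remove it afterwards.
setup_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/.ssh" "$d/public_html/.well-known"
    cat > "$d/allowlist" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEallowedKEYnotREALbase64xxxxxxxx admin@workstation
EOF
    cat > "$d/.ssh/authorized_keys" <<'EOF'
# constructed sample: the second key was never authorised by the admin
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEallowedKEYnotREALbase64xxxxxxxx admin@workstation
command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEunknownKEYnotREALxxxx nobody@unknown
EOF
    printf 'token-for-domain-validation\n' > "$d/public_html/.well-known/validation.txt"
    printf 'PK\003\004not-really-a-zip\n' > "$d/public_html/.well-known/dropped.zip"
    printf '%s\n' "$d"
}

demo() {
    d=$(setup_sample)
    echo "== authorized_keys audit =="
    audit_authorized_keys "$d/.ssh/authorized_keys" "$d/allowlist"
    echo "== suspicious files in .well-known =="
    find_suspicious_wellknown "$d/public_html/.well-known"
    rm -rf "$d"
}

demo
```

On a real server the allowlist is the set of keys the administrator can vouch for, and the audit is run against every account's `~/.ssh/authorized_keys` (and root's) rather than the constructed sample; an UNKNOWN: line is something to remove and investigate, and an UNPARSEABLE: line is worth a look too, since a key-type prefix the parser does not recognise may be a newer type or may be junk. The option-stripping in `key_id` picks the first field that looks like a key type, so an option value that itself contains a token starting with `ssh-` would confuse it; that is acceptable for a triage script but not for enforcement.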