Server Hacked through Backdoor

[ankeshanand]

My cPanel/WHM Server got hacked and The Hacker was successful in changing the Root Password. Though, He gave back the Server access afterwards but it creates a Big Privacy Concern. As per the Hacker, He hacked through one of the Wordpress Plugins and Got into File Manager Successfuly and uploaded the Backdoor to .well-known . I have Imunify360 on My Server and Imunify360 Could not stop it. All My Servers are too secure for SSH Bruteforce and have Cloudlinux with CageFS but hacker successfully got into it. The amazing thing is that My Servers have Daily Virus Scan and Imunify360 marked the File Safe. Even SSH Access for All Accounts are activated on request and That account did not have Shell Access. cPanel should quickly make a Fix for the Backdoor.

 

[cPRex]

Hey there! Even if the initial hack happened through a user's WordPress plugin, there would still need to be a method to gain root access, such as through sudo as a user, or getting the password directly through a keylogger tool on a user's workstation. That would not be related to a security issue in the cPanel software.

It would be best to migrate that server's data to a new machine as there is not a way to clean the hacked server.

If you do think the file you mentioned points to a security issue with the cPanel software, please email all the details you have to our team at [email protected].

 

[mtindor]

.well_known is a directory used by AutoSSL, no? I'd be concerned that somebody could have potentially found a way to use the AutoSSL process to run an exploit from /.well-known. If I ran across this scenario, i'd be emailing [email protected] pretty quickly. Hopefully it has nothing to do with an unknown exploitation vector though.

Mike

 

[cPRex]

Sure, but .well-known isn't any different than any other directory under the user's public_html

 

[mtindor]

Sure, but .well-known isn't any different than any other directory under the user's public_html

Except that AutoSSL uses that directory to write a file to, at least temporarily, right? Granted, AutoSSL writing a file there isn't going to be an issue. It would only be an issue if AutoSSL were reading a file from there.

At any rate, you know way more than me. I guess I really just encourage the OP to send details to you guys anyway, just in case.

 

[cPRex]

For sure - anything like that should get all the details you have sent to our security email address so we can check it out!

 

[ankeshanand]

The thing was intentionally Executed to make the server down though we have made a Fix. The user purposely purchased a Hosting and then uploaded its Content. As Imunify360 would do, It blocked the file 7 Times into server and the User did not have options to disable kill mode. He uploaded the Backdoor ZIP file to .well-known (I Don't know if Imunify360 scans that Folder) and then Got access. Still question is unsure that when he did not have shell access, How he made it through the Backdoor. As we checked, Another SSH Authorized Key was added in the File and we deleted that. Additionaly, We upgraded it to Version 94 and Suspended the account. I am not sure if the exploit still works or has been stopped by Imunify360 but Now I've installed Virus Scanner as an extra measure with CSF so that LFD sends a Mail whenever root is accessed.

 

[jaifar]

The same thing happened to me last week, the hacker is able to
1. change the root password
2. deleted all files under my one of the cPanel account public_html
3. uploaded folder with name Bots.

really can't understand how he did that !!!

anyway, after the case, I have enabled the Bruteforce, enabled Imunify360 and purshased Bitninja

 

[cPRex]

@jaifar - if the server was root compromised, it would be best to migrate your data to a new machine with a new root password, as it is not possible to "clean" an infected system completely as there is no way to know what backdoors may exist. We have some additional details on this here:

Why Can't I Clean a Hacked Machine? | cPanel & WHM Documentation

This document explains why you can't clean a hacked machine.

docs.cpanel.net

 

[arlindmurati]

I agree with @cPRex you should migrate the files asap, I don't believe in cleaning a hacked website/server, however, I don't agree with the line " All My Servers are too secure for SSH Bruteforce", there is no too secure, too safe in the tech industry.

The server didn't get hacked through cPanel, but through a WordPress website which seems to have been unsecured.

My recommendation after migrating to a new server, move your emails to a service provider such gmail (so mail.domain won't expose your server's IP) and move your DNS to cloudflare.

Regarding to WordPress, change default WordPress login url to something custom with the help of "wps-hide-login", install a security plugins such as "wordfence", make sure you update your WordPress as soon as a stable version is released.

Regarding to the server, install CSF, disable ssh root password authentication, change default ssh port, enable SSH authentication only via SSH keys, disable mysql remote connections, setup 2fa on your whm root login and cPanel accounts (if you are to lazy to login and everytime type the 2fa code, you can just type whmlogin on ssh and it will generate a single sign on URL) setup a backup onsite and offsite and you will be just fine .


P.S Change DB passwords