server security is breached?

niceboy
Active Member | Joined Sep 29, 2011 | cPanel Access Level: Root Administrator
Hi,

One of my customers' sites was hacked due to an outdated theme. I found a PHP shell script.

I copied it to one of my cPanel accounts hosted on the server, changed the MD5 password used in the script and tried accessing it through the browser.

Even though it did not allow me to see any contents in the /home or /root folders, I can browse to /, /usr/bin/ and /bin through the script.

Is there anything to worry about here? Please respond.
 

cPanelMichael
Administrator, Staff member | Joined Apr 11, 2011
Hello :)

It's difficult to speculate on exactly what data may have been accessible. I recommend consulting with a qualified system administrator if you are concerned that your server may have been compromised. Going forward, you may want to review your existing configuration in order to prevent this type of attack. While not yet intended for general use, the cPanel Security Advisor can help provide general tips on improving your system's security.

Open source cPanel Security Advisor Addon

Thank you.
 

quizknows
Well-Known Member | Joined Oct 20, 2009 | cPanel Access Level: DataCenter Provider
niceboy said:
> Hi,
>
> One of my customers' sites was hacked due to an outdated theme. I found a PHP shell script.
>
> I copied it to one of my cPanel accounts hosted on the server, changed the MD5 password used in the script and tried accessing it through the browser.
>
> Even though it did not allow me to see any contents in the /home or /root folders, I can browse to /, /usr/bin/ and /bin through the script.
>
> Is there anything to worry about here? Please respond.

This is perfectly normal; those areas have to be world-readable for Linux to function. Most likely it's just the one site you have to worry about; get it restored/patched and you should be all set. Some other recommendations going forward would be CloudLinux with CageFS and SecureLinks, and perhaps Atomicorp or Trustwave's premium ModSecurity rule sets.
 
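The point quizknows makes above, that /, /bin and /usr/bin are world-readable by design while /root and the per-account directories under /home should not be, can be verified from the mode bits rather than by trying to list the directories. The following POSIX shell script is an added example written for this thread; it is not code from any poster or from cPanel. It reads the "other" read bit from the `ls -ld` mode string, so the result does not depend on the privileges of whoever runs it, and then audits the paths named in the thread. The expected outcomes it comments on are typical for a Linux host, not guarantees.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a path is readable by
# "other" (i.e. by every account on the host) by inspecting its mode bits.

# Prints "<path>: world-readable" and returns 0 when the other-read bit is
# set; prints "<path>: restricted" and returns 1 otherwise.
world_readable() {
    path=$1
    # In the long listing format "drwxr-xr-x", character 8 is the "other"
    # read bit: 'r' when set, '-' when clear.
    bit=$(ls -ld "$path" | cut -c8)
    if [ "$bit" = "r" ]; then
        echo "$path: world-readable"
        return 0
    fi
    echo "$path: restricted"
    return 1
}

# Audit the directories discussed in the thread. On a normal Linux host the
# first group is world-readable (binaries and libraries must be reachable by
# unprivileged processes); the second group should not be, because a
# world-readable home directory lets any account on the server read it.
audit_paths() {
    for p in / /bin /usr/bin; do
        world_readable "$p" || :
    done
    for p in /root /home/*; do
        [ -e "$p" ] || continue
        if world_readable "$p"; then
            echo "  WARNING: $p is readable by every account on this host"
        fi
    done
}

# Run the audit when executed directly.
[ "${AUDIT_SKIP_MAIN:-0}" = "1" ] || audit_paths
```

Run it as any user; a warning on a /home/<account> entry means that account's files can be read by other accounts on the same server, which is the kind of exposure the CageFS and SecureLinks suggestions in the thread are meant to address.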

niceboy
Active Member | Joined Sep 29, 2011 | cPanel Access Level: Root Administrator
Thanks for the valuable suggestions.

I did check all logs and scanned with LMD, rkhunter and ClamAV, and found nothing suspicious.

It seems that it is a single compromised site. Unfortunately, I'm on an OpenVZ VPS and can't use CloudLinux.