Shared Hosting, PHP Version Changed, Accidental or Malicious?

Fatboy40

Registered
Aug 10, 2020
1
0
1
United Kingdom
cPanel Access Level
Website Owner
This is a bit of a wild speculative post, so please excuse me if I'm talking nonsense.

At my current employer we host externally a few websites, one of which still resides on an ancient shared Linux hosting package, however the cPanel managing it is at version 88.0.13 and in the IT department we manage all hosting with a Marketing department and third parties managing the websites content. Just over a week ago the website on the shared hosting became unavailable, 500 errors when browsing, and in cPanel we discovered that the PHP version had been changed. We contacted the host, and they could only find ourselves having accessed the cPanel (via confirming our public IP address in logs).

This is where I get to the crux of this post, in that both our Marketing department and third parties have stated that they did not log into cPanel and change the PHP version (and I've no evidence to believe otherwise). Also I'm assuming that the cPanel environment provides a robust container on the shared host so that the version of PHP used will remain static unless a human chooses to change it?

So, weird question here, is there any possibility that cPanel had a "hiccup" and another cPanel account on the shared host changed their PHP version but it was ours that was effected by the change? If not, and cPanel is a robust trusted management platform, then I'm left with the possibility that someone is telling me a lie or an unknown third party knows the login credentials for our account and the change was malicious.

Thank you for any insight anyone can provide me with on the above.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
The version of cPanel should remain static unless someone manually changes it, yes. The host also has access to change the PHP version per domain from WHM. The POST request from the access logs looks as follows:

Code:
<MyIPAddress> - root [08/10/2020:20:49:43 -0000] "POST /cpsess1989687553/json-api/php_set_vhost_versions HTTP/1.1" 200 0 "https://server.myserver.us:2087/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36" "s" "-" 2087
<MyIPAddress> - root [08/10/2020:20:50:01 -0000] "POST /cpsess1989687553/json-api/php_get_vhost_versions HTTP/1.1" 200 0 "https://server.myserver.us:2087/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36" "s" "-" 2087
There's no indication of the specific domain which is being modified so it is possible someone could have mistakenly done this.