The Community Forums


Site got hacked but how?

Discussion in 'Security' started by sarwar, Nov 14, 2011.

  1. sarwar

    sarwar Member

    Joined:
    Dec 18, 2010
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Hello, today I saw one of my clients' sites get hacked.
    Code:
     http://eirtelbd.com/cgi-sys/suspendedpage.cgi
    My question is, how did they do this? I didn't find the file in the cPanel File Manager. How did they hack this page, and how can I prevent this?
     
  2. sumesh

    sumesh Registered

    Joined:
    Nov 14, 2011
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello Sarwar,

    Is it just this site that got hacked? I guess this can be a root-level hack. Please change your passwords and kill any suspicious processes.
     
  3. NixTree

    NixTree Well-Known Member

    Joined:
    Aug 19, 2010
    Messages:
    387
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Gods Own Country
    cPanel Access Level:
    Root Administrator
    Hello,

    The mentioned file is the "suspended account" redirect for cPanel: i.e. if you suspend an account, it will redirect to the above script; it's the cPanel default. You can't find this script in the home directory, as it is managed by "redirects". The actual location of this file is /usr/local/cpanel/cgi-sys/suspendedpage.cgi.

    You can check whether the domain is suspended from WHM using the Main >> Account Information >> List Suspended Accounts feature.

    Thank you,
    Nibin
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Since cgi-sys is actually at /usr/local/cpanel/cgi-sys, then it would be more than the account being hacked as sumesh has stated.

    Prior to killing suspicious processes, please check the process using lsof -p PID# where PID# is the PID number of the process. I would also highly suggest hiring a system admin or security expert to go over your server to check what else might be compromised and how they were able to get into the machine to make this change.
     
  5. sarwar

    sarwar Member

    Joined:
    Dec 18, 2010
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for your reply. I am on it.
     
  6. MrVon

    MrVon Member

    Joined:
    Nov 3, 2011
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Can you temporarily disable CGI for all accounts and get the log?
    For eirtelbd.com, did you have nothing there but an under-construction page, no PHP scripts?
     
  7. sarwar

    sarwar Member

    Joined:
    Dec 18, 2010
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    No, there are no PHP scripts. There was just an HTML page.
     
  8. sarwar

    sarwar Member

    Joined:
    Dec 18, 2010
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    I didn't find any suspicious processes to kill. The hacked page is viewable only on this address (eirtelbd.com).
    But on the same server and IP, on another domain, it's not appearing; check this:
    Code:
    http://rezax123.com/cgi-sys/suspendedpage.cgi
    Now how do I remove the hacked page from the eirtelbd suspended page?
     
  9. sarwar

    sarwar Member

    Joined:
    Dec 18, 2010
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    My server has been shut off by my host provider (Burst.net). They didn't give me the option to fix it; I just wanted help from them and they came with the TOS and brought my site down. They told me to move my site to another remote location and fix it. Now how can I do that? Please help.
     
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    You'll have to go back to Burst and ask them to provide you with a Full Backup of the account I would think.

    There's nothing anyone on this forum can do to help with that.

    GL!
     
  11. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hello sarwar,

    Yes, there is not much one can do if the server is compromised. I suggest you scan your website with an antivirus before you upload it to the new server. If there is malware or a trojan in your data, the chances of the site getting hacked are higher even though you host it on a new server.
     
  12. sarwar

    sarwar Member

    Joined:
    Dec 18, 2010
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    I have restored my old backup. Bullshit hackerz.. :mad:
     
  13. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    I think you have to revise the security of your servers and avoid future problems.
    Burstnet does not suspend the boxes straight away; they always send an abuse email first, and if they don't get an answer and a solution within 24 hours, they suspend afterwards.
     
  14. whplus

    whplus Well-Known Member

    Joined:
    Dec 8, 2007
    Messages:
    66
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Behind your business
    #14 whplus, Nov 29, 2011
    Last edited: Nov 29, 2011
  15. Drake

    Drake Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Hello Sarwar,

    The data center where you have your server just shut you down without even first calling you on the phone and telling you "Hey, we're disconnecting right now because your server is spamming, causing problems, or something similar"?

    I realize I am replying to your post a little late, but my recommendation (if that's what they have done) would be to drive over there and take your box somewhere else.

    Are you sure they didn't try calling you and maybe your phone was going to voice mail or something like that?

    I had to reply with such intolerance, because at very least we'd call the server's owner and tell him/her they've got 20 minutes to log in and lock down the abusive traffic coming from their server on IP number whatever.

    If we could not reach him/her that instant, we would block the outbound abusive IP and try calling you again in a little while in case you weren't near your phone. I understand that the server's owner also has sites on other IPs on the box that aren't sending out abusive traffic. Therefore I would not want to punish my customer's customers. In my eyes, just unplugging your server from the switch or shutting it off, is almost like saying we don't want your business anymore. That is... unless the server owner was a non-paying habitual network offender.

    Best regards,

    Drake Pallister
    Duraserver Tech.
     
    #15 Drake, Dec 9, 2011
    Last edited: Dec 9, 2011
  16. m8internet

    m8internet Member

    Joined:
    Jan 2, 2011
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Cumbernauld, Scotland, UK
    Was this the:
    Powered By xConsoLe CorP*

    If so, my concern is how this was executed.
    As above, resolving this is done by replacing the Suspended template within the Reseller account, rather than the root, as it only affects that specific reseller.
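    Added example (not code from the thread or from cPanel): an integrity check for the suspended-page template that NixTree located at /usr/local/cpanel/cgi-sys/suspendedpage.cgi and that m8internet's post says gets replaced per reseller. It records a sha256 manifest of a template directory, reports drift from that manifest, and greps for a defacement marker; the paths, the marker string taken from the post above, and the sample files are constructed for the demo.

    ```shell
    #!/bin/sh
    # Added example, not from the thread: integrity checks for cPanel suspended-page
    # templates. On a real server $TEMPLATE_DIR would be /usr/local/cpanel/cgi-sys
    # (per the thread) or the reseller template directory (path is an assumption);
    # the demo below uses a constructed temporary directory instead.

    # Report every file under $1 containing string $2 (case-insensitive).
    # Returns 1 if any file matched, 0 if none did.
    scan_for_marker() {
        dir=$1; marker=$2; hit=0
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            if grep -qi -- "$marker" "$f"; then
                echo "SUSPECT: $f contains '$marker'"
                hit=1
            fi
        done
        return $hit
    }

    # Write a sorted sha256 manifest of every file under $1 to the file $2.
    make_baseline() {
        ( cd "$1" && find . -type f -exec sha256sum {} + | sort ) > "$2"
    }

    # Compare directory $1 against manifest $2; returns 0 only if nothing changed.
    check_baseline() {
        ( cd "$1" && find . -type f -exec sha256sum {} + | sort ) | diff -q "$2" - >/dev/null
    }

    # Constructed demo data standing in for the real template directory.
    TEMPLATE_DIR=$(mktemp -d)
    MANIFEST="$TEMPLATE_DIR.manifest"   # kept outside the scanned directory
    printf '<html><body>This account has been suspended.</body></html>\n' \
        > "$TEMPLATE_DIR/suspendedpage.cgi"
    make_baseline "$TEMPLATE_DIR" "$MANIFEST"

    # Simulate the template being overwritten with the defacement seen in the thread.
    printf '<html><body>Powered By xConsoLe CorP</body></html>\n' \
        > "$TEMPLATE_DIR/suspendedpage.cgi"

    if check_baseline "$TEMPLATE_DIR" "$MANIFEST"; then
        echo "baseline OK"
    else
        echo "baseline MISMATCH: template changed since manifest was taken"
    fi
    scan_for_marker "$TEMPLATE_DIR" "Powered By xConsoLe" || echo "defacement marker found"
    ```

    Take the manifest right after a clean install or restore and re-run check_baseline from cron so a swapped template is noticed before a host's abuse desk notices it.
    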
     