SOLVED Sites down after restoring backup

[adeyjones]

Hi all.

Had an issue this morning where a number of my sites have been compromised, wordpress admin passwords changed etc..

So I restored one of my EC2 snapshots from the weekend on to a new EC2 instance, so far so good. When I associate my elastic IP to the new instance, I expected this to just be a mirror image and everything be OK. Unfortunately all sites give the usual insecure warning relating to SSL certificates, and if I click to continue through to the site I get the standard cPanel "sorry" misconfiguration page. Have tried to renew SSL's but this didn't help.

Am I missing something in this process? I've had to revert back to the compromised server for now as I started to get complaints of downtime from the customers.

Thanks

 

[cPRex]

Hey there! This is almost certainly a conflict with the IP address configuration as you mentioned. I'm not familiar with how EC2 handles the restore of the networking configuration between machines, but you likely need to ensure that all configurations are updated to use the new IP address. It's possible the IP Migration Wizard (IP Migration Wizard | cPanel & WHM Documentation) would be enough to get things working well, but you'd need to test that to see if that is all that needs to be done.

 

[adeyjones]

@cPRex - Thanks for your reply.

There is not actually a change in IP, that's one of the huge benefits of AWS, it is an elastic IP which once I had mirrored my instance, I could disassociate the IP from the compromised server and associate it to the new, there is no propagation time and takes effect instantly. On loading the sites from the new instance for the first time, I got the insecure warning but clicking through gives the misconfiguration errors.

As the IP and therefore hostname etc is all the same, I just cant think what the issue could be.

In the meantime, i've reverted to exporting/importing databases via phpmyadmin in WHM so that admin dashboards are accessible again using tables from before this "hack" occured.

 

[cPRex]

Is there a private IP address associated with the machine that has changed?

 

[adeyjones]

No, only the Public IP which is then changed once I associate my elastic IP to it.

 

[cPRex]

We'd likely need access to the system to see where the miscommunication is. Could you submit a ticket to our team and post the number here so I can follow along?

 

[adeyjones]

@cPRex - All sorted
So once i'd re-associated my elastic IP to my new instance, I just needed to log in to WHM and change the IP in "Basic WHM Settings", then go to "change IP of multiple sites" and change all from the compromised servers private IP, rebuild https.conf and restart apache, job done and sites came online.

 

[cPRex]

Nice - I'm glad you were able to work that out!