SOLVED Sites down after restoring backup

adeyjones

Member
Apr 26, 2019
Merseyside, UK
cPanel Access Level
Root Administrator
Hi all.

Had an issue this morning where a number of my sites have been compromised, WordPress admin passwords changed, etc.

So I restored one of my EC2 snapshots from the weekend on to a new EC2 instance; so far so good. When I associated my elastic IP to the new instance, I expected this to just be a mirror image and everything to be OK. Unfortunately all sites give the usual insecure warning relating to SSL certificates, and if I click to continue through to the site I get the standard cPanel "sorry" misconfiguration page. I have tried to renew the SSLs but this didn't help.

Am I missing something in this process? I've had to revert back to the compromised server for now as I started to get complaints of downtime from the customers.

Thanks

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! This is almost certainly a conflict with the IP address configuration as you mentioned. I'm not familiar with how EC2 handles the restore of the networking configuration between machines, but you likely need to ensure that all configurations are updated to use the new IP address. It's possible the IP Migration Wizard (IP Migration Wizard | cPanel & WHM Documentation) would be enough to get things working well, but you'd need to test that to see if that is all that needs to be done.
 

adeyjones

Member
Apr 26, 2019
Merseyside, UK
cPanel Access Level
Root Administrator
@cPRex - Thanks for your reply.

There is not actually a change in IP; that's one of the huge benefits of AWS. It is an elastic IP which, once I had mirrored my instance, I could disassociate from the compromised server and associate to the new one; there is no propagation time and it takes effect instantly. On loading the sites from the new instance for the first time, I got the insecure warning, but clicking through gives the misconfiguration errors.

As the IP, and therefore the hostname etc., are all the same, I just can't think what the issue could be.

In the meantime, I've reverted to exporting/importing databases via phpMyAdmin in WHM so that admin dashboards are accessible again, using tables from before this "hack" occurred.
 

adeyjones

Member
Apr 26, 2019
Merseyside, UK
cPanel Access Level
Root Administrator
@cPRex - All sorted :)
So once I'd re-associated my elastic IP to my new instance, I just needed to log in to WHM and change the IP in "Basic WHM Settings", then go to "Change IP of multiple sites" and change all from the compromised server's private IP, rebuild httpd.conf and restart Apache. Job done, and the sites came online.
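A pre-rebuild check for the situation described in this thread, added here as an example and not part of any post: on EC2 the elastic IP is NATed to the instance's private address, and a restored snapshot still carries the old instance's private IP in WHM's main-IP record and in every Apache VirtualHost, which is why the sites land on the default "sorry" page. The script below reports which VirtualHosts are still bound to the old private address and whether the recorded main IP matches the address the new instance actually has. The httpd.conf content and both private IPs are constructed sample data written to a temp directory; on a real server the equivalent files are `/var/cpanel/mainip` and `/etc/apache2/conf/httpd.conf`, and the closing hint names the cPanel scripts behind the WHM "rebuild" and "restart" buttons.

```shell
#!/bin/sh
# Added example: find Apache VirtualHosts and the WHM main-IP record that still
# point at a previous instance's private IP after a snapshot restore on EC2.
# Everything below reads from a constructed sample directory, not the live system.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_CONF="$SAMPLE_DIR/httpd.conf"

# Constructed sample of cPanel-generated httpd.conf after a restore: two vhosts
# still bound to the compromised instance's private IP (172.31.5.10, made up),
# one already moved to the new instance's private IP (172.31.9.77, made up).
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost 172.31.5.10:80>
    ServerName site-one.example
</VirtualHost>
<VirtualHost 172.31.5.10:443>
    ServerName site-one.example
</VirtualHost>
<VirtualHost 172.31.9.77:80>
    ServerName site-two.example
</VirtualHost>
EOF
# Stand-in for /var/cpanel/mainip, still holding the old private IP.
printf '172.31.5.10\n' > "$SAMPLE_DIR/mainip"

OLD_PRIVATE_IP=172.31.5.10   # constructed: what the snapshot was built with
NEW_PRIVATE_IP=172.31.9.77   # constructed: what the new instance actually has

# Count the VirtualHost blocks bound to a given IP (prints the number).
vhost_count() {
    awk -v ip="$2" '
        index($0, "<VirtualHost " ip ":") == 1 { n++ }
        END { print n + 0 }
    ' "$1"
}

# List the unique ServerNames whose VirtualHost is still bound to a given IP.
stale_servernames() {
    awk -v ip="$2" '
        index($0, "<VirtualHost " ip ":") == 1 { stale = 1; next }
        $0 == "</VirtualHost>"                  { stale = 0 }
        stale && $1 == "ServerName"             { print $2 }
    ' "$1" | sort -u
}

# Compare the IP WHM has recorded as its main address with the address the
# instance really has now; prints "ok" or "stale".
mainip_status() {
    recorded=$(cat "$1")
    if [ "$recorded" = "$2" ]; then echo ok; else echo stale; fi
}

# Human-readable report; on a real server point the two paths at the live files.
report() {
    echo "main IP record: $(mainip_status "$SAMPLE_DIR/mainip" "$NEW_PRIVATE_IP")"
    echo "vhosts still on $OLD_PRIVATE_IP: $(vhost_count "$SAMPLE_CONF" "$OLD_PRIVATE_IP")"
    echo "vhosts already on $NEW_PRIVATE_IP: $(vhost_count "$SAMPLE_CONF" "$NEW_PRIVATE_IP")"
    echo "domains to move via WHM 'Change IP of multiple sites':"
    stale_servernames "$SAMPLE_CONF" "$OLD_PRIVATE_IP" | sed 's/^/  /'
    echo "after moving them: /scripts/rebuildhttpdconf && /scripts/restartsrv_httpd"
}

report
```

Run it as-is to see the report on the sample data; to check a real restore, replace the two sample paths with `/var/cpanel/mainip` and `/etc/apache2/conf/httpd.conf` and set `NEW_PRIVATE_IP` from the instance's actual address. A count of zero stale vhosts and an "ok" main-IP record is what you want to see before rebuilding httpd.conf, because the rebuild regenerates the VirtualHosts from cPanel's per-domain records, so anything left on the old IP simply comes back.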