
Subdomains being added to clients accounts

Discussion in 'Security' started by host4profit, Jul 9, 2011.

  1. host4profit

    host4profit Member

    Feb 12, 2009

    Been dealing with an ongoing issue with a number of our clients' accounts across three different servers. These attackers are properly logging into clients' cPanel accounts (they appear to have the proper username and password). They create a sub-domain that is something like:

    and put the phishing files in that directory.

    IPs appear to be mainly concentrated to Russia and Nigeria.

    We continue to block IPs and change cPanel passwords. Some of the changed passwords, they have re-gained access to.

    We do not store the passwords in plain text on the server (at least we don't specifically, and I don't think cPanel does either).

    All computers we use to do business with run updated anti-virus and anti-spyware. We rescanned them all to ensure there are no keyloggers on any of them (all are clean).

    When the issue occurs, we change the cPanel password and let the client know about the situation. We ask them to scan their computer(s) with anti-virus and anti-spyware to ensure they are clean before sending out the new password. We've only had 1 client state they found a virus (not a keylogger) on their computer.

    This one has me stumped. Can't figure out how they are getting the login details for clients' accounts. Looking for ideas on other avenues to go with this (free or paid).

    Is there a way to filter subdomains? I.e., if a subdomain is created that meets the criteria, it won't be created (and blocking the IP in question would be a bonus).
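On the "filter subdomains" question above: cPanel's Standardized Hooks system lets a script run before an action such as subdomain creation and refuse it. The following is an added example, not code from the thread and not cPanel's own code. It assumes a "pre" stage script hook that receives a JSON payload on stdin with `data.user`, `data.args.domain`, `data.args.rootdomain` and `data.remote_ip`, and that printing `1` on the first line of stdout lets the action proceed while `0 <message>` denies it; both the payload keys and the stdout convention are recalled from the hooks documentation and must be checked against the current docs before use. The watch-lists of brand and lure tokens are constructed placeholders; the thread's actual subdomain pattern is not shown, so replace them with the labels you see being created.

```python
#!/usr/bin/env python3
"""Pre-creation filter for new subdomain names (added example, not cPanel's own code).

Intended to run as a 'pre' stage script hook on the subdomain-creation event.
The payload layout ({"data": {"user", "args": {"domain", "rootdomain"},
"remote_ip"}}) and the stdout convention in main() are assumptions recalled
from the cPanel Standardized Hooks documentation; verify before deploying.
"""
import json
import re
import sys
from ipaddress import ip_address

# Constructed watch-lists. Impersonated brand names weigh 2, generic lure
# words weigh 1. Replace these with the tokens you actually see in the wild.
BRAND_TOKENS = ("paypal", "ebay", "bankofamerica", "hsbc", "chase")
LURE_TOKENS = ("secure", "login", "signin", "verify", "update", "confirm",
               "account", "webscr", "billing")
DENY_THRESHOLD = 2  # score at or above this is refused

# RFC 1123 host label: letters, digits, hyphens; no leading/trailing hyphen.
VALID_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def subdomain_label(domain: str, rootdomain: str) -> str:
    """Strip the account's root domain, leaving only the part being created."""
    domain = domain.lower().rstrip(".")
    rootdomain = rootdomain.lower().rstrip(".")
    if domain.endswith("." + rootdomain):
        return domain[: -(len(rootdomain) + 1)]
    return domain


def phishing_score(label: str):
    """Score a label against the watch-lists; returns (score, matched tokens)."""
    flat = label.replace("-", "").replace(".", "")
    brands = [t for t in BRAND_TOKENS if t in flat]
    lures = [t for t in LURE_TOKENS if t in flat]
    score = 2 * len(brands) + len(lures)
    # Long hyphenated chains ("brand-secure-login") are a strong phishing tell.
    if label.count("-") >= 2:
        score += 1
    return score, brands + lures


def decide(payload: dict) -> dict:
    """Return {"allowed": bool, "reasons": [...], "block_ip": str or None, ...}."""
    data = payload.get("data", {})
    args = data.get("args", {})
    label = subdomain_label(args.get("domain", ""), args.get("rootdomain", ""))
    reasons = []
    for part in label.split("."):
        if not VALID_LABEL.match(part):
            reasons.append(f"invalid label {part!r}")
    score, matched = phishing_score(label)
    if score >= DENY_THRESHOLD:
        reasons.append(f"phishing score {score} from {matched}")
    allowed = not reasons
    block_ip = None
    if not allowed:
        # Hand a validated address to whatever IP blocker the operator uses;
        # an unparsable value is dropped rather than fed to a firewall rule.
        try:
            block_ip = str(ip_address(data.get("remote_ip", "")))
        except ValueError:
            block_ip = None
    return {"allowed": allowed, "reasons": reasons, "block_ip": block_ip,
            "user": data.get("user"), "label": label}


def main() -> int:
    payload = json.load(sys.stdin)
    result = decide(payload)
    if result["allowed"]:
        print("1")  # assumed convention: "1" on the first line = proceed
        return 0
    # assumed convention: "0 <message>" = deny and show the message
    print("0 subdomain rejected: " + "; ".join(result["reasons"]))
    # Structured record for the operator's log or IP-blocking script.
    sys.stderr.write(json.dumps(result) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The scoring is deliberately threshold-based so that a single generic word ("updates.example.com") still passes while a brand name combined with lure words is refused; tune `DENY_THRESHOLD` and the lists against a sample of legitimate subdomains from your own servers before enabling it. Registration is done with cPanel's `manage_hooks` utility; the exact category and event name for subdomain creation should be taken from the hooks documentation rather than guessed.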

  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Oct 2, 2010
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator

    Hello David,

    Could you open up a ticket with us the next time you run into one of these, without making any changes to the account or fixing it, simply so we can do a baseline check? You can submit a ticket using WHM > Support Center > Contact cPanel or via the link in my signature.

    Please post the ticket number here upon submitting one. The main goal here is to ensure your machine is clean. We don't provide services to manage or correct machines that have been attacked, but I'm suggesting opening a ticket simply so we can ensure there isn't any service getting exploited that we might need to know about otherwise.
