
Passwords reset on multiple accounts

Comments

4 comments

  • DanielTud
    All the accounts, even the ones for which I didn't receive a password reset email, have the database compromised! For example, on the WordPress websites all the login usernames were changed to admin. Following this
    0
  • cPWilliamL
    Hi @DanielTud, sorry to hear you are having issues with compromised accounts/passwords. I believe the accounts may have already been compromised at the application level, and the hacker has likely used this application-level access to change the contact email for the account, then used the 'reset password' function to gain access to the cPanel interface. If this is the case, you may see reset attempts at '/var/cpanel/passreset/'. You'll also see the cPanel contact email address changed for the relevant users. While restoring from a backup is a great idea, you'll also need to pinpoint how the hacker originally gained access to the application (i.e. WordPress) and patch/address that vulnerability so it doesn't occur on the new server.
    0
  • DanielTud
    Thank you for replying! I have found a suspicious file in /var/cpanel/passreset/. It is called _fake_user_12 and it was created 8 hours ago. Some other files from the same path are like .floodprotect-[accountname]_default. I have replaced the account name with []. I don't think it is WordPress-related because he also hacked some fresh websites with everything updated and max 2 plugins.
    0
  • cPWilliamL
    I'd recommend reaching out to your host or a security professional to determine exactly how the account was compromised. If it's a fresh account/website, it should be fairly easy to track. Unfortunately, we don't provide any security services; however, if you believe there is a security flaw with cPanel, please do open a ticket and provide specific details about the flaw. We'll be happy to ensure the compromise was not made via cPanel, but we can't really assist in forensics with site-code vulnerabilities/compromises.
    0
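
The directory check suggested in the thread, as an added example (not cPanel's code and not posted by either participant): it lists files in the password-reset directory that were modified in the last N hours and separates the `.floodprotect-` entries from everything else, so entries like the one reported above stand out with a timestamp. The function name and output format are assumptions, and it assumes a Linux server with GNU find and date.

```shell
#!/bin/sh
# Added example: recent-activity listing for the password-reset directory
# named in the thread. Hypothetical helper, not part of cPanel.
#
# Usage on a server:  recent_passreset /var/cpanel/passreset 24
#
# recent_passreset DIR HOURS
# Prints one line per regular file modified within the last HOURS hours:
#   <class> <mtime> <name>
# class is "floodprotect" for the .floodprotect-* files mentioned in the
# thread and "other" for any other entry, which is what to review first.
recent_passreset() {
    dir=$1
    hours=$2
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    # -mmin -N selects files whose modification time is under N minutes old.
    find "$dir" -maxdepth 1 -type f -mmin "-$((hours * 60))" | sort |
    while IFS= read -r path; do
        name=${path##*/}
        case $name in
            .floodprotect-*) class=floodprotect ;;
            *)               class=other ;;
        esac
        # date -r FILE prints the file's modification time (GNU date).
        mtime=$(date -r "$path" '+%Y-%m-%dT%H:%M:%S')
        printf '%s %s %s\n' "$class" "$mtime" "$name"
    done
}
```

The timestamps on the "other" lines give a window to compare against the web server and application logs when tracing how the account's contact email was changed.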
