Skip to main content

Suspicious Activity Errors

Comments

5 comments

  • cPanelLauren
    Hello @Talha Zahid What have you used to scan and what steps exactly have you taken already? It sounds like at this point you'd need to contact your provider or a system administrator to fully investigate/identify the source of the compromise. If you don't have a system administrator you might find one here: System Administration Services | cPanel Forums Thanks!
    0
  • Talha Zahid
    I have added the IP address to csf & cphulk block list, removed the forwarder and scanned the compromised account using maldet but found nothing suspicious in the result. What steps do you suggest.
    0
  • cPanelLauren
    Hello @Talha Zahid Are you running any CMS software such as WordPress on the account? Unfortunately, while you may have removed the malware it could still be re-added if you're continuing to use a vulnerable theme/plugin associated with the CMS software. It may be best to discuss this with your system administrator. If you don't have one you might find one here: System Administration Services | cPanel Forums Thanks!
    0
  • Talha Zahid
    Hello @cPanelLauren yes client is using CMS on their hosting account and i am pretty sure that the intrusion did not took place as per access logs. We did discussed it with our system administrator and as per their suspection the hacker has used the password for logging into the account. And for the reference they are pointing us to the following log. 41.203.xx.xx - Accounts%40xyz.com [03/10/2019:21:32:24 -0000] "POST /cpsess05248344/3rdparty/roundcube/?_task=mail&_action=refresh HTTP/1.1" 200 0 "https://xyz.com:2096/cpsess05248344/3rdparty/roundcube/?_task=mail&_mbox=INBOX" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" "s" "-" 2096
    I'm not sure if the above log suggest that the hacked authenticated the system. Besides what's making me abit upset is the error log which i posted earlier, could it be the point of entry into the cpanel - wredirect.cgi? apache2/error_log:[Mon Mar 11 02:54:53.114482 2019] [cgi:error] [pid 31267] [clien 13553] AH01215: Use of uninitialized value $ENV{"HTTPS"} in string eq at /usr/local/cpanel/Cpanel/Redirect.pm line 97.: /usr/local/cpanel/cgi-sys/wredirect.cgi
    0
  • cPanelLauren
    At this point as it's difficult to tell you specifically what's happening without the full picture, can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!
    0

Please sign in to leave a comment.