Email access compromised
I'm a server admin who has been combating a hacker for the past few weeks, and I urgently need to consult a security expert who can help me solve the mystery of how this hacker can continue to read my emails on a cPanel-hosted domain.
The hacker originally gained access through a SQL injection vulnerability and installed a bunch of PHP shells throughout the server.
I've been scanning + auditing files / upgrading + migrating domains / repeatedly changing passwords / auditing logs / etc. But I still have proof that the hacker has access to emails sent to my account hosted on this server.
Does anyone have ideas of what other ways a hacker can access my email outside of...
- http (e.g., via shells that read /home/user/mail)
- ftp (reading the /home/user/mail dir)
- ssh
- pop3/imap (requires password?)
I'd like to offer a reward of $1,000 if someone acting as a consultant can successfully help me identify precisely how this hacker is accessing my email. Please PM if you can help!
Hello, it's strongly suggested that you reload the operating system, re-install cPanel and restore. If the hacker installed various shells, the server may be root compromised, and if that's the case, no amount of scanning, auditing or upgrading is going to fix that. If you missed even one shell, the hacker can use that to gain access (and install more shells). It's a losing battle at this point. We do have a list of qualified system administrators and security experts that may be able to help.
If you restore the account to a new server but there are shells hidden, they'll still have account-level access. I would never advise a re-image (reinstall of the OS) without concrete proof of a root-level hack. PHP shells can only result in rooted servers when the kernel is old enough to have unpatched privilege escalation exploits. Otherwise, the shell is stuck with the permissions dictated by the PHP handler ("nobody" with DSO, or the vhost owner with suPHP). Unless the OP has an old kernel or other evidence of root compromise, a re-image is likely wasting their time unless they also completely remove the website content. I do, however, second the recommendation to hire a qualified administrator to analyse the situation.
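The two points the thread turns on, the OP's "shells that read /home/user/mail" vector and the second reply's observation that a PHP shell runs as "nobody" under DSO or as the vhost owner under suPHP, can be checked mechanically. The following is an added example, not code from the thread or from cPanel: a small Python audit helper that builds a throwaway, constructed account layout under a temp directory, scans the web root for PHP files containing common web-shell constructs, and then works out, from mode bits alone, which mailbox files a shell under each handler could read. The path layout (`public_html`, `mail/cur`), the handler model (owner bits for suPHP, "other" bits for DSO, ACLs ignored) and the shell indicator regexes are all assumptions made for the example.

```python
"""
Hypothetical audit helper (example code, not from the thread or cPanel).

Models the permission point from the second reply: PHP under the DSO handler
runs as 'nobody', under suPHP as the vhost owner, so whether a shell can read
/home/user/mail depends on the mode bits along that path.  Also does the kind
of file audit the OP describes: scanning the web root for PHP web-shell
indicators.  Everything here operates on a constructed sample tree.
"""
import os
import re
import stat
import tempfile

# Heuristic web-shell indicators (assumption: narrow on purpose; expect false
# positives on obfuscated-but-legitimate code and misses on better shells).
SHELL_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(rb"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(\s*\$_"),  # $_GET['f']($_GET['a'])
    re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),                  # /e modifier
]


def find_suspicious_php(docroot):
    """Return sorted relative paths of PHP-ish files under docroot matching any indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5", ".phar")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            if any(p.search(data) for p in SHELL_PATTERNS):
                hits.append(os.path.relpath(full, docroot))
    return sorted(hits)


def handler_can_read(home, target, handler):
    """
    Could PHP running under `handler` read `target` (a file under `home`)?

    'suphp' -> runs as the vhost owner, so the owner bits apply.
    'dso'   -> runs as nobody, so only the 'other' bits apply.
    Assumption: everything under `home` is owned by the account user (the stock
    cPanel layout); group bits and POSIX ACLs are ignored in this model.
    Every directory on the path needs the execute bit; the file needs the read bit.
    """
    if handler == "suphp":
        need_x, need_r = stat.S_IXUSR, stat.S_IRUSR
    elif handler == "dso":
        need_x, need_r = stat.S_IXOTH, stat.S_IROTH
    else:
        raise ValueError("handler must be 'dso' or 'suphp'")

    rel_parts = os.path.relpath(target, home).split(os.sep)
    dirs = [home] + [os.path.join(home, *rel_parts[:i]) for i in range(1, len(rel_parts))]
    for d in dirs:
        if not os.stat(d).st_mode & need_x:
            return False  # cannot traverse into this directory
    return bool(os.stat(target).st_mode & need_r)


def audit_account(home, handler):
    """Run both checks against one account home and return the findings."""
    docroot = os.path.join(home, "public_html")
    mail_root = os.path.join(home, "mail")
    exposed = []
    for dirpath, _dirs, files in os.walk(mail_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if handler_can_read(home, full, handler):
                exposed.append(os.path.relpath(full, home))
    return {"suspicious_php": find_suspicious_php(docroot),
            "mail_readable_by_php": sorted(exposed)}


def build_sample_account():
    """Construct a throwaway cPanel-like home (sample data, not a real account)."""
    home = tempfile.mkdtemp(prefix="cpanel_home_")
    os.chmod(home, 0o711)
    docroot = os.path.join(home, "public_html")
    os.makedirs(os.path.join(docroot, "wp-content", "uploads"))
    with open(os.path.join(docroot, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>\n")                          # benign
    with open(os.path.join(docroot, "wp-content", "uploads", ".cache.php"), "wb") as fh:
        fh.write(b"<?php eval(base64_decode($_POST['c'])); ?>\n")      # constructed shell
    maildir = os.path.join(home, "mail", "cur")
    os.makedirs(maildir)
    os.chmod(os.path.join(home, "mail"), 0o751)   # world-traversable directories
    os.chmod(maildir, 0o751)
    for name, mode in (("1.msg", 0o644), ("2.msg", 0o600)):
        path = os.path.join(maildir, name)
        with open(path, "wb") as fh:
            fh.write(b"From: sample@example.invalid\n")
        os.chmod(path, mode)
    return home


if __name__ == "__main__":
    acct = build_sample_account()
    for h in ("dso", "suphp"):
        print(h, audit_account(acct, h))
```

On the sample tree the DSO case can only reach the world-readable message, while the suPHP case reaches both, which is the practical meaning of the reply's "stuck with the permissions dictated by the PHP handler": under suPHP a single surviving shell in the web root is enough to read every mailbox the account owns, without any password.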