Skip to main content
We are aware of an issue with a recent Apache update that causes proxied sites to return a "421 Misdirected Request" error. Please see the following article for more information and updates:
Websites show 421 Misdirected Request error while using EA Nginx

serious problem of phishing sites

hozyali
Its been several weeks now. My cpanel server is continuously having phishing attacks. My server's ssh port is also different. I have firewall also enabled. I also had a server admin who checked, but he could not find the root cause. I suspend the users, but the phishing comes on another user next day. Please help.

Comments

5 comments

Date Votes
  • storminternet
    Generally phishing scams, injections appears when you run outdated cms, applications, weak coded scripts. In order to avoid such issues you should run updated software, plugins, themes, secure cms passwords, ftp passwords etc. In addition to this if you use modsecurity with updated rules then it should avoid such issues.
    0
  • quizknows
    [quote="storminternet, post: 1660781">Generally phishing scams, injections appears when you run outdated cms, applications, weak coded scripts. In order to avoid such issues you should run updated software, plugins, themes, secure cms passwords, ftp passwords etc. In addition to this if you use modsecurity with updated rules then it should avoid such issues.
    All good advice. Also, are you protected against cross-account symlink attacks? When I see constant phishing on servers that aren't root compromised, it's usually because of a symlink hack used to gain credentials.
    0
  • cPanelMichael
    Hello :) The following thread provides some of the options to deal with the symlink attacks mentioned in the previous post: Solutions for handling symlink attacks Thank you.
    0
  • hozyali
    Thanks all. Mod Security is already enabled on the server. However I have many users using outdated CMS. Also notified many of them, but nobody takes it serious. and I really can't upgrade their sites as it may mess up other things and we will have to spend more time fixing their sites.
    0
  • monarobase
    Install configderver cxs and put any sites offline that have been hacked. Also look for symlinks in all customers folders if you are not using cloudlinux+cagefs. If it's " symlinks attack you will have to change all mysql passwords and implement a solution so symlinks don't allow cross site access.
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post