Account hacked and suspended

Comments

  • cPanelMichael
    Hello :) It's difficult to pinpoint the specific vulnerability or exploit used by an attacker to hack your websites. One could speculate on common methods (e.g. symlink attack), but it really requires a qualified system administrator to investigate the logs on your server and determine the source of the attack. There is a thread here where a similar question is asked: Log Files To Check After Account Hacked Thank you.
    0
  • quizknows
    Changing the suspended template requires root or appropriate reseller access. If the cPanel account is owned by a reseller you may be in OK shape, but if the account is owned by root and someone managed to change that template, then your server should be considered compromised on a root level. You should migrate your sites to a new server with a clean OS installation and change all passwords. The account suspensions and template edit should be logged in the cPanel access log, unless the hacker erased the entries (which is possible with root access, but rarely is done).
    0
  • pueblosnet
    Thank you for your comments. cPanel support told me that they don't know what it was; it's like the hacker knows the root password. I'm double-checking everything, but I didn't find anything suspicious.
    0
  • quizknows
    Definitely dig deep in the logs. Best advice I can give you for now is to watch the cPanel access log (tail -f) in a terminal, and change the template yourself. You'll see the request structure, like POST /whatever/?some_action=template_change. The above is completely made up, but the point is, you'll have an entry with something defining in it. Adding e-mail accounts uses "addpop" and so on. Once you find that, then grep for that string in the log to see when the template was changed. With any luck you'll find the IP that was in there. If you do confirm unauthorized root access, again, the advice to migrate to a clean system is really the best bet.
    0
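
The log search described in the last comment, as an added example that is not part of the thread or cPanel's own tooling. It assumes an Apache-combined-style access log layout, runs on constructed sample lines, and reuses the thread's made-up marker `some_action=template_change` as a placeholder for whatever string you observe with tail -f; `marker_hits` and `hits_by_ip` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread. The log layout and the marker string are
# assumptions: replace the marker with the string you saw while watching the log.

# Constructed sample lines (assumed layout: ip - user [time zone] "METHOD path PROTO" ...).
sample_log() {
cat <<'EOF'
203.0.113.7 - root [12/Mar/2014:02:14:09 -0500] "POST /whatever/?some_action=template_change HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - reseller1 [12/Mar/2014:02:20:41 -0500] "POST /whatever/?some_action=addpop HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - root [12/Mar/2014:02:31:55 -0500] "POST /whatever/?some_action=template_change HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.15 - root [13/Mar/2014:09:02:10 -0500] "GET /whatever/?some_action=template_change HTTP/1.1" 200 0 "-" "curl/7.30"
EOF
}

# marker_hits MARKER [LOGFILE]
# Prints "ip user timestamp method path" for each request whose path contains
# MARKER. index() does a fixed-string match, so "?" and "=" need no escaping.
# Reads standard input when LOGFILE is omitted.
marker_hits() {
    awk -v m="$1" '
        index($7, m) {
            ts = $4 " " $5
            gsub(/\[|\]/, "", ts)        # strip the brackets around the timestamp
            method = $6
            sub(/^"/, "", method)        # strip the opening quote of the request
            print $1, $3, ts, method, $7
        }' ${2:+"$2"}
}

# hits_by_ip MARKER [LOGFILE]
# Counts matching requests per source IP, busiest first.
hits_by_ip() {
    marker_hits "$1" ${2:+"$2"} |
        awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' |
        sort -rn
}

# Demo on the constructed sample; pass your own access log path as the second
# argument to either function to search a real file.
sample_log | marker_hits 'some_action=template_change'
sample_log | hits_by_ip 'some_action=template_change'
```

Any hit whose timestamp does not line up with a change you made yourself is the entry to investigate, and the authenticated user column shows which account the request ran as.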