Constant hack attempts since the 16th of Feb

Jeff Dale

• February 21, 2015 11:55

So my CPanel server has been under constant attack. Phishing sites are being reported on many of our customers sites. Once We clean up one another pops up. Here is what has been done to harden the server. Installed ModSecurity and recompiled Apache with the latest stable versions. Changed to RUid Installed CXS and ran scans to find many sites hacked and it was cleaned up. Installed the ConfigServer Firewall script to help manage the attempts and block the repeated attacks. Changed all reseller passwords and increased password complexity to 65 Forced all clients to change passwords. Upgraded all scripts that were out of date using Softaculous. No users have SSH other than root and JailShell is enabled in case. Ran the security advisor in CPanel and made the appropriate corrections. Still they seem to be able to get it and make changes. I even terminated an account. Re-created it with a password of 13 random chars and just put a blank index.html page in the root and they were able to install the Dropbox script to upload files and setup a phishing site..... I'm getting at a loss for how these are happening. I'm probably overlooking something stupid..... Any suggestions would be greatly appreciated.

• 

  quizknows

  • February 21, 2015 17:13

  Take a look around for symlinks that may have been created prior to your switching to RUID2. If you didn't have symlink protection in place prior, an attacker could have used one site to gain access to all the DB passwords in wp-config.php and similar files. If at all possible I would consider rolling the accounts themselves back using any available backups to a pre-compromised state. This is generally the best bet as getting everything under control now could be a daunting task depending what's going on. Other than that... you're not using WHMCS are you? You sure your kernel is up to date?

  0
• 

  Jeff Dale

  • February 21, 2015 17:32

  Yeah I followed that document but apparently missed the checkmark in easyapache. I'm recompiling now to clean it all up.

  0
• 

  quizknows

  • February 21, 2015 18:04

  I'm pretty sure you don't need the "symlink race condition protection" patch if you're using RUID2.

  0
• 

  Jeff Dale

  • February 22, 2015 03:04

  ]I'm pretty sure you don't need the "symlink race condition protection" patch if you're using RUID2.

  0
• 

  24x7server

  • February 22, 2015 04:10

  Hello, I will suggest you please install Linux Malware Detect on your server and scan your all accounts through LMD

  0
• 

  cPanelMichael

  • February 23, 2015 16:17

  Hello :) You may want to try reviewing the domain access logs for the account that's exploited if it happens again to see if you can get a better idea of how it's happening. Thank you.

  0
• 

  shojib

  • February 28, 2015 00:35

  Go to WHM>Tweak settings> Enable EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel" jailshell. Or else your RUID2 will have no effect . Also you can try symlink race condition protection . And also, you can use Linux Malware Detect to cleanup malwares. Cheers, Shahriar

  0

Please sign in to leave a comment.