Skip to main content

Need help restoring template pages

Comments

5 comments

  • luisgflores
    UPDATE: Found the defaced "suspended account" template in /var/cpanel/webtemplates/, after replacing them with the ones in /var/cpanel/webtemplates/root, it works fine. Still need to find files for cPanel landing page ("x3" theme at least).
    0
  • luisgflores
    UPDATE: I have learned some things that might be obvious to more experienced users. First, unaffected accounts belong to one particular reseller, so the attack must have been done using one reseller's account. That is why unaffected accounts "oddly" did not have defaced cPanel/suspended pages, and also why the compromised "suspended" template was in /var/cpanel/webtemplates/ Second, what I was referring to as the "paper_lantern and x3 themes" are, in fact the "basic" and "retro" STYLES for paper_lantern. So, the behaviour I described should be updated to: I found that in the (defaced) page you can access an option to change the style, and if you select "basic" (the defauilt is "retro"), you can access all options normally. If you then switch back to "retro", the defaced page returns. However, I cannot find the right file for the "retro" style that would deface all of this reseller's accounts' cPanel main pages (as in /var/cpanel/webtemplates/ for the suspended notice). Files in /usr/local/cpanel/base/frontend/paper_lantern/styled/retro and /usr/local/cpanel/base/frontend/paper_lantern/home/retro are not compromised. Any advice?
    0
  • TerranceR
    Hello, It sounds like your server may have been root compromised, I do strongly suggest considering migrating to a New Clean Server ASAP. You can read more about why within our Documentation at
    0
  • luisgflores
    Thank you for answering. At first we thought so too, but after investigating we don't anymore: -The vulnerability only allows remote execution of code, which we think the attacker used to change that particular reseller's password and then access via whm. That's why only that reseller's accounts were affected. -There is an alarm set up to fire anytime the 'root' account logs on to WHM or SSH. It did not trigger. Anyway we finally found out that the attacker modified the "WHM & cPanel news" for that reseller. I could not find the actual files that do this, but by logging to WHM with that reseller's account we were able to delete the defacing code. I will leave this here in case someone else finds it useful.
    0
  • cPanelMichael
    Hello, I'm happy to see you were able to address the issue. Thank you for updating us with the outcome.
    0

Please sign in to leave a comment.