Yesterday during the day, one of my cPanel servers simply had most of its services disabled. My team of technicians informed me that they did not make any changes to the server settings, so I am left with two possibilities:
1 - A security hole was exploited.
2 - The cPanel application somehow caused the problem on its own.
If it was a human event, I would like to know where I can collect evidence.
The situation happened as follows:
I have received complaints from my customers that . My monitoring system also reported that the services stopped working at around 17:25 (GMT-3).
I accessed the server and noticed that almost all services were down. I also noticed that within the /etc/ directory several files appeared with the names "service+disable". Example: imapdisable. This is referenced in the printout with the name "etc-disable-services.png". Most of these files were created at the same time Jan 16 17:25.
Note: "cPHulk" has been disabled for a longer time because we use CSF/LFD as a firewall.
After noticing this, I accessed the "Service Manager" and noticed that most of the services were disabled (checkbox unchecked). See prints: "service-manager-1(2,3,4).jpg".
When I realized this, I enabled the services again and they started working normally again.
This is very strange; I don't think anyone on my team did this out of malice. I imagine that cPanel somehow disabled it (I don't know why) or there was some security hole exploited.
My cybersecurity team analyzed the integrity of my system and found no problems. What could have happened?
How can I look for clues about what happened? Is there a possibility that it was a failure of the cPanel application itself?
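One place to start looking for clues is to correlate the creation time of the `/etc/*disable` touch files with the requests WHM logged in that same minute. The script below is an added example written for this thread, not code from the original post or from cPanel. It assumes WHM's access log is at `/usr/local/cpanel/logs/access_log` and that its timestamps look like `[01/16/2024:17:25:03 -0300]`; the sample log lines and request paths inside it are constructed for illustration, so check the real paths and format on your own server before relying on it.

```shell
#!/bin/sh
# Added example (not from the original post): correlate the /etc/*disable files
# with WHM access-log requests from the same minute. Paths, log format and the
# sample request lines are assumptions/constructed, not cPanel documentation.
set -u

WHM_ACCESS_LOG=/usr/local/cpanel/logs/access_log   # assumed location

# Print name and modification time (epoch seconds) of every *disable file in DIR,
# oldest first, so you can see whether they were all touched in one burst.
list_disable_files() {
    dir="$1"
    for f in "$dir"/*disable; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(stat -c %Y "$f")" "$(basename "$f")"   # GNU stat
    done | sort -n
}

# Print every access-log request whose timestamp falls in the given minute.
# MINUTE uses the log's own layout, e.g. 01/16/2024:17:25.
whm_requests_in_minute() {
    logfile="$1"; minute="$2"
    grep -F "[$minute:" "$logfile" || true
}

# Count requests in that minute that did NOT come from a trusted source prefix
# (e.g. your team's office range). A non-zero count means someone outside that
# range was talking to WHM when the services went down.
count_foreign_requests() {
    logfile="$1"; minute="$2"; trusted_prefix="$3"
    whm_requests_in_minute "$logfile" "$minute" | grep -v -c "^$trusted_prefix" || true
}

# Usage on the affected host (minute taken from the file timestamps above):
#   list_disable_files /etc
#   whm_requests_in_minute "$WHM_ACCESS_LOG" 01/16/2024:17:25
#   count_foreign_requests "$WHM_ACCESS_LOG" 01/16/2024:17:25 198.51.100.
```

Run `list_disable_files /etc` first: if every file shares one modification time, look at `whm_requests_in_minute` for that minute and note the source IP and authenticated user of each request, then compare them against your team's known addresses. If nothing was logged in WHM for that minute, that points away from a Service Manager click and towards something on the host itself, which is where the cPanel error and chkservd logs become the next thing to read.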