Services on my cPanel server were mysteriously disabled
Yesterday during the day, one of my cPanel servers simply had most of its services disabled. My team of technicians informed me that they did not make any changes to the server settings, so I am left with two possibilities:
1 - A security hole was exploited.
2 - The cPanel application somehow caused the problem on its own.
If it was a human event, I would like to know where I can collect evidence.
The situation happened as follows:
I have received complaints from my customers that . My monitoring system also reported that the services stopped working at around 17:25 (GMT-3).
I accessed the server and noticed that almost all services were down. I also noticed that within the /etc/ directory several files had appeared with names of the form "<service>disable", for example imapdisable. These are shown in the screenshot "etc-disable-services.png". Most of these files were created at the same time, Jan 16 17:25.
Note: "cPHulk" has been disabled for a longer time because we use CSF/LFD as a firewall.
After noticing this, I opened the "Service Manager" and saw that most of the services were disabled (checkbox unchecked). See screenshots "service-manager-1(2,3,4).jpg".
When I realized this, I enabled the services again and they started working normally again.
This is very strange, I don't think anyone on my team did this out of malice. I imagine that cPanel somehow disabled it (I don't know why) or there was some security hole exploited.
My cybersecurity team analyzed the integrity of my system and found no problems. What could have happened?
How can I look for clues about what happened? Is there a possibility that it was a failure of the cPanel application itself?
That is very interesting. I don't know of anything within cPanel/WHM that would disable these automatically (or via upcp).
I'm not aware of any exploits either, but that doesn't mean there aren't any. It seems odd, though, that they would only disable services.
You can look in two places: the log files in /usr/local/cpanel/logs, in particular access_log and, if present, api.log (written when "Enable API log" is enabled in Tweak Settings).
Was this only on one cPanel server, or did it happen on multiple servers?
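Following the answer above, one way to turn the two clues in this thread (the "<service>disable" marker files in /etc and /usr/local/cpanel/logs/access_log) into a concrete check, as an added example that is not part of the original thread: take the modification time of each marker file, pull the access_log lines written in the same minute, and keep only those whose request path could change service state. The sandbox, the marker names, the log lines, the log-line format and the configureservice/srvmng request patterns are all constructed or assumed here; on a live server point the two functions at the real /etc and access_log instead of the sandbox.

```shell
#!/bin/sh
# Added example, not from the thread: correlate "<service>disable" marker
# files (as found in /etc) with the cpsrvd access_log entries written in the
# same minute, then keep only requests that could change service state.
# Everything below runs against a constructed sandbox; the log-line format
# and the "configureservice"/"srvmng" patterns are assumptions about what a
# service-state change looks like in that log. Needs GNU find/date/touch.
set -u

SANDBOX="$(mktemp -d)"
trap 'rm -rf "$SANDBOX"' EXIT
ETC="$SANDBOX/etc"          # stands in for /etc
LOG="$SANDBOX/access_log"   # stands in for /usr/local/cpanel/logs/access_log
mkdir -p "$ETC"

# Constructed marker files: four appear in the same minute, as the post
# describes; cphulkddisable is months older (cPHulk was disabled on purpose).
for svc in imap pop exim ftp; do
    : > "$ETC/${svc}disable"
    touch -d '2024-01-16 17:25:03' "$ETC/${svc}disable"
done
: > "$ETC/cphulkddisable"
touch -d '2023-12-01 09:00:00' "$ETC/cphulkddisable"

# Constructed access_log lines (assumed format: ip - user [mm/dd/yyyy:HH:MM:SS tz] "request" ...).
cat > "$LOG" <<'EOF'
203.0.113.5 - alice [01/16/2024:17:10:02 -0300] "GET /cpsess1111/webmail/ HTTP/1.1" 200 0 "" "Mozilla/5.0"
198.51.100.9 - root [01/16/2024:17:25:01 -0300] "POST /cpsess2222/json-api/configureservice?service=imap&enabled=0 HTTP/1.1" 200 0 "" "curl/7.88"
203.0.113.5 - alice [01/16/2024:17:25:30 -0300] "GET /cpsess1111/webmail/ HTTP/1.1" 200 0 "" "Mozilla/5.0"
198.51.100.9 - root [01/16/2024:17:25:02 -0300] "POST /cpsess2222/json-api/configureservice?service=exim&enabled=0 HTTP/1.1" 200 0 "" "curl/7.88"
203.0.113.7 - bob [01/16/2024:17:40:15 -0300] "GET /cpsess3333/webmail/ HTTP/1.1" 200 0 "" "Mozilla/5.0"
EOF

# Print "<epoch mtime> <name>" for every *disable marker in a directory, oldest first.
list_disable_markers() {
    find "$1" -maxdepth 1 -type f -name '*disable' -printf '%T@ %f\n' | sort -n
}

# Print the distinct minutes, in the log's timestamp notation, in which any
# marker file was last modified.
marker_minutes() {
    list_disable_markers "$1" | cut -d' ' -f1 | cut -d. -f1 |
        while read -r epoch; do date -d "@$epoch" '+%m/%d/%Y:%H:%M'; done | sort -u
}

# Every access_log line written in a minute when a marker file was modified.
log_lines_for_markers() {
    marker_minutes "$1" | while read -r minute; do
        grep -F "[$minute" "$2" || true
    done
}

# Narrow to requests that can change service state (pattern is an assumption).
service_change_requests() {
    log_lines_for_markers "$1" "$2" | grep -E 'configureservice|srvmng' || true
}

echo "Marker files:";     list_disable_markers "$ETC"
echo "Suspect requests:"; service_change_requests "$ETC" "$LOG"
```

A run that returns no request lines, which is what the poster reported, means cpsrvd did not record the change, so the next thing to compare against the marker files' modification and status-change times (stat) is whatever else can write to /etc as root: shell history, cron, and any automation with root access.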
Very strange indeed. I didn't find anything suspicious in /usr/local/cpanel/logs/access_log, just regular customer webmail logins. Unfortunately api.log was not enabled at that time.
Yes, we have approximately 24 cPanel servers and the problem occurred on only one.
Note: Another piece of information that I don't know if it's relevant, a few hours later cPanel updated from version 116.0.9 to version 116.0.10.
Below are the secure and messages logs, if you want to take a look:
LINK REMOVED
LINK REMOVED
Hello,
I've downloaded them and removed the links from your post. None of your other servers updated to 116.0.10? Just this one? I've checked our own servers that updated and we didn't see this happening.
I'll review the logs shortly when I get a chance.
I can't check them all, but at least one other server also updated this morning; the problem described above occurred only on this server.
Hello,
Then it's not likely related to an update. I also reviewed the logs, but /var/log/messages and /var/log/secure won't provide any info. If your license was purchased directly through cPanel or if you are a partner, please feel free to open a ticket with us. We'll be happy to take a look.