Scary Hack | Today we got this hack - new one?
This customer has updated WHM to version 134.0.25 and has 2FA enabled.
The server also has CSF, cPHulk, and cPGuard installed.
However, a compromise occurred where access was gained via WHM, and an API token with a reverse entry under “Manage API Tokens” was created. The token has since been removed.
It appears that some other servers have the same token present as well. Notably, servers where only a single country is whitelisted and all other countries are blocked via cPHulk do not appear to be affected. This suggests that configuring cPHulk in this way may help prevent or mitigate these types of attacks.
The customer alerted us after receiving the notifications shown in the attached image.

Hey there! The first thing I'd do is check when exactly that token was created. It's possible it could have been created before the recent security issues happened and wasn't exploited until just now.
I checked the date and time; it was May 11, 2026. So, same day.
We ran the script that was on one of your KB articles to check for compromise. Nothing was shown. Also, all accounts seem OK.
OK, after more investigation we checked all 3 datacenters (in 3 different countries) we host in, and all had the same token added at roughly the same time. All were fully updated, so it looks like the hack is affecting even the newer versions.
It seems to be some global hack that happened fast. It doesn't look like it caused damage, only that it changes the root password and adds that token in API Tokens.
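The reply above suggests checking when the token was created, and the follow-up reports the same token appearing on servers in three datacenters at roughly the same time. The script below is an added example, not code from the thread or from cPanel: it takes the JSON that `whmapi1 api_token_list --output=json` prints on each server (here replaced by constructed sample output; the field layout `data.tokens` keyed by token name, with `name`, `create_time` as a Unix epoch, `whitelist_ips` and `acls`, is assumed from the WHM API 1 documentation) and reports tokens created on or after a cutoff, token names shared across servers with the spread of their creation times, and tokens with no IP whitelist. Hostnames and timestamps are made up.

```python
"""Cross-server audit of WHM API tokens (added example, not from the thread)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the output of `whmapi1 api_token_list --output=json`
# captured on three servers. Hostnames and epochs are invented; the JSON shape
# is assumed from the WHM API 1 documentation for api_token_list.
SAMPLE_OUTPUTS = {
    "dc1.example": json.dumps({
        "metadata": {"command": "api_token_list", "result": 1, "reason": "OK", "version": 1},
        "data": {"tokens": {
            "backup-agent": {"name": "backup-agent", "create_time": 1700000000,
                             "expires_at": 0, "whitelist_ips": ["203.0.113.10"], "acls": ["all"]},
            "support-token": {"name": "support-token", "create_time": 1778520000,
                              "expires_at": 0, "whitelist_ips": [], "acls": ["all"]},
        }},
    }),
    "dc2.example": json.dumps({
        "metadata": {"command": "api_token_list", "result": 1, "reason": "OK", "version": 1},
        "data": {"tokens": {
            "deploy": {"name": "deploy", "create_time": 1690000000,
                       "expires_at": 0, "whitelist_ips": ["198.51.100.7"], "acls": ["create-acct"]},
            "support-token": {"name": "support-token", "create_time": 1778520300,
                              "expires_at": 0, "whitelist_ips": [], "acls": ["all"]},
        }},
    }),
    "dc3.example": json.dumps({
        "metadata": {"command": "api_token_list", "result": 1, "reason": "OK", "version": 1},
        "data": {"tokens": {
            "monitoring": {"name": "monitoring", "create_time": 1695000000,
                           "expires_at": 0, "whitelist_ips": ["192.0.2.44"], "acls": ["list-accts"]},
            "support-token": {"name": "support-token", "create_time": 1778520900,
                              "expires_at": 0, "whitelist_ips": [], "acls": ["all"]},
        }},
    }),
}


def parse_tokens(raw_json):
    """Turn one server's api_token_list JSON into a list of token dicts with UTC timestamps."""
    doc = json.loads(raw_json)
    if doc.get("metadata", {}).get("result") != 1:
        raise ValueError("api_token_list did not succeed: %s" % doc.get("metadata", {}).get("reason"))
    tokens = doc.get("data", {}).get("tokens", {}) or {}
    parsed = []
    for key, tok in tokens.items():
        parsed.append({
            "name": tok.get("name", key),
            "created": datetime.fromtimestamp(int(tok["create_time"]), tz=timezone.utc),
            "whitelist_ips": list(tok.get("whitelist_ips") or []),
            "acls": list(tok.get("acls") or []),
        })
    return parsed


def audit(outputs, since):
    """Correlate token lists from several servers against an incident cutoff time."""
    recent = {}                    # host -> names created at or after `since`
    unrestricted = {}              # host -> names with no IP whitelist
    seen_on = defaultdict(dict)    # name -> {host: creation time}
    for host, raw in outputs.items():
        toks = parse_tokens(raw)
        recent[host] = sorted(t["name"] for t in toks if t["created"] >= since)
        unrestricted[host] = sorted(t["name"] for t in toks if not t["whitelist_ips"])
        for t in toks:
            seen_on[t["name"]][host] = t["created"]
    # A token name present on more than one server, plus how far apart the
    # creation times are (in seconds); a small spread points at a scripted campaign.
    shared = {n: sorted(h) for n, h in seen_on.items() if len(h) > 1}
    spread = {n: int((max(h.values()) - min(h.values())).total_seconds())
              for n, h in seen_on.items() if len(h) > 1}
    return {"recent": recent, "shared": shared, "spread": spread, "unrestricted": unrestricted}


def format_report(result):
    lines = []
    for host, names in sorted(result["recent"].items()):
        lines.append("%s: created since cutoff: %s" % (host, ", ".join(names) or "none"))
    for name, hosts in sorted(result["shared"].items()):
        lines.append("shared token %r on %s (creation spread %ds)"
                     % (name, ", ".join(hosts), result["spread"][name]))
    for host, names in sorted(result["unrestricted"].items()):
        if names:
            lines.append("%s: no IP whitelist: %s" % (host, ", ".join(names)))
    return "\n".join(lines)


if __name__ == "__main__":
    cutoff = datetime(2026, 5, 11, tzinfo=timezone.utc)  # the day reported in the thread
    print(format_report(audit(SAMPLE_OUTPUTS, cutoff)))
```

To use it against real servers, capture `whmapi1 api_token_list --output=json` on each host and feed the raw strings in place of the sample dictionary; revoke anything the report flags with `whmapi1 api_token_revoke` and treat a token that has no whitelist and the `all` ACL as root-equivalent.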
If you'd like us to take a look you can always create a ticket, but it wouldn't have been the same attack vector as the earlier compromises.