cpanel whm server invation

[Quintanilha-RJ]

Good afternoon dear friends!

I currently have three dedicated servers and I'm having the same problem on three servers.

The server is being hacked and the folder and files are being added to the cpanel user accounts, my server is properly configured with cpanel plus cloudlinux

the ports open on the server are as follows:

20,21,2250,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,3306

port 2250 is a custom port for ssh connection

ConfigServer Security and Firewall and cpguard configured on the server but both are not solving my problem.


Friends here on the forum would have any ideas or help that could help me solve this.

 

[cPRex]

Hey there! It would likely be worth opening a ticket with our team, as any investigation without seeing the server is really just guessing.

If the files and directories you are seeing created are owned by the cPanel user, that would indicate the compromise is at the user level, and not the root level of the server, so at least that is good news. This is often a problem caused by keylogging software on customer machines, as passwords get stolen when that user logs into cPanel and sent to the hacker so they can acces the account.

If you submit a ticket to our team we can at least rule out common root compromises, and we also may be able to point you in the right direction as to what the original source of the compromise was.

 

[Quintanilha-RJ]

The problem is not just one server, but three servers, and not in a specific user account, but in several user accounts, files are being added and files are also being deleted from the end users. this is my preoccupation. could there be some command that i could check these envations.

 

[cPRex]

Sure, but it would still be best to look at one of the machines to see if we can determine a cause, as it's extremely unlikely to be related to the cPanel tools.

It's also possible a tool such as WordPress has experienced a compromise, either through a plugin or through a tool like AnonymousFox: https://support.cpanel.net/hc/en-us...hat-is-the-anonymousfox-address-on-my-system-

 

[plesk4lyf]

Quintanilha-RJ,

The firewall isn't going to help with exploits of this nature at all, because they're using the services to perform the exploits.

It's most likely that website code/CMS/plugins are outdated and have holes that are able to be exploited.

You should always keep the code up-to-date so security holes are patched. If it's shared hosting and you don't have that level of control over it, then I recommend looking at:

IMUNIFY360 IS A COMPREHENSIVE SECURITY SUITE FOR LINUX WEB SERVERS

Imunify Security is the best security solution for linux servers. Keep your servers safe and running and leave all anti-malware activities to Imunify360.

www.imunify360.com

Imunify360 is a all-in-one product. It includes virus/exploit scanning and web application firewall (WAF) rules.

For just exploit scanning, you can look at:

ConfigServer eXploit Scanner (cxs) – ConfigServer Services

configserver.com

There's no easy fix or silver bullet to prevent exploits on sites.

 

[Camilo Herrera]

They are using the cpanel user and password on each account to upload the files, check the last IPs that accessed the cpanel interface (.lastlogin file on the root folder). It may be a phishing attack and users just gave the password away to a malicious e-mail message. Enable 2FA on the accounts, change passwords and install a malware protection software on your servers, CXS is the best regarding price/performance and features

 

[Quintanilha-RJ]

I installed CXS on my server to avoid phishing attacks though it has gone down a lot but I still have this problem on 3 cpanel servers.

I've been thinking about changing the /home/usuario partition on my server, that would make the path not standard and thus inhibit such virus action.

If this is a solution how do I apply it to touch the /home/user partition for example /server/user.

The problems I have are password changes, files with permission changed and file inclusion in the cpanel panel to send the end user to another web address

I thank you for your help.

 

[cPRex]

I don't think changing the path would help with this situation. The user content would just be moved to a different folder. It's probably best to work with a system administrator to help get this fixed with how long this has been happening.

 

[Quintanilha-RJ]

this has been happening for some time but it is getting more complicated every day, server being invaded and with .php .html files thus leaving sites offline, and the biggest consequence is the datacenter sending abuse notifications and even risk of shutting down my server!