Operating System & Version: cpanel plus cloudlinux
cPanel & WHM Version: 100.0.12
Original poster (Rio de Janeiro, Apr 9, 2022, cPanel Access Level: Root Administrator)
Good afternoon dear friends!

I currently have three dedicated servers and I'm having the same problem on three servers.

The server is being hacked, and folders and files are being added to the cPanel user accounts; my server is properly configured with cPanel plus CloudLinux.

The ports open on the server are as follows:

20,21,2250,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,3306

Port 2250 is a custom port for the SSH connection.

ConfigServer Security and Firewall and cPGuard are configured on the server, but neither is solving my problem.


Would friends here on the forum have any ideas or help that could help me solve this?
cPRex (Jurassic Moderator, Staff member, Oct 19, 2014, cPanel Access Level: Root Administrator)
Hey there! It would likely be worth opening a ticket with our team, as any investigation without seeing the server is really just guessing.

If the files and directories you are seeing created are owned by the cPanel user, that would indicate the compromise is at the user level, and not the root level of the server, so at least that is good news. This is often a problem caused by keylogging software on customer machines, as passwords get stolen when that user logs into cPanel and are sent to the hacker so they can access the account.

If you submit a ticket to our team we can at least rule out common root compromises, and we also may be able to point you in the right direction as to what the original source of the compromise was.
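As an added example (not code from this thread, from cPanel or from cPRex), the POSIX shell script below performs the triage the reply above implies: it lists .php/.html/.htm files under one account's home directory that changed in the last few days, together with their owner, and separately lists any file in that home not owned by the account user. Files owned by the cPanel user point to stolen credentials or a vulnerable web application; files owned by root or another account would be the much worse sign. The sample home directory is constructed inside the script, and `find -printf` is assumed to be GNU find, as on CentOS/CloudLinux.

```shell
#!/bin/sh
# Added example: triage one cPanel home directory for recently modified web
# files and report who owns them. The sample tree is constructed below.

# recent_web_files HOME_DIR [DAYS]
# prints "owner<TAB>mtime<TAB>path" for .php/.html/.htm files modified within DAYS (default 7)
recent_web_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -mtime "-${2:-7}" -printf '%u\t%TY-%Tm-%Td %TH:%TM\t%p\n' 2>/dev/null | sort
}

# foreign_owned_files HOME_DIR ACCOUNT_USER
# prints "owner<TAB>path" for every file under HOME_DIR NOT owned by ACCOUNT_USER
# (a name or a numeric uid); on a healthy account this list is empty
foreign_owned_files() {
    find "$1" -type f ! -user "$2" -printf '%u\t%p\n' 2>/dev/null | sort
}

# count_lines: number of non-empty lines on stdin (prints 0 instead of failing)
count_lines() { grep -c . || true; }

# make_demo_home: build a constructed sample home with one fresh script and one old page
make_demo_home() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/wp-content/uploads"
    printf '<?php /* constructed sample */ ?>\n' > "$d/public_html/wp-content/uploads/x.php"
    printf '<html><body>site</body></html>\n' > "$d/public_html/index.html"
    # backdate the legitimate page so it falls outside the recent window
    touch -t 202201010000 "$d/public_html/index.html"
    echo "$d"
}

demo=$(make_demo_home)
owner=$(id -un 2>/dev/null || id -u)
echo "Web files modified in the last 7 days under $demo:"
recent_web_files "$demo" 7
echo "Files under $demo not owned by $owner (expect none):"
foreign_owned_files "$demo" "$owner"
rm -rf "$demo"
```

On a real server you would run `recent_web_files /home/ACCOUNT 7` and `foreign_owned_files /home/ACCOUNT ACCOUNT` as root for each account, and keep the output alongside the .lastlogin and access-log review before opening the support ticket.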

Original poster (Rio de Janeiro, cPanel Access Level: Root Administrator)
The problem is not just one server, but three servers, and not one specific user account, but several user accounts: files are being added, and files are also being deleted from the end users. This is my concern. Could there be some command with which I could check these invasions?

plesk4lyf (Active Member, PartnerNOC, May 21, 2018, Sydney, cPanel Access Level: Root Administrator)
Quintanilha-RJ,

The firewall isn't going to help with exploits of this nature at all, because they're using the services to perform the exploits.

It's most likely that website code/CMS/plugins are outdated and have holes that are able to be exploited.

You should always keep the code up-to-date so security holes are patched. If it's shared hosting and you don't have that level of control over it, then I recommend looking at:

Imunify360 is an all-in-one product. It includes virus/exploit scanning and web application firewall (WAF) rules.

For just exploit scanning, you can look at:

There's no easy fix or silver bullet to prevent exploits on sites.

Member from Colombia (Feb 22, 2017, cPanel Access Level: Root Administrator)
They are using the cPanel user and password on each account to upload the files; check the last IPs that accessed the cPanel interface (.lastlogin file on the root folder). It may be a phishing attack, and users just gave the password away to a malicious e-mail message. Enable 2FA on the accounts, change passwords and install malware protection software on your servers; CXS is the best regarding price/performance and features.
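The check suggested above can be scripted across every account at once. The POSIX shell below is an added example, not code from this thread or from cPanel: it reads each `BASE/*/.lastlogin`, counts the distinct source addresses per account and prints them most frequent first, so a login from an unexpected address or country stands out. It assumes each line of .lastlogin starts with an IP address and that anything after `#` is a timestamp comment (an assumption about the file format; adjust the parsing if your version differs). The sample files use RFC 5737 documentation addresses and are constructed inside the script.

```shell
#!/bin/sh
# Added example: summarise the source addresses recorded in cPanel .lastlogin files.

# lastlogin_ips FILE -> prints "count ip" pairs, most frequent first
# (assumes one entry per line starting with the address; '#' starts a comment)
lastlogin_ips() {
    sed 's/#.*//' "$1" | awk 'NF { print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# distinct_ips FILE -> number of distinct addresses in one .lastlogin file
distinct_ips() { lastlogin_ips "$1" | grep -c . || true; }

# lastlogin_report BASE_DIR -> one "== account" header per BASE_DIR/*/.lastlogin,
# followed by that account's address summary (run as root with BASE_DIR=/home)
lastlogin_report() {
    base="$1"
    for f in "$base"/*/.lastlogin; do
        [ -f "$f" ] || continue
        acct=$(basename "$(dirname "$f")")
        echo "== $acct"
        lastlogin_ips "$f" | sed 's/^/   /'
    done
}

# make_demo_home: constructed sample accounts with documentation-range addresses
make_demo_home() {
    d=$(mktemp -d)
    mkdir -p "$d/alice" "$d/bob"
    printf '%s\n' '192.0.2.10 # 2022-04-01 09:12:00 +0000' \
                  '192.0.2.10 # 2022-04-03 18:40:10 +0000' \
                  '198.51.100.7 # 2022-04-08 03:05:44 +0000' > "$d/alice/.lastlogin"
    printf '%s\n' '203.0.113.5 # 2022-04-05 11:00:00 +0000' > "$d/bob/.lastlogin"
    echo "$d"
}

demo=$(make_demo_home)
lastlogin_report "$demo"
rm -rf "$demo"
```

An address that appears once, from a different network than the account's usual ones, shortly before the files changed is the entry to correlate with the cPanel and web server access logs; it does not by itself prove which machine leaked the password, which is why the reply pairs this check with a password reset and 2FA.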

Original poster (Rio de Janeiro, cPanel Access Level: Root Administrator)
I installed CXS on my server to avoid phishing attacks; although it has gone down a lot, I still have this problem on 3 cPanel servers.

I've been thinking about changing the /home/usuario partition on my server; that would make the path non-standard and thus inhibit such virus action.

If this is a solution, how do I apply it to move the /home/user partition to, for example, /server/user?

The problems I have are password changes, files with permissions changed, and file inclusion in the cPanel panel to send the end user to another web address.

I thank you for your help.

cPRex (Jurassic Moderator, Staff member)
I don't think changing the path would help with this situation. The user content would just be moved to a different folder. It's probably best to work with a system administrator to help get this fixed, given how long this has been happening.

Original poster (Rio de Janeiro, cPanel Access Level: Root Administrator)
This has been happening for some time, but it is getting more complicated every day: the server is being invaded and .php and .html files are added, leaving sites offline, and the biggest consequence is the datacenter sending abuse notifications and even the risk of shutting down my server!