Cpanel Hacked :: Your Security...Get DoWn
			Feb 25, 2008
				When I try to access my CPanel, I get the following error message
r00t-x...here ]
 
your Security...Get DoWn
sorry .. 
 
YOU ARE OWNED! 
#my Email 
:: Members::
HaCkeR Al-MaDiNaH~_~eVil CeLL  
 
Is it a problem with my account, or a server problem? Is there anything I can do to prevent this problem? Mods, please remove anything which is not as per TOS.
	
    	
        May 8, 2007
        I normally hang out in the web design area, so if there is a related thread, please point me there.
I have been hosting a very small site with, what I thought, was a respectable local company. This morning I went to my home page and guess what - my friendly neighbourhood hacker paid me a visit. Gone (commented out) is my home page content, replaced with the following text: 
I would like to report that your site is highly compromisable. Please review your hosts security settings. I would recommend changing though, they are a piece of ****. 
(I have not deleted anything. the original page is commented out but is still located in this file.) 
This security message has been brought to you by Scorpian & AV.
How do I deal with this? If I get no response from my current hosting company on how someone got hold of my ftp password, I want to move my site, but how do I know the next company has better security measures? And what should these security measures include? Any tick lists out there for testing domain host's security?
    	
        May 20, 2009
        My cpanel is hacked. My server provider has given me a warning to resolve it in 24 hours or they will shut it down. I logged in and removed text files from /tmp/
Now how should I find which domain was used for this?
I am running Cpanel 11 for Linux.
10.1.1.10 - - [17/May/2009:19:32:42 +0000]"GET /index3.php?f=../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 403 501 "-""libwww-perl/5.810" (malwarecomplaints.info) "-"
10.1.1.10 - - [17/May/2009:19:32:42 +0000]"GET /phpBB3/index.php?f=10/index3.php?f=../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 403 507 "-""libwww-perl/5.810" (malwarecomplaints.info) "-"
10.1.1.10 - - [17/May/2009:19:32:43 +0000]"GET /index3.php?f=../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 403 501 "-""libwww-perl/5.810" (malwarecomplaints.info) "-"
10.1.1.10 - - [17/May/2009:19:32:43 +0000]"GET /phpBB3/index3.php?f=../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 403 508 "-""libwww-perl/5.810" (malwarecomplaints.info) "-"
10.1.1.10 - - [17/May/2009:19:32:43 +0000]"GET /phpBB3/index3.php?f=../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 403 508 "-""libwww-perl/5.810" (malwarecomplaints.info) "-"
    	
        Jun 11, 2007
        Last night I checked the bandwidth usage on one of my sites, only to find a different last IP in cPanel. The person who did this changed my index page to a page saying it had been hacked, and changed all my moderators'/admins' ranks to a guest, so that means he has accessed phpMyAdmin too.
I'm wondering if anyone knows anything that will help avoid future hacks, and also where I go about getting his ISP to remove his internet connection for hacking. I have a confession from him in email about the hacking. I have banned his IP from cPanel, but anyone could change their IP, and I can't exactly ban his entire country from the server.
    	
        Apr 24, 2007
        I got an email from our rather new VPS server (all headers seem to show it's really from our IP) where an account was created by root and deleted 30 minutes later?!
Is there a cpanel loophole?
What should we do next?
+===================================+
| New Account Info                  |
+===================================+
| Domain: z0ne-h.com
| Ip: 72.xxx.xxx.xxx (y)
| HasCgi: y
| UserName: vampire
| PassWord: 0123969469
| CpanelMod: x
| HomeRoot: /home
| Quota: 10000 Meg
| NameServer: ns1.xxxxxxxxx.net
| Contact Email: only.vampire@gmail.com
+===================================+
Account was setup by: root (root)
    	
        Mar 26, 2008
        My server was hacked, and when I try to log in to cpanel, after entering the username and password it shows the hacked page.
Help me to change the cpanel page.
And what section should I check?
    	
        Oct 1, 2006
        Somewhere on my cpanel server a script has been able to be used by a spammer and I'm now getting tonnes of returned mails from AOL etc. 1000s are coming in every hour.
I think I have found the culprit, but I can't be sure. How can I find out for sure which script this was? The email headers don't even show the user from what I can see!
    	
        Jan 24, 2008
        I just signed up for a shared hosting plan that uses cpanel and got a simple page up and running with no problems. I need to know if there are any steps I need to take as far as security. I have read info about password protecting directories but I'm not sure if that needs to be done on directories that are already there, like /etc /mail /accesslogs, or just ones that I create, like /myimages for example.
I don't have visitors yet and don't think I will for awhile but would still like to take all precautions early and get them out of the way.
    	
        May 10, 2007
        How do I stop the common cpanel/whm "domain mismatch" security warning popup for good WITHOUT the need to install a server hostname certificate and access through that?
Is there a way to save the cert in the browser? I could not find that option and I am using Firefox 2.
    	
        May 8, 2007
        I've noticed our cpanel still uses phpmyadmin 2.9.0.2, but there is a serious XSS issue in versions up to 2.10.0.
How can I install the new 2.10.1 around cpanel without it being overwritten?
[url]
    	
        Aug 30, 2007
        Just have some questions regarding server settings and security:
1) What will happen if
Open_basedir in php.ini is changed to  
Open_basedir = /home:/tmp 
?
2) What will happen if all hosted users in the passwd file are set to /sbin/nologin?
Does it affect running the web site?
What are the effects if
Sync if set to /sbin/nologin            default is /bin/sync    
shutdown if set to /sbin/nologin        default is /sbin/shutdown
halt if set to /sbin/nologin            default is /sbin/halt
news if set to /sbin/nologin            default is empty
netdump if set to /sbin/nologin         default is /bin/bash 
Mysql if set to /sbin/nologin           default is /bin/bash 
mailman if set to /sbin/nologin         default is /bin/bash 
cpanel if set to /sbin/nologin          default is /bin/bash
3) How to make /bin/bash in the passwd file the default path for each new user added (automatically) in a cpanel/whm server?
4) What is the effect if base64_encode and base64_decode are added to disable functions?
5) How to secure host.conf and nsswitch.conf to prevent DNS lookup poisoning and also provide protection against spoofs?
6) How to secure the system configuration file sysctl.conf  to prevent the TCP/IP stack from syn-flood attacks?
7) What is ClamAV and how to disable it?
    	
        Apr 4, 2008
        I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.  
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache".  This makes sense as it is the apache service running PHP that is actually creating the files.  
However, when he FTP's into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site.  Any help would be much appreciated.  
Also, does anyone know how to change the owner/group of a directory and all of its subdirectories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as opposed to 0755) than its parent, but if I do a top-down user/group change on the folder it will change everything in that folder to 0755.
    	
        Dec 4, 2008
        I just signed up for dedicated server at Softlayer with cPanel, mySQL and CentOS. I'm moving a site that is on a VPS with WHM. I know that cPanel has a transfer site feature. 
I was considering hiring a service to migrate my site and to harden my server. Is this necessary or should I simply move it via cPanel? Things are tight and I don't want to incur an unnecessary cost if I don't have to. I defer to the members here at WHT for your recommendations.
    	
        Apr 22, 2008
        I've been all over the Net trying to find a solution to the 'mismatched' certificate error when a user tries to access cPanel.
I'm on a VPS and have discovered that if I use [url] that Firefox (bless them) doesn't pop up with a warning. It will if I use my Shared IP like [url]
IE7 on the other hand (may the wrath of Khan be on its head) displays its egregious Red Seal with a warning that Kafka would have a hard time outdoing.
So here's the question with an IE7 gotcha:
Do I purchase a WildCard cert for "hostname.com" so that when a user tries to access cPanel via my.hostname.com they won't get a warning from IE? I've been all over the M$ IE forum and I couldn't find anyone that has a workaround for a shared SSL. I'm concerned now, that even a WildCard cert won't fix the IE problem.
    	
        Apr 3, 2008
        I am renting a 384mb Plesk VPS, have 1 client website on it, and it was hacked. Someone set up a new user with root access and was attacking other networks including dictionary attacks. My host has cleaned up the mess. I suspect access was gained thru a weak password choice or thru a Wordpress hack.
The client website ran a php/mysql survey script sometimes with 20-25 simultaneous users, and about 5-10% were unable to complete the survey due to screen freeze up or time outs. I'm trying to get to the bottom of these errors and know that some of the problems were client side but could the attacks also have affected connectivity & website performance?
    	
        Aug 5, 2009
        2 days ago I noticed my cpanel hard disk usage was a lot more than it should be. After looking around I found out my inbox was 400mb (82143) emails!! I don't use any of the cpanel email because I have them set to forwarding. All the emails are spam, and I discovered a few emails using my domain (that I did not create) that are valid, and when I email them it reaches this cpanel inbox.
So how bad is it? Have I been completely compromised, or has someone managed to get some type of spamming access only?
    	
        Feb 5, 2008
        I have a server with about 100 domains on it in Plesk.  I have about 10 or so clients that pay me a pittance to host their site and the rest are various domains that have been parked.
About a week ago we received a "too many connections" error when accessing Plesk.  This is our server and it sits at The Planet (formerly EV1).  I cranked up the mx connections to 1,100 or so following some web tutorial but I'm really a complete idiot when it comes to this server stuff.  (I'm more of a php / html kind of guy).  
I check out logs and it appears that someone has been trying to access a bunch of celebrity images that shouldn't exist on our server.  It's clearly spam of some kind.  I can't seem to actually find these images on my server anywhere, but I've got a feeling that foul play has been involved.
    	
        Feb 4, 2007
        Well, this is rather weird. I can't tell if this is a server error, or a hack.
Basically the contents of the thumbnail directories for videos, games and pictures were deleted, at 3pm today (according to the ftp time stamp). All those folders were chmodded 777, to allow PHP to upload the images into them. 
    	
        Jul 23, 2007
        My cpanel server has an intruder who brought all the sites down. I did my best to harden the server a year or so ago, but...
I got an email from one of my scripts:
SUBJECT: [hackcheck] kill has a uid 0 account
IMPORTANT: Do not ignore this email.
This message is to inform you that the account kill has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.
To say the least, the server was compromised. I cannot find the user "0" or "kill" in WHM, but under "Wheel Group Users" "kill" is listed under "Add a user to the wheel group."
Any help or insight would be appreciated! Anyone proficient at hardening servers and exorcising hackers?
I uploaded the latest chkrootkit and ran it.  The results say it's clean.