  1. #1

    My Cpanel accounts hacked

    My two cPanel/WHM accounts have been hacked using some cPanel vulnerability ... I think. To reduce the risk of attack I'm maintaining Joomla sites in a different account. In one account's home directory a dasher.php was placed, while in the other LICESNE.php was placed.

    The attack has come from IP : (may be

    You can see that an infection dasher.php was uploaded. (Please search for dasher.php in this file.)

    I've changed the login name, my server IP etc in this log file

    Can someone help me understand what these access_log lines refer to? How come the attacker came to know about my two login names?

    What is the meaning of this line: - - [10/26/2013:16:10:16 -0000] "GET /cpsess8929756881/login/?session=first-login:0fQ2fFlhwKcJBc1yWUDzI2nu0Oe69OOVNEU0ZLxU1nq2ApjxMgyrMOOEXz8RfNBd,90c940803c0b94e7540021bd26362b836c5b991b3fd5c7f3bd482f1e497e71fa HTTP/1.1" 301 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0" "-"

  2. #2
    Join Date
    Aug 2011
    I have a feeling it might have been via an exploit in Joomla or some other script you are running (a plugin for Joomla maybe?).

    (1)"GET /cpsess8929756881/login/?session=first-login:0fQ2fFlhwKcJBc1yWUDzI2nu0Oe69OOVNEU0ZLxU1nq2ApjxMgyrMOOEXz8RfNBd,90c940803c0b94e7540021bd26362b836c5b991b3fd5c7f3bd482f1e497e71fa
    (2) HTTP/1.1" 301 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0" "-"
    1. The first one looks like a login request.
    2. listaccts refers to the cPanel API, which will list all the accounts on cPanel.
    (I could be wrong here)

    Are you using the most up to date version of Joomla and any related plugins etc?

  3. #3
    One account is hosting Joomla while the other hosts Drupal, MyBB, phpBB. Due to security measures the infection did not run and I was notified. Since the malicious code was placed directly in the home dir of the two accounts, I suspect it could be using some cPanel vulnerability.

    But how come my two account names were leaked!

  4. #4
    Can anybody help me with this url which contains infection named dasher.php: - first-login [10/26/2013:16:10:38 -0000] "GET /cpsess8929756881/frontend/x3/filemanager/live_statfiles.xml?files=%2fhome%2ffirst-login%2fpublic_html%2fdasher.php HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0" "-"
    first-login is my cpanel account name.

  5. #5
    Proper mod_security rules can help you deal with these exploits.

  6. #6
    trace the time stamps on any out of place/malicious files (dasher.php). see if you can match them up in log files (ftp, access, cpanel, etc). you'll typically find more files. if you're lucky and your logs haven't rotated then you may just find the vulnerability.

    there is always the possibility of the accounts being compromised outside of the server. run a virus scan and double check yourself with another type of scan like malwarebytes or combofix. this assuming you aren't utilizing passwords that someone could crack with your average dictionary attack.
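
The timestamp matching described in the post above, as an added example (not part of any poster's reply and not cPanel's own tooling): it parses access_log lines in the layout quoted in this thread and returns requests that name the suspicious file or fall near its modification time, plus other activity from the same client IPs. The sample lines, IPs, session ids, the index.html and cache.php paths, and the mtime are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Layout of the access_log lines quoted in this thread:
# ip - user [MM/DD/YYYY:HH:MM:SS -0000] "METHOD url HTTP/x" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample: documentation IPs, made-up session ids and cache.php.
SAMPLE_LOG = '''\
198.51.100.7 - first-login [10/26/2013:09:02:11 -0000] "GET /cpsess1111111111/frontend/x3/index.html HTTP/1.1" 200 0 "" "UA" "-"
203.0.113.9 - - [10/26/2013:16:10:16 -0000] "GET /cpsess8929756881/login/?session=first-login:EXAMPLE HTTP/1.1" 301 0 "" "UA" "-"
203.0.113.9 - first-login [10/26/2013:16:10:38 -0000] "GET /cpsess8929756881/frontend/x3/filemanager/live_statfiles.xml?files=%2fhome%2ffirst-login%2fpublic_html%2fdasher.php HTTP/1.1" 200 0 "" "UA" "-"
203.0.113.9 - first-login [10/26/2013:16:31:02 -0000] "GET /cpsess8929756881/frontend/x3/filemanager/live_statfiles.xml?files=%2fhome%2ffirst-login%2fpublic_html%2fimages%2fcache.php HTTP/1.1" 200 0 "" "UA" "-"
truncated or rotated garbage line
'''

def parse(log_text):
    """Yield one dict per parseable line, with a percent-decoded URL."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the layout
        e = m.groupdict()
        e["time"] = datetime.strptime(e.pop("ts"), "%m/%d/%Y:%H:%M:%S %z")
        e["url"] = unquote(e["url"])
        yield e

def correlate(log_text, file_path, file_mtime, window=timedelta(minutes=5)):
    """Return (hits, related): requests naming file_path or falling within
    `window` of its mtime, then everything else from the same client IPs."""
    events = list(parse(log_text))
    hits = [e for e in events
            if file_path in e["url"] or abs(e["time"] - file_mtime) <= window]
    ips = {e["ip"] for e in hits}
    related = [e for e in events if e["ip"] in ips and e not in hits]
    return hits, related

if __name__ == "__main__":
    # In practice take the mtime from os.stat(); this value is constructed.
    mtime = datetime(2013, 10, 26, 16, 10, 35, tzinfo=timezone.utc)
    hits, related = correlate(
        SAMPLE_LOG, "/home/first-login/public_html/dasher.php", mtime)
    for e in hits + related:
        print(e["time"].isoformat(), e["ip"], e["user"], e["url"])
```

Matching on the file path as well as the time matters because a file's mtime can be changed after upload; the `related` list is where additional dropped files tend to show up.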

  7. #7
    Join Date
    Oct 2013
    Sad to hear that. Is it a security hole or something you did or did not do?

  8. #8
    Join Date
    Feb 2006
    Kepler 62f
    Did anything get into cPanel, or just domains?

  9. #9
    Originally posted by rag_gupta:
    Can anybody help me with this url which contains infection named dasher.php:

    first-login is my cpanel account name.
    I believe someone directly logged in to your cPanel and uploaded the file using the cPanel file manager. It looks like your cPanel password is compromised. I also suggest you check the email account which you are using with your host. If your primary email account is compromised, they may get the login details from your archived emails.
