cPanel server got hacked: All php files deleted

Portal Home > Knowledgebase > Articles Database > cPanel server got hacked: All php files deleted

Posted by kikloo, 11-17-2014, 02:59 AM
Hi, Today my cpanel server got hacked and all php files from almost all the accounts were deleted. I had instaleld CloudLinux, CXS, CSF, modSecurity etc. but nothing prevented the hack. The hacker injected some code over all the php files and then they got deleted. I fail to understand if an account is hacked, then the hacker should be limited to that account and should not be able to spread the attack to other accounts. Whats the point of install all these softwares which do nothing really ? CageFS is suppose to limit the access but it did'nt and it was enabled for all the accounts. CXS is now sending me 100's of emails after the attack, not before. I really don't know what is going on. I managed to extract the hacker's code from one of the php files. I don't understand how hacker managed to get the hack injected into all the php files into almost all the accounts. CXS detect's them now but did nothing to stop etc. Cagefs let it spread from account to account. CloudLinux is hoax i guess. cpanel security advisor shows everything is fine CSF basic check shows everything is fine mod secuirty shows some injections but i guess i did'nt stop it. Here's the code: <> Tried to run it in xampp but nothing outputs. Thanks. Last edited by anon-e-mouse; 11-17-2014 at 03:45 AM.
Posted by netgremlin, 11-17-2014, 03:21 AM
Hi, Was this on WordPress sites?
Posted by TheSHosting, 11-17-2014, 03:27 AM
Have you scanned the accounts ? Download and install maldet. Then scan the accounts : maldet -a /home Last edited by TheSHosting; 11-17-2014 at 03:32 AM.
Posted by Atlanical-Mike, 11-17-2014, 03:32 AM
I bet it's the software... and CloudLinux etc doesn't protect software...
Posted by XViD, 11-17-2014, 03:41 AM
Check if your WHM is compromised.
Posted by net, 11-17-2014, 04:26 AM
Moved > Hosting Security and Technology.
Posted by kikloo, 11-17-2014, 04:38 AM
Hi, @netgremlin: Yes mostly WP but some others also were there. @linuxadminx: I am doing this now. @Licensecart-Mike: What CL does then ? I thought CageFS used to cage the accounts so that damage was limited to teh infected account only. @XViD: How ? Thanks.
Posted by idnx, 11-17-2014, 04:52 AM
Do you have account with reseller access? Do you ever move or restore account with reseller access from another server? In some case, an attacker pretend buy reseller account and ask to move there account from another server. And may be that account has root access on it privileges. And from that way they can access your server entirely.
Posted by kikloo, 11-17-2014, 05:25 AM
Hi, I have reseller accounts but i don't move / transfer. Thanks.
Posted by madaboutlinux, 11-17-2014, 05:40 AM
Did the php file you found was inside an account OR in a server side directory? Was it owned by an account user or root? It is possible that the server is cracked at the root level and malicious files were executed from a server side directory to inject code / delete php files from all the accounts.
Posted by Atlanical-Mike, 11-17-2014, 05:50 AM
CloudLinux makes it so the user can't see out and locks them in, however if your script is attacked and your sever isn't secure then things can escape and bypassing everything and probably attack the same script / etc. It just can't change Settings, etc. CloudLinux also make sure abuse doesn't effect other users. But again CloudLinux isn't Server Security and doesn't patch updates, their other brand patches. But it's not going to stop Malware. I could be wrong but you can't assume your safe because you have CloudLinux. That's like keeping your door open but closed. It looks like it's locked and safe but one push will open it to the world. Well one client of ours had Wordpress and it was targeted and effected other files on the account, what's to say if the malware was powerful and targeted others. Thankfully it was trying to get hits for the malware site.
Posted by kikloo, 11-17-2014, 06:10 AM
Hi, It was quarantined by CXS. All php files were kind of quarantined. I use seeksadmin as my server management and they told me that server was not hacked but CXS was configured to quarantine all files and it has done that. I don't really buy that, but i don't know what to do. Thanks.
Posted by TheSHosting, 11-17-2014, 06:27 AM
csx --qrestore [file] Restore quarantine [file] to original location
Posted by kikloo, 11-17-2014, 06:28 AM
I have backups and i am only doing a file restore and its working fine. N backups or any other file type was compromised. Only php files were compromised. Just don't know how to check, what had happened. Thanks.
Posted by Atlanical-Mike, 11-17-2014, 06:44 AM
If you believe they are wrong, move to another server management company. You need to believe and trust the guys you rely on every day for security.
Posted by TheSHosting, 11-17-2014, 06:45 AM
Check whether anyone accessed WHM. Check WHM access_log, ssh logs. grep -i accepted /var/log/secure Using find command check all recently modified files by hacker. Run rkhunter, chkrootkit, maldet scan Make Sure No Non-Root Accounts Have UID Set To 0 awk -F: '($3 == "0") {print}' /etc/passwd Have you recently installed any software on server ? It might be infected. Make sure PC from which you are accessing the server is clean. Change root password.
Posted by Mad_matt, 11-17-2014, 06:45 AM
thats freaky. With the precautions you had in place, it really makes you wonder how something still penetrated all of that. I am really keen to know what additional precautions you will (or can be) put in place.
Posted by madaboutlinux, 11-17-2014, 07:04 AM
If the php file you found is still present and is left untouched, it may still be possible to check what caused this problem. I would stop restoring the files and get my server checked thoroughly because restoring won't fix the issue and the problem will re-occur.

Add to Favourites Print this Article

Knowledgebase

cPanel server got hacked: All php files deleted

Our Services

Client Menu

Legal