Imunify360 Blog

cPanel hacks: How to protect your cPanel account

Written by Vitalii Rudnykh | Jan 16, 2024 1:00:00 PM

cPanel is a mature and widely used hosting panel, but without proper security measures and settings it can still be compromised. This article covers the following questions:

  1. What Does a cPanel Hack Look Like for Clients?
  2. How Can a cPanel Account be Hacked?
    1. Hacking through Password Recovery
    2. Brute-Force Attack
    3. API Tokens
  3. How to Secure WHMCS/cPanel Accounts if You Have Been Hacked?
  4. Conclusion: Forget about cPanel Hacks with Imunify360 

 

What Does a cPanel Hack Look Like for Clients?

A cPanel hack may result in client domains, or the IP address of the server itself, being blocklisted, for example after spam mailings or other malicious activity. Search engines may also penalise hacked domains, so a business can suffer significant monetary and reputational losses, and getting a domain removed from a blocklist can take a long time. The best approach is to think about security ahead of time, before a cPanel hack occurs.

 

How Can a cPanel Account be Hacked?

Hacking through Password Recovery

Note: the information below regarding password reset through the .contactemail file is outdated. Since cPanel version 106, contact emails have been moved to /var/cpanel/users/$USER and can only be edited by the account administrator.

A compromised cPanel account can be the consequence of a hacked site, and the reverse is also true. In our practice we have seen accounts hijacked through the password-recovery mechanism.

By exploiting a vulnerability or using already compromised access, an attacker replaces the address in the file ~/.contactemail with one they control. This gives the attacker persistence: at any later time they can request a password reset for the account, receive the reset link at their own address, and regain access to cPanel, even after the original entry point has been closed. This only works if the option “Reset Password for cPanel accounts” is enabled on the server.

A malware scan or a credential change alone will not remove this foothold, so if you suspect a compromise, verify that the contact email on the account is the legitimate one.

A further Indicator of Compromise is a request for the password-reset URL recorded from 127.0.0.1 in the log file /usr/local/cpanel/logs/access_log (the user agent may vary).

There are no legitimate requests to cPanel for this URL from 127.0.0.1: a request from the loopback address was issued on the server itself, typically by a web shell or an automated hacking tool running under an already compromised account, not by a user in a browser. If you see such a request in the logs, treat it as evidence of an attack.

If you want to disable the password-recovery functionality, go to WHM >> Tweak Settings, uncheck the option 'Allow cPanel users to reset their password via email' and save the settings. Users will then no longer be able to reset their passwords through the 'you can reset your password by entering your username' link on the login page.
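The two indicators just described, the altered contact address and the reset request from the loopback address, can be checked with a short script. The following is an added example, not code from the original post or from Imunify360. It assumes an access_log line layout (source IP, user, timestamp, request line, status, size, referer, user agent) that is constructed for the sample, and it assumes the reset page is served under the path /resetpass; adjust both to what your server actually logs. The contact-email check compares each account's ~/.contactemail (or, on cPanel 106 and later, the contact email under /var/cpanel/users/$USER) with the address in the provider's own customer records, which is the only reliable reference once the file itself is suspect.

```python
"""Detect a hijacked contact address and a password-reset request issued from
the server itself (127.0.0.1), the two indicators discussed above.

Added example, not part of the original post or of Imunify360.  Assumed and
constructed for this example: the access_log line layout matched by
ACCESS_LOG_RE, the reset-page path in RESET_PATHS, and all sample data."""
import re
from typing import Dict, List, Optional

# Assumed cPanel access_log layout (constructed for this example):
# IP - user [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: the reset page lives under /resetpass; adjust to your server.
RESET_PATHS = ("/resetpass",)


def parse_access_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access_log line, or None if it does not match."""
    m = ACCESS_LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_local_reset_requests(lines, reset_paths=RESET_PATHS) -> List[Dict[str, str]]:
    """Requests for a reset path that came from the loopback address.

    A hit means the request was issued on the server itself (for example by a
    web shell running under a hijacked account), not by a user in a browser."""
    hits = []
    for line in lines:
        rec = parse_access_log_line(line)
        if rec is None or rec["ip"] != "127.0.0.1":
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        if any(path == p or path.startswith(p + "/") for p in reset_paths):
            hits.append(rec)
    return hits


def check_contact_emails(contact_files: Dict[str, str],
                         expected: Dict[str, str]) -> Dict[str, str]:
    """Compare each account's contact-email file content with the address the
    hosting provider has on record; return {user: unexpected addresses}.

    `contact_files` maps username -> raw file content (the file may hold
    several comma-separated addresses); `expected` maps username -> the
    address from the provider's own customer records."""
    mismatches = {}
    for user, content in contact_files.items():
        addrs = {a.strip().lower() for a in content.split(",") if a.strip()}
        want = expected.get(user, "").strip().lower()
        unexpected = sorted(a for a in addrs if a != want)
        if unexpected or not addrs:
            mismatches[user] = ", ".join(unexpected) if unexpected else "<empty>"
    return mismatches


# Constructed sample data (not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - alice [16/01/2024:10:01:02 +0000] "GET /cpsess1234/frontend/jupiter/index.html HTTP/1.1" 200 5120 "" "Mozilla/5.0"',
    '127.0.0.1 - - [16/01/2024:10:05:44 +0000] "POST /resetpass?user=alice HTTP/1.1" 200 310 "" "curl/7.88.1"',
    '198.51.100.9 - - [16/01/2024:10:06:10 +0000] "GET /resetpass HTTP/1.1" 200 2048 "" "Mozilla/5.0"',
    '127.0.0.1 - root [16/01/2024:10:07:00 +0000] "GET /json-api/loadavg HTTP/1.1" 200 88 "" "cpanel-internal"',
]
SAMPLE_CONTACT_FILES = {
    "alice": "alice@example.com, attacker@evil.example",  # attacker appended their address
    "bob": "bob@example.com",
}
EXPECTED_CONTACTS = {"alice": "alice@example.com", "bob": "bob@example.com"}

if __name__ == "__main__":
    for rec in find_local_reset_requests(SAMPLE_LOG):
        print(f"[IoC] reset request from loopback: {rec['ts']} {rec['method']} {rec['path']} ua={rec['ua']!r}")
    for user, addr in check_contact_emails(SAMPLE_CONTACT_FILES, EXPECTED_CONTACTS).items():
        print(f"[IoC] {user}: unexpected contact address(es): {addr}")
```

Note that the third sample line, a reset request from a public address, is not flagged: users legitimately reset passwords from their browsers, and it is only the loopback origin that is anomalous. Run the contact-email check against all accounts, not just the one you suspect, because an attacker who reached one home directory through a shared web shell often edits several.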

 

Most often, after hacking a cPanel account, attackers create mailboxes for sending spam, upload doorway pages on the server, or create subdomains for phishing.

Imunify360 protects against such attacks. Its WAF and Proactive Defence stop a malicious actor before the attack completes, and if credentials are compromised anyway, the new cPanel File Upload Scanner scans and cleans malicious files uploaded through cPanel in real time. Using cPanel hooks, Imunify360 initiates a scan each time a file is uploaded through cPanel File Manager, before the file is saved to its final location, and blocks malicious content.

 

Brute-Force Attack

Since the password-recovery technique above requires an initial foothold, it is worth asking how that foothold is obtained; one common way is a brute-force attack, in which an attacker submits many passwords in the hope of eventually guessing correctly. Strong passwords are one of the most effective defences, but strong passwords alone are not always enough: the login endpoint also has to limit how many attempts a source can make. Imunify360 provides this protection: it monitors authorization attempts and, in case of abuse, blocks the attacker.
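The blocking logic the paragraph describes, counting failed logins per source over a sliding time window, is shown below as an added example; it is not code from the original post or from Imunify360. The login_log line layout it parses (timestamp, level, daemon, client IP, user, request, result) is an assumption constructed for the sample, and real lines in /usr/local/cpanel/logs/login_log may differ in detail, so adapt LOGIN_LINE_RE to your server before using it.

```python
"""Sliding-window detection of cPanel login brute forcing.

Added example, not part of the original post or of Imunify360.  Assumed and
constructed for this example: the login_log line layout matched by
LOGIN_LINE_RE and all sample lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Assumed login_log layout (constructed for this example):
# [timestamp +zone] level [daemon] IP - user "request" RESULT ...
LOGIN_LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[^\]]*\] \w+ \[(?P<daemon>\w+)\] '
    r'(?P<ip>\S+) - (?P<user>\S+) (?P<rest>.*)$'
)

Attempt = Tuple[datetime, str]  # (time of the failure, username tried)


def parse_login_line(line: str) -> Optional[dict]:
    """Split one login_log line into fields; None if the line does not match."""
    m = LOGIN_LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["failed"] = "FAILED LOGIN" in rec["rest"]
    return rec


def find_bruteforcers(lines, max_failures: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> Dict[str, List[Attempt]]:
    """Return {ip: failures inside the window} for each source IP that exceeded
    `max_failures` failed logins within `window`.

    One deque per IP keeps only the failures still inside the window, so the
    check is O(1) amortised per line and works on a live tail of the log as
    well as on a finished file.  Successful logins do not reset the counter:
    a guesser who finally succeeds still exceeded the threshold first."""
    recent: Dict[str, Deque[Attempt]] = defaultdict(deque)
    flagged: Dict[str, List[Attempt]] = {}
    for line in lines:
        rec = parse_login_line(line)
        if rec is None or not rec["failed"]:
            continue
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append((ts, rec["user"]))
        while q and ts - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if len(q) > max_failures and ip not in flagged:
            flagged[ip] = list(q)
    return flagged


def _line(ts: str, ip: str, user: str, result: str) -> str:
    """Build one constructed login_log line in the assumed layout."""
    return f'[{ts} +0000] info [cpaneld] {ip} - {user} "POST /login/ HTTP/1.1" {result}'


FAIL = "FAILED LOGIN cpaneld: user password hash mismatch"
# Constructed sample: one IP spraying six usernames in 25 seconds, one user
# mistyping a password once before logging in, and one slow failure per hour.
SAMPLE_LOGIN_LOG = (
    [_line(f"2024-01-16 09:00:{s:02d}", "198.51.100.23", u, FAIL)
     for s, u in zip(range(1, 31, 5), ["admin", "root", "test", "alice", "bob", "admin"])]
    + [_line("2024-01-16 09:00:30", "203.0.113.7", "alice", FAIL),
       _line("2024-01-16 09:00:45", "203.0.113.7", "alice", "NEW alice:cpsess0123456789")]
    + [_line(f"2024-01-16 {h:02d}:15:00", "192.0.2.5", "bob", FAIL) for h in range(10, 16)]
)

if __name__ == "__main__":
    for ip, fails in find_bruteforcers(SAMPLE_LOGIN_LOG).items():
        users = sorted({u for _, u in fails})
        print(f"block {ip}: {len(fails)} failed logins between {fails[0][0]} and "
              f"{fails[-1][0]}, users tried: {users}")
```

The slow source (one failure per hour) is deliberately left alone by the default ten-minute window; widening the window or lowering the threshold catches it at the cost of more false positives from users who genuinely forget their password. In practice the flagged address would be handed to the firewall for a temporary block, and the deque would be reset once the block expires.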

 

API Tokens

If the server's root account has been compromised, attackers can leave a backdoor in the form of API tokens. If you suspect that the server has been hacked, check “Development” → “Manage API Tokens” in WHM for tokens you did not issue. Attackers create tokens with root privileges and then use them to log in and open a cPanel session whenever they like, without needing the password again.

 

How to Secure WHMCS/cPanel Accounts if You Have Been Hacked?

If you discover hacked accounts, you must change the credentials on those accounts, scan the files for malicious code, and check the databases as well. Attackers often also create new accounts in the CMS so that they can later upload malicious code through them.

We have compiled this to-do list of what needs to be done after hacking:

  • Change your cPanel account password. Use a strong password with a mix of upper- and lower-case letters, numbers, and symbols, with no ties to your personal information and no dictionary words.
  • Also change the passwords for MySQL and FTP/SSH accounts.
  • Check the files ~/.contactemail and ~/.cpanel/contactinfo for the correct contact email (on cPanel 106 and later, the contact email lives under /var/cpanel/users/$USER).
  • Check cron jobs for malicious entries.
  • Check the CMS for fraudulent users (in the case of WordPress, this is the wp_users table). Using such accounts, the attacker can continue to upload malicious code to the server.
  • Scan and clean files and the database for malicious code. You can scan the database with our solution MDS (Malware Database Scanner).

To improve the security of cPanel accounts, we have created a comprehensive guide, 17 Ways to Improve cPanel Security, which explains step by step what to do.

 

Conclusion: Forget about cPanel Hacks with Imunify360 

With the new cPanel Upload Scanner feature, Imunify360 now controls file uploads on cPanel: it blocks malicious file uploads via cPanel File Manager and prevents content modifications that would lead to malware injection. Beyond antivirus and WAF, Imunify360 combines an Intrusion Prevention and Detection System, an application-specific Web Application Firewall, real-time antivirus protection, a network firewall, and patch management in one security suite. It is fully automated and presents all statistics in an intuitive dashboard.

Imunify360 keeps your servers safe and running and you could forget about cPanel hacks. Try Imunify360 free for 14 days and see results in just one week.

 
