cPanel is the most secure hosting panel on the market, but without proper safety measures and settings, it can be vulnerable to attacks. The article goes over the following important questions:
A cPanel hack may result in client domains, or the IP address of the server itself, being blacklisted, for example after spam mailings or other malicious activity. Because search engines may penalize hacked domains, a business can suffer significant monetary and reputational losses, and getting a site removed from a blacklist can take a long time. The best approach is to think about security ahead of time, before a cPanel hack occurs.
Update: the information below regarding password reset using the .contactemail file is outdated. As of cPanel version 106, contact emails have been moved to /var/cpanel/users/$USER and can now only be edited by the account administrator.
Hacking a cPanel account can be the result of a hacked site, and the opposite is also true. In our practice, there have been cases of hacking through password recovery systems.
By exploiting a vulnerability or using compromised access, an attacker replaces the email address in the file ~/.contactemail with their own and thereby establishes persistence in the system. From then on, the attacker can reset the account password at any time and regain access to the cPanel account. This works whenever the option “Reset Password for cPanel accounts” is enabled on the server.
Scanning files or changing credentials alone will not help, so if you suspect that you have been hacked, check that the contact email address is legitimate.
Another Indicator of Compromise is a request from 127.0.0.1 in the log file /usr/local/cpanel/logs/access_log (the User-Agent may vary).
There should be no legitimate requests to cPanel for the password-reset URL from 127.0.0.1. If you see such a request in the logs, it was evidently initiated by automated hacking tools.
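The two checks described above, as an added example that is not Imunify360's or cPanel's own code: it flags password-reset requests in access_log that come from 127.0.0.1 and verifies that an account's contact email still belongs to a domain you control. It assumes a combined-log-like line layout, takes the reset endpoint path as a parameter (the article does not reproduce the request line), and assumes the key name CONTACTEMAIL in /var/cpanel/users/$USER; the sample log lines are constructed.

```python
import re

# Assumed layout (not from the article): client IP first, then an Apache-style
# combined-log line. Only the fields needed for the check are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def loopback_reset_requests(log_lines, reset_path):
    """Return (timestamp, method, path, status) for requests to the reset
    endpoint that arrive from 127.0.0.1. The article states that no legitimate
    reset request comes from the loopback address, so every hit deserves a look,
    whatever the User-Agent says."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["ip"] == "127.0.0.1" and m["path"].split("?", 1)[0] == reset_path:
            hits.append((m["ts"], m["method"], m["path"], m["status"]))
    return hits


def contact_email(config_text, cpanel_version):
    """Extract the contact address from the file the given cPanel version uses:
    the bare address in ~/.contactemail before 106, or the CONTACTEMAIL= entry
    (key name assumed) in /var/cpanel/users/$USER from 106 on."""
    if cpanel_version >= 106:
        for line in config_text.splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "CONTACTEMAIL":
                return value.strip()
        return ""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    return lines[0] if lines else ""


def contact_email_is_trusted(email, trusted_domains):
    """True when the contact address is on a domain the operator controls; a
    swapped address on a foreign domain is the persistence trick described above."""
    return "@" in email and email.rsplit("@", 1)[1].lower() in trusted_domains


if __name__ == "__main__":
    # Constructed sample lines, not real server logs; /resetpass is an assumed path.
    sample = [
        '203.0.113.5 - - [10/Mar/2023:10:01:02 +0000] "GET /login/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
        '127.0.0.1 - - [10/Mar/2023:10:01:09 +0000] "POST /resetpass?start=1 HTTP/1.1" 200 512 "-" "curl/7.68"',
    ]
    for hit in loopback_reset_requests(sample, "/resetpass"):
        print("suspicious loopback reset request:", hit)
    email = contact_email("CONTACTEMAIL=owner@attacker.invalid\n", 106)  # constructed
    print(email, "trusted" if contact_email_is_trusted(email, {"example.com"}) else "NOT trusted")
```

On a live server, pass `open('/usr/local/cpanel/logs/access_log')` as `log_lines` and the contents of the relevant account file as `config_text`.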
If you want to disable the password recovery functionality, go to WHM >> Tweak Settings, uncheck the option 'Allow cPanel users to reset their password via email' and save the settings. Users will then no longer be able to reset their passwords via the 'you can reset your password by entering your username' link.
Most often, after hacking a cPanel account, attackers create mailboxes for sending spam, upload doorway pages on the server, or create subdomains for phishing.
Imunify360 effectively protects against such attacks. Our WAF and Proactive Defense will prevent a malicious actor from successfully completing an attack. And in case the credentials were still compromised, our new cPanel File Upload Scanner scans uploads in real time and cleans up malicious files uploaded through cPanel. Using cPanel hooks, Imunify360 blocks malicious actions performed in the cPanel File Manager: each time a potential attacker uploads a file, Imunify360 scans it before it is saved to its final location.
Since the password-recovery trick is itself a consequence of an earlier compromise, one route to that initial compromise is a brute-force attack, in which an attacker submits many passwords in the hope of eventually guessing correctly. One of the most effective defenses is to use strong passwords, but strong passwords alone may not be enough, and you may need an additional solution against brute-force attacks. Imunify360 protects against such attacks: it monitors authorization attempts and, in case of abuse, blocks the attacker.
In case of a root compromise of the server, attackers can plant a backdoor in the form of API tokens. If you suspect that your server has been hacked, check “Development” → “Manage API Tokens” for unauthorized tokens. Attackers issue tokens with root privileges and then use them to log in and create a session in cPanel.
If you discover hacked accounts, you must change the credentials for those accounts, scan their files for malicious code, and check their databases. Attackers may also have created new CMS accounts in order to upload malicious code through them later.
We have compiled this to-do list of what needs to be done after a compromise:
Imunify360 keeps your servers safe and running, so you can stop worrying about cPanel hacks. Try Imunify360 free for 14 days and see results in just one week.