Hacked cPanel Websites

[bill]

Hi, AITpro.

I’ve been an avid and long time supporter of you/AIT Pro for several years… and that will never change. I just had a question to pose because I just found out that 14 of my clients’ websites (hosted with GoDaddy via cPanel) were hacked sometime today. To me, it appears that they gained entry via cPanel somehow, because only the sites on this account were effected, all of the backups were deleted and all of the folders in the File Manager were emptied.

It is important to also note that I have a seperate “legacy” hosting account– all of which (20 or so) are fine.

I am the only one with administrative access to both hosting accounts, so passwords, etc. aren’t shared. And, for this reason, I was convinced that a recent server upgrade (three days ago) had something to do with the breach because I had cPanel for a couple years prior without incident. In speaking with support,  they suggested the hacker obtained access via WordPress which I immediately shot down as an impossibility (because of BPS Pro).

At present, after paying $150 for GD to restore the most recent backup of my sites, I’m forwarding all of the domains to my company site to prevent visitors from seeing the hacker’s page. They were also successful in upselling me on their server/database security product solely due to my fear at this hour. That said, my question is: Based upon the description, do you believe the hacker got into cPanel (utilizing login credentials obtained somehow) or ea. individual site (even with BPS Pro active across all sites)? More importantly than finding out what happened, my primary focus is to make sure it doesn’t happen again… which is the reason for this post.

Important: I am not accusing or questioning your product… not one bit. My very first website was hacked in 2011 and that’s when I found your product. I was new to everythign then… and without you and BPS Pro, I would’ve been lost. I’ve thanked you many times over, over the years and I still do today… thanks for reading.

[AITpro Admin]

Very sorry to hear that.  It does sound like the hosting account password was somehow stolen/compromised since all backups and folders/files were deleted, which is unusual.  Since everything was wiped it would be very hard or probably impossible to figure out exactly how this hosting account was compromised.  BPS Pro does not work at the Server/cPanel level and only works at the website/HTTP level.  So assuming that the hack was done by compromising that hosting account then the sites should be safe on your other hosting account.

[bill]

Update: Thanks for the time and response. Virus scans were ran on ea. site and outside of several “deleteme.php” files – which may not be anything – these three files were found in ea. set of files:

CLEARED: Cleared malware from file: ./wp-content/bps-backup/autorestore/wp-content/plugins/bulletproof-security/admin/login/lsm-help-text.php Details: rex.defaced.generic.009

CLEARED: Cleared malware from file: ./wp-content/plugins/bulletproof-security/admin/login/lsm-help-text.php Details: rex.defaced.generic.009

CLEARED: Cleared malware from file: ./xml_rpc.class.php Details: php.backdoor.filesman.093

Not sure if this helps or makes sense.

[AITpro Admin]

I would be glad to look at the original files that malware was detected in if you still have them.  If you do not have the original uncleaned files then unfortunately there is not much I can do.  ie check the code to see if this was a false positive or if the scanner actually did find malicious code in those files.  So if you do have the original files then you can send them to me:  info at ait-pro dot com.

[bill]

I actually deleted them out of fear that they may be “live.” Perhaps, my ignorance is showing. I did have a question: Is it possible blocked countries (all but the U.S.) from accessing a website?

[AITpro Admin]

The US is actually ranked #2 for the highest number of cyber criminals/hackers.  China is #1.  Anyway that is the wrong approach to take because adding the htaccess code to do that would cripple your website performance.  So blocking by countries is not effective at all.

[bill]

The reason why I asked is because my sites were redirecting to what I thought was a Russian website. But, after noticing a huge viewership spike per website today, I pulled up the analytics per site and Turkey was responsible for over 90% of the views per site, so I’m presuming the language was Turkish. I lost several sites but the ones I have are under attack….when I look at the Security Log, hundreds of attempts have been blocked by BPS since this morning.

[AITpro Admin]

Yep, I understand, but that still does change the fact that blocking by country is ineffective.

[bill]

Ok. Only a fool would argue with a genius, so I don’t have a witty comeback/rebuttal. But, I do have one last question: I’ve changed my cPanel admin password (3xs), I’m running malware scans on all sites every 12hrs, I changed the DB passwords and I’ve backed up the remaining sites in a separate location. Is there anything else you’d recommend?

[AITpro Admin]

Nope, I do not have anything else to recommend.  What you are doing is perfect – keeping a close on eye on things for a while until you know for sure the hack is not going to return.  After a week or so you can be very confident that everything is ok.  Typically if there was a left over hacker file somewhere the sites would be reinfected almost immediately or maybe after a day or two.

[bill]

Ok. As always, thanks for the insight and reassurance. Continued Success.

[bill]

Update: Hi, AITpro. I wanted to briefly follow-up to share that we were able to get things back on track with the core sites we were able to salvage and sanitize. I did have a question re: site behavior since. Certain sites have been getting a consistent flow of daily traffic from Turkey since the breach. According to stats, dozens of people from Turkey visit certain otherwise “calm” sites daily and I wanted to get your take on it. Do you believe they’re a. still trying to crack the sites a week later or b. Are they hotlinking somehow (assuming that’s how that works– not too familiar with the specifics there)? Please advise when your schedule permits and thanks.

[AITpro Admin]

A logical guess is that they may be trying to use the previous exploit or maybe trying to hack the site again.  Hotlinking would not be relevant to anything so nope they would not be Hotlinking.  I think what you mean is could there be any leftover Outbound links from your website to a hacker or spammer website.  You can install the Broken Link Checker plugin to check all Outbound links on your website.

[bill]

Ok, thank you.

[Author]

Posts