Security concerns

Posted by latitudehopper, 03-04-2014, 02:25 PM
I am with a new reseller; however, I have worries about a recent series of hacks. I have very strong cPanel passwords but recently my accounts are getting accessed and folders/redirects set up to facilitate phishing scams. Some of the folders are www.paypal-service-login login-account-verify. Has anyone seen this before? The reseller doesn't seem to know and is saying to reset passwords. I can do that but this has happened before and I reset to a password with a very strong degree of security. Help?! I feel like I am under attack and have no idea how to solve this.

Posted by latitudehopper, 03-04-2014, 02:31 PM
I should add that I had thought it was a WordPress security hole but this is adding subdomains and email accounts in cPanel.

Posted by helix247, 03-04-2014, 02:44 PM
Have you opened a support request with your provider?

Posted by latitudehopper, 03-04-2014, 02:54 PM
I have. They cannot offer me an explanation nor a solution.

Posted by HostWithLove_Cody, 03-04-2014, 03:32 PM
Perhaps the server isn't Symlink-protected? Might want to request them to contact their main provider regarding this.

Posted by latitudehopper, 03-04-2014, 03:40 PM
How are they setting up email accounts and subdomains?

Posted by DWS2006, 03-04-2014, 03:46 PM
I'd assume one of three things is happening:
1) A PC/MAC system you've used to connect to your WHM accounts is compromised. This would easily allow outsiders to make changes within your account.
2) A PC/MAC system your provider has used to connect to their WHM accounts is compromised. This would easily allow outsiders to make changes within your account.
3) The server is compromised at the root level.

Posted by ServerSam, 03-04-2014, 04:24 PM
Run a malware scan and virus scan on your PC...

Posted by latitudehopper, 03-05-2014, 07:01 AM
I have run a malware scan on the one machine used to access cPanel with nothing found. I have changed the passwords yet again and will be monitoring the situation. I am still worried about the lack of support I am getting from my current provider.

Posted by Johnny Cache, 03-05-2014, 08:17 AM
Changing the cPanel password over and over is doing nothing more than taking up your time, unfortunately. The URL is a patently obvious phishing domain. Just about every cPanel TSR I've read in the last year (ish) has identified multiple vulnerabilities, including root compromises, as the result of flaws in the reseller area of WHM. I can't even think of them all. What type of malware scan did you perform and from where? Most require root access in order to kick them off. I wouldn't dismiss WordPress as the culprit just yet. Could just as easily be a malicious redirect from a shady plugin. WPPPM comes to mind. Finally, this issue alone would make me race to the cancellation form. If this whole issue came out of nowhere within days of moving to a new host, your answer is staring right back at you. Obviously this is not normal behavior, meaning that every day without taking action is another day you're risking your data. I don't know which provider you do business with but if they can't even isolate abuse then they have no business running a server in the first place. Listen to your instinct and run. RUN while you still have some data to cancel with.

Posted by latitudehopper, 03-05-2014, 08:21 AM
Yes. As far as I am aware, this started after moving to the new reseller. A new development is that a password for one account in WHM has been changed and the default contact email address too. My issue is I have struggled to find a reseller without issues... the search will need to recommence I feel. Thank you for your considered input on this.

Posted by latitudehopper, 03-05-2014, 08:56 AM
An update. All they are saying now is to update ALL WordPress installs. The problem I have here is that if I start updating all my clients' WordPress installs then this may break their sites, some of which I just host. I would rather know how a security vulnerability could lead to details in WHM being changed, otherwise I am committed to updating forever. The point of signing up to reseller hosting was not to have to manage my server, which this is my proxy. Sorry for the ongoing dialogue, I am hoping it is useful to someone once this is resolved.

Posted by bruc, 03-05-2014, 12:26 PM
We get that link in spam emails often.

Posted by CBSBI, 03-05-2014, 01:05 PM
Do you have a smartphone that you use to access data/email/websites? After weeks of running around, it ended up being a client using a rooted Android device that was the cause of the spam.

Posted by DWS2006, 03-05-2014, 01:13 PM
While WordPress can be a security concern, a breach there shouldn't result in a password/email change within cPanel (assuming no common passwords are used). Sounds like it's time to find a new home for your accounts.

Posted by latitudehopper, 03-06-2014, 07:48 AM
Christ! Another account has been hacked; they were emailed to say that their password was changed and now the provider has suspended their account for phishing. I need out ASAP but to where?!

Posted by latitudehopper, 03-06-2014, 07:58 AM
Has anyone any experience with A2? They seem to talk about continuous and proactive security which is what is lacking here.

Posted by DWS2006, 03-06-2014, 09:32 AM
What email did they receive regarding the password change? Specifically, where was it sent from? Are you using a billing system (WHMCS, ClientExec, etc.)?

Posted by latitudehopper, 03-06-2014, 09:37 AM
I have just had them send it to me and it was an attempt to reset their WordPress password. Either way, I am outta here! (as soon as I can find a new home). No, I am not using a billing system.

Posted by DWS2006, 03-06-2014, 09:42 AM
Ok, I thought you were referring to a cPanel password change and an email announcing that. cPanel doesn't send emails when passwords are changed via WHM or cPanel, but billing systems often do. Good to hear that a billing system is not the point of entry. Good luck with your hosting search and migration.
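
An added example, not part of any post in this thread: a read-only audit a reseller could run over an account's home directory to surface two things discussed above, lure-named folders like the ones quoted in the first post and symlinks that resolve outside the account (the symlink concern raised earlier in the thread). The keyword lists, scoring threshold and function names are assumptions chosen for illustration.

```python
import os
import re
import sys
import time

# Constructed keyword lists (assumptions); extend for the brands you see abused.
BRANDS = {"paypal"}
LURES = {"login", "signin", "verify", "account", "secure", "service", "update"}

def score_name(name):
    """2 points per brand token, 1 per credential-lure token in a directory name."""
    tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
    return 2 * len(tokens & BRANDS) + len(tokens & LURES)

def find_suspect_dirs(root, min_score=2, max_age_days=None):
    """Return sorted (relative_path, score); max_age_days limits to recent mtimes."""
    cutoff = None if max_age_days is None else time.time() - max_age_days * 86400
    hits = []
    for dirpath, dirnames, _ in os.walk(root):  # does not descend into symlinks
        for name in dirnames:
            full = os.path.join(dirpath, name)
            score = score_name(name)
            if score < min_score:
                continue
            if cutoff is not None and os.lstat(full).st_mtime < cutoff:
                continue
            hits.append((os.path.relpath(full, root), score))
    return sorted(hits)

def find_escaping_symlinks(root):
    """Return sorted relative paths of symlinks whose target resolves outside root."""
    base = os.path.realpath(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.path.realpath(full)
                if os.path.commonpath([base, target]) != base:
                    found.append(os.path.relpath(full, root))
    return sorted(found)

if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, score in find_suspect_dirs(home):
        print(f"lure-name score={score}\t{path}")
    for path in find_escaping_symlinks(home):
        print(f"symlink-outside-home\t{path}")
```

A hit is a lead to review, not proof of compromise: a name match is only a heuristic, and a symlink that points outside the home directory can be legitimate.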


