How to fix a compromised cPanel account (a single user account)
cPanel servers are frequent targets for attackers. A typical cPanel server hosts a diverse set of users running all kinds of software, from WordPress to WHMCS, and it is each end user's responsibility to make sure the software they run is always up to date and carrying the latest security patches. The main types of compromise we define are:
- Site Compromise
- Root Compromise
We will cover both of these issues in separate posts, along with how to fix the problem so that it does not return.
A compromised website is usually running old software that the end user has not updated, for example an outdated version of WordPress. When updates are released for CMS platforms, the security flaws they fix are also published, which means attackers can target those specific, known-vulnerable parts of your website looking for a way to gain access to your files. If a malicious user does gain access to your files, it is likely they will upload something like a PHP mailer script and send out thousands of spam emails. This fills your mail queue and, if left unattended, your server will eventually fail under the size of the queue and the CPU power needed to process it. If we set up your server, we set a limit of between 50 and 100 emails per hour, which should stop your IPs from being blacklisted because of the spam, but you should still check your IPs against the blacklists and request removal where appropriate.
How to fix a site compromise
Just removing the files will not resolve the situation: you will find they simply reappear, because the malicious user still has access to the account. Changing the password alone will not work either. To fix the problem you need to carry out the steps below, in order.
- Identify the cPanel user which has had malicious files uploaded to their account
- Remove the malicious files in question
- Update all software on this user's account: WordPress, Joomla, everything should be fully updated
- Ensure the files have not been put back in the account while you were updating the software on the site
- Change the password on the user's account
- Change all email address passwords
- Change all FTP account passwords
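The triage part of the steps above (finding the account, the recently uploaded files and the state of the mail queue) can be scripted. The following helpers are an added example written for this article, not the article's or cPanel's own tooling. They assume the cPanel default layout of /home/<user>/public_html, that "the mail queue" is the Exim queue, and that the pattern list is a starting point you tune yourself; the sample directory tree and its files are constructed for the demo run at the bottom.

```shell
#!/bin/sh
# Added example (not from the original article): triage helpers for the
# "identify the user and remove the malicious files" steps.
# Assumptions: document roots live under /home/<user>/public_html (the cPanel
# default) and the mail queue is Exim's. Pattern list and sample files are
# constructed for illustration; a match is a lead to inspect, not proof.

# Regex fragments that commonly appear in uploaded PHP mailers and droppers.
SUSPICIOUS_PATTERNS='eval\(base64_decode\(|gzinflate\(base64_decode\(|str_rot13\(|\$_(POST|GET|REQUEST)\[[^]]*\][[:space:]]*\(|move_uploaded_file\('

# scan_account DOCROOT [DAYS]
# Prints PHP files under DOCROOT modified within DAYS days (default 7) that
# contain one of the patterns above. Recently changed files are the first
# place to look after a compromise, whatever the pattern list says.
scan_account() {
    docroot="$1"
    days="${2:-7}"
    [ -d "$docroot" ] || { echo "scan_account: no such directory: $docroot" >&2; return 2; }
    find "$docroot" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) \
        -mtime -"$days" -exec grep -lE "$SUSPICIOUS_PATTERNS" {} + 2>/dev/null || true
}

# foreign_owned DOCROOT USER
# Lists files under DOCROOT not owned by USER. When PHP runs as the web server
# user rather than the account owner, files written by a script show up with
# the wrong owner, so foreign-owned files under public_html deserve a look.
foreign_owned() {
    find "$1" ! -user "$2" 2>/dev/null
}

# mail_queue_size
# Number of messages waiting in the Exim queue, or "n/a" when exim is not
# installed (for instance when running this example off the server).
mail_queue_size() {
    if command -v exim >/dev/null 2>&1; then
        exim -bpc
    else
        echo n/a
    fi
}

# make_sample_tree
# Builds a throwaway directory shaped like a cPanel account: one legitimate
# index.php and one constructed file with the shape of an uploaded dropper
# (a decode-and-eval of a fixed string, not a working tool).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/wp-content/uploads"
    printf '<?php echo "site home"; ?>\n' > "$root/public_html/index.php"
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n' \
        > "$root/public_html/wp-content/uploads/cache.php"
    echo "$root"
}

# Demo run against the constructed tree. On a real server you would run, e.g.:
#   scan_account /home/someuser/public_html 7
#   foreign_owned /home/someuser/public_html someuser
sample=$(make_sample_tree)
echo "Suspicious recently modified PHP files:"
scan_account "$sample/public_html" 7
echo "Files not owned by $(id -un):"
foreign_owned "$sample" "$(id -un)"
echo "Mail queue size: $(mail_queue_size)"
rm -rf "$sample"
```

Run it as root on the server, once per cPanel user, and read the output together with the Exim queue: an account whose public_html has fresh matches and a queue full of messages from that account's domain is the one to clean first. Remove the flagged files only after the software update step, then rerun the scan to confirm nothing has been put back.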
As a matter of course, you should ensure users change their account passwords. This increases security for everyone on the server. You should also set a default password strength for all users by navigating to Home » Security Centre » Password Strength Configuration.
Once you have done that, you can also force everyone on the server to change their passwords so that they meet the new default password strength requirements, by navigating to Home » Account Functions » Force Password Change.