How Can a cPanel Account be Hacked?
1. Hacking through Password Recovery
A hacked cPanel account can be the result of a hacked site, and the reverse is also true. There have been cases of hacking through password recovery systems.
By exploiting a vulnerability or using compromised access, the attacker replaces the email address in the file ~/.contactemail with their own. This gives the attacker a persistent foothold: at any later time, they can reset the account password through the recovery process and regain access to the cPanel account. This works only if the option "Reset Password for cPanel accounts" is enabled on the server.
Scanning for malware or changing credentials will not help on their own, so if you suspect that you have been hacked, check that the contact email address is legitimate.
Another Indicator of Compromise is a request from 127.0.0.1 for this URL in the log file /logs/access_log (the user agent may vary).
There should be no legitimate requests to cPanel for this URL from 127.0.0.1. If you see such a request in the logs, it was evidently initiated by automated hacking tools.
To prevent this, we disable the option 'Allow cPanel users to reset their password via email' and save the settings. Users will then no longer be able to reset their passwords via the 'you can reset your password by entering your username' link.
Most often, after hacking a cPanel account, attackers create mailboxes for sending spam, upload doorway pages to the server, or create subdomains for phishing.
Our Proactive Defence prevents a malicious actor from successfully completing such an attack. And if the credentials were nevertheless compromised, our enhanced malware scanner finds and cleans up any malicious files that were uploaded.
2. Brute-Force Attack
Since a password recovery hack is already a consequence of an earlier compromise, one way that original compromise can happen is a brute-force attack. A brute-force attack consists of an attacker submitting many passwords in the hope of eventually guessing correctly. One of the most effective protections is to use strong passwords, but unfortunately strong passwords alone may not be enough. Our WAF therefore protects against such attacks: it monitors authorization attempts and, in case of abuse, blocks the attacker.
How to Secure a cPanel Account if You Have Been Hacked?
If you discover a hacked account, you must change the credentials, scan files for malicious code, and check the databases. Attackers may also have created new CMS accounts in order to upload malicious code through them later.
We have compiled this to-do list of what needs to be done after a hack:
- Change your cPanel account password. Be sure to use a strong password with a mix of letters (upper and lower case), numbers, and symbols, no ties to your personal information, and no dictionary words.
- Also change the passwords for MySQL and FTP accounts.
- Check that the files ~/.contactemail and ~/.cpanel/contactinfo contain the correct email address.
- Check cron jobs for malicious entries.
- Check for fraudulent users in the CMS (in the case of WordPress, this is the wp_users table). Using these accounts, the hacker can continue to upload malicious code to the server.
- Scan and clean up files and the DB for malicious code.
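The two indicators described above (a planted address in ~/.contactemail or ~/.cpanel/contactinfo, and password-reset requests from 127.0.0.1 in access_log) can be checked with a small shell script. This is an added example, not code from the original post or the vendor's product: the reset URL path is a placeholder because the post does not name it, the log file path is passed as an argument, and the sample files it inspects are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Checks for an attacker-planted
# contact address and for loopback (127.0.0.1) requests in a cPanel access_log.

# Print every email-like token in FILE that is not EXPECTED. Works for both the
# bare-address ~/.contactemail and the key=value ~/.cpanel/contactinfo.
list_unexpected_addresses() {
    grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' "$1" 2>/dev/null \
        | grep -vxF "$2" | sort -u
}

# Print access_log lines whose client address is 127.0.0.1 and whose text
# matches PATTERN (extended regex, default: any). The post notes that no
# legitimate reset-URL request should originate from 127.0.0.1.
loopback_requests() {
    awk -v pat="${2:-.}" '$1 == "127.0.0.1" && $0 ~ pat' "$1"
}

# Write constructed sample files (a planted address, two loopback requests to a
# PLACEHOLDER reset path) into a temporary directory and print its path.
make_sample_dir() {
    d=$(mktemp -d) && mkdir -p "$d/.cpanel"
    printf 'attacker@example.invalid\n' > "$d/.contactemail"
    printf 'email=owner@example.invalid\n' > "$d/.cpanel/contactinfo"
    printf '%s\n' \
      '203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET /login/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"' \
      '127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "POST /PLACEHOLDER-reset-path HTTP/1.1" 200 128 "-" "curl/8.0"' \
      '127.0.0.1 - - [01/Jan/2024:10:00:06 +0000] "GET /PLACEHOLDER-reset-path?user=owner HTTP/1.1" 200 128 "-" "python-requests/2.0"' \
      > "$d/access_log"
    echo "$d"
}

# report HOME EXPECTED_EMAIL LOGFILE [PATTERN]: print one "IOC:" line per finding.
report() {
    for f in "$1/.contactemail" "$1/.cpanel/contactinfo"; do
        bad=$(list_unexpected_addresses "$f" "$2")
        [ -n "$bad" ] && printf 'IOC: %s holds unexpected address: %s\n' "$f" "$bad"
    done
    hits=$(loopback_requests "$3" "${4:-.}")
    [ -n "$hits" ] && printf 'IOC: requests from 127.0.0.1:\n%s\n' "$hits"
    return 0
}

sample=$(make_sample_dir)
report "$sample" owner@example.invalid "$sample/access_log" 'PLACEHOLDER-reset-path'
rm -rf "$sample"
```

On a real server, run `report "$HOME" you@yourdomain "/usr/local/cpanel/logs/access_log" '<reset-url-path>'` with the actual reset path substituted for the placeholder.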