
My webhost notified me they got a complaint from bank of america that one of my accounts under my reseller (WHM) account was compromised by a phisher. Once the host unsuspended my account I tried to find out how the account was compromised but cannot figure it out.

  • My account didn't have any scripts running, just static .html files.
  • All passwords are quite strong - 8 characters, auto-generated with lower case, upper case, numbers and special characters mixed.
  • Client computer is wired to the router and has up-to-date anti-virus, anti-spyware and firewall, and hasn't been infected ever before.
  • SFTP is not supported by the webhost with a shared SSL certificate, therefore uploads are done with FileZilla as normal.

I'm assuming that if the phisher somehow captured passwords then they would have done more damage, so my current line of thinking is some sort of vulnerability in cpanel/.htaccess etc?

The phisher made a subdomain and folder with a fake site which captured banking details and emailed it to themselves.

My question is this, how did the phisher compromise the account to upload his files? (or what possible weaknesses could he exploit)

  • When you say 'FileZilla as normal' - do you mean FTP with plain text passwords? Commented Jul 4, 2011 at 17:21
  • A place to start is who owns the files in the subdomain? The owner being the account used to create them might help discover the vulnerability, i.e. if they are owned by apache then your apache service was most likely compromised. Commented Jul 4, 2011 at 17:22
  • Yes. As I mentioned already I am physically wired to router (not on WiFi). Also I would use SFTP if I could. Commented Jul 4, 2011 at 17:23
  • This is a very old question, but in case anyone stumbles across it: 8-character passwords are absolutely not "quite strong." These days, an 8-character password should be considered weak, even if auto-generated. Commented Apr 24, 2015 at 15:21

1 Answer

If you are on a stock cpanel system there are three or four possible vectors I would check and try to rule out:

1) The hacker has your ftp password and used that to upload the modified files. If this happened your host should have logs to show this and the remote IP address used to do that. If your host can't show you that, I would find a new host.

2) Did they modify your site via a different interface (SCP, WebDAV)? Again your host should be able to show you some logs.

3) Are there any scripts that allowed file access? Your host should be able to point to logs showing this.

4) There are a few privilege escalation or cross reseller account attacks in cPanel. Symlinks can be followed, WebDAV bugs, and other attacks may have allowed the hacker to exploit another account and then upload content to your site.

In all of these cases your host should be walking you through this.

  • It seems my host doesn't do a good job with retaining logs and I have struggled to get much information out of them. After they blamed me saying the files were uploaded via FTP, I pointed out that the available logs didn't show this. They admitted their mistake after weeks of emails and then said the phisher site was created via cpanel from an Egyptian IP address. Their logs are deleted on weekly rotation, so I've come up against a brick wall now. I am thinking it was a session hijack - but can't prove anything and will never know. Commented Aug 2, 2011 at 13:39
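As an added example (not code from the question, the answer or cPanel), here is a small triage script that performs the local checks suggested above: who owns the files in the dropped subdomain, what changed recently (to line up against whatever host logs survive the rotation), which paths are world-writable on a shared box, and which symlinks point outside the web root (the answer's point 4). The function name, arguments and the constructed test layout are assumptions; run it as `python3 triage.py /home/acct/public_html acct`.

```python
import os
import pwd
import stat
import time


def triage_webroot(root, account_user, days=7):
    """Walk a web root and return findings for the checks discussed above.

    foreign_owner  - entries not owned by account_user (another account or
                     the web server user wrote them)
    recent         - entries modified in the last `days` days, newest first
    world_writable - entries any local user on a shared host could write to
    symlinks       - symlinks and their targets (symlink-following attacks)
    """
    cutoff = time.time() - days * 86400
    report = {"foreign_owner": [], "recent": [], "world_writable": [], "symlinks": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: inspect the link itself, not its target
            except OSError:
                continue
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)  # uid with no passwd entry: report the number
            if owner != account_user:
                report["foreign_owner"].append((path, owner))
            if st.st_mtime >= cutoff:
                report["recent"].append((path, st.st_mtime))
            if stat.S_ISLNK(st.st_mode):
                report["symlinks"].append((path, os.readlink(path)))
            elif st.st_mode & stat.S_IWOTH:
                report["world_writable"].append(path)
    report["recent"].sort(key=lambda item: item[1], reverse=True)
    return report


if __name__ == "__main__":
    import sys
    result = triage_webroot(sys.argv[1], sys.argv[2])
    for key, items in result.items():
        print(f"== {key} ({len(items)})")
        for item in items:
            print("  ", item)
```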
