my server hacked

Portal Home > Knowledgebase > Articles Database > my server hacked

Posted by webhostbeginner, 03-26-2008, 02:27 PM
Hello, my server hacked and when I trying to login to cpanel and after enter username and password show the hacked page. please help me to change the cpanel page. and what section I should check ? Regards
Posted by Tim Greer, 03-26-2008, 02:41 PM
You should ask your host for help ASAP. However, if you wish to seek help from the WHT members; Do you have a screenshot of the page defacement? It sounds like you've been compromised at the root user level (but maybe not, we'd need a screen shot to know for sure we understand the severity of the issue).
Posted by LoganNZ, 03-26-2008, 06:29 PM
Backup & migrate customer data to a new box, Rebuild OS on current hacked OS and reinstall WHM/CPanel & SECURE your server.
Posted by Tim Greer, 03-26-2008, 06:59 PM
We don't have enough data to suggest an OS reload and restore. It does appear that it's likely by the description that it's a root level compromise, but we don't know for sure -- it might just be account level and for that certain account.
Posted by jamesmoey, 03-27-2008, 04:30 AM
Scan for root kit. Best is to rebuild the machine from scratch.
Posted by eDedi, 03-27-2008, 04:43 AM
The only way to insure that your safe is to do an OS reload, The best way you can sort this out is by backing up what data you have and do a reload
Posted by blessen, 03-27-2008, 04:44 AM
Do a scan with rkhunter and see if the binaries are corrupted or not. Best solution here is to have the machine restored from the backup . Then get an experienced Security Admin to implement security measures in your server. That will reduce the hack attempts to a particular extend. Do you have backup? If yes then rebuild the machine and have the backup restored from the backup drive.
Posted by LoganNZ, 03-27-2008, 06:41 AM
RkHunter doesn't pick up everything
Posted by pcld, 03-27-2008, 07:00 AM
send mail from where u buy and say to give ur password back
Posted by 1boss1, 03-27-2008, 08:16 AM
What version cPanel are you running?
Posted by Serverevo, 03-27-2008, 10:28 AM
you should hire a admin service to check your server for vulnerable code, secure php and cpanel. rack911.com is a great one. -Greg
Posted by Tim Greer, 03-27-2008, 02:08 PM
There sure are a lot of suggestions about what to do, when we really don't know anything about how severe the compromise is. The OP has yet to post back. Let's wait to see if they do, because it might not be a root level compromise and an OS reload might not help. Additionally, without knowing what and how it was compromised, what good will an OS reload do if the attacker can simply just repeat the breakin?