cPanel servers are a common target for attackers, and this post covers hacked cPanel accounts. A cPanel server usually hosts a diverse set of users running all kinds of software, from WordPress to WHMCS, and it is the end user's responsibility to keep the software they run up to date with the latest security patches. The main types of compromise we define are:

  • Site Compromise (This blog post)
  • Server Compromise

We will cover both of these issues in separate posts and how to fix the problem so it does not return.

A compromised website is usually running old software that the end user has not updated, for example an old version of WordPress. When updates are released for CMS software, the security flaws they fix are also published.

This means attackers can target those specific flaws in your website to gain access to your files. If a malicious user does gain access, it is likely they will upload files such as a PHP mailer. This will send out thousands of spam emails, fill up your mail queue and, if left unchecked, cause your server to fall over.

Servers crash in this way because of the size of the mail queue and the CPU time it takes to process it. If we set up your server, we set a limit of between 50 and 100 emails per hour, which should stop your IPs from being blacklisted because of the spam. You should still check your IPs against blacklists and request removal where appropriate.

How to fix a hacked website

Just removing the files will not resolve the situation: they will reappear because the malicious user still has access to the account. Changing the password alone will not work either. To fix the problem you need to complete the steps below, in order.

1- Identify the cPanel user whose account has had malicious files uploaded to it.

2- Remove the malicious files in question.

3- Update all software on this user's account. WordPress, Joomla, themes, plugins, everything should be fully updated.

4- Ensure the files have not been put back in the account while you were updating the software on the site.

5- Change the password on the user's account.

6- Change all email address passwords

7- Change all FTP account passwords
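Step 1 is the hard part on a busy server. The script below is an added example for this post, not something from the original, and assumes the standard cPanel layout of /home/<user>/public_html (the home root and day window are parameters so it can be pointed at a test tree). It ranks accounts by recently modified PHP files and then lists, for one account, files containing constructs typical of uploaded mailers; the indicator regex is a heuristic, not a definitive signature.

```bash
#!/bin/bash
# Added triage helper (not from the original post). Assumes the cPanel
# layout <home_root>/<user>/public_html; <home_root> is a parameter so the
# functions can be exercised against a constructed directory tree.

# find_recent_php <home_root> [days]
# Prints "<count> <user>" for every account whose document root contains
# PHP files modified within the last <days> days, busiest account first.
# A burst of changed .php files in a single account is the usual sign of
# the account that received an uploaded mailer (step 1 above).
find_recent_php() {
    local home_root="$1" days="${2:-7}"
    find "$home_root" -mindepth 3 -path "$home_root/*/public_html/*" \
        -type f -name '*.php' -mtime "-$days" -printf '%P\n' 2>/dev/null \
        | awk -F/ '{ count[$1]++ } END { for (u in count) print count[u], u }' \
        | sort -rn
}

# scan_indicators <home_root> <user>
# Lists PHP files in one account that contain constructs typical of
# uploaded mailers and obfuscated droppers. These are triage hints only:
# legitimate code (a CMS's own mail wrapper, for instance) can match, so
# review every hit by hand before deleting anything.
scan_indicators() {
    local home_root="$1" user="$2"
    grep -rlE --include='*.php' \
        'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|\bmail\(' \
        "$home_root/$user/public_html" 2>/dev/null | sort
}

# Run directly with arguments to rank accounts under a real home root:
#   ./cpanel_triage.sh /home 7
# With no arguments the script only defines the functions (so it can be sourced).
if [ "$#" -ge 1 ]; then
    find_recent_php "$1" "${2:-7}"
fi
```

After ranking, run scan_indicators against the top account and compare each hit's modification time with the time the mail queue started growing.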

As a matter of course, you should ensure users change their account passwords. This increases security for everyone on the server, and you should also set a default password strength for all users. To do this, navigate to Home » Security Centre » Password Strength Configuration.

Once you have done that, you can also force everyone on the server to change their passwords so that they meet the new password strength requirements. You can do this by navigating to Home » Account Functions » Force Password Change.

What if your site is up to date but still hacked?

Does your server have symlink protection? On Apache servers it is possible for a user in one account to gain access to another account if the server is not protected against symlink attacks. Web hosts should already have protection against this type of attack. If your web host does not, migrate away immediately.