VPS hacked - Iframe Redirect

[akreider2]

My VPS got hacked.

Interestingly, I have four cPanel accounts. Only one of them got hacked.

The attacker added an iframe redirect to the bottom of the page for around 20 index.html/index.php pages.

They did this on Aug 30, 2009, at 11:30am (took them 2 minutes - so probably an automated script)

I just realized that we're often logging into cPanel using domain.org:2082 which sends the password unencrypted. I've been doing this for perhaps six years on one of my websites. Is this a likely cause? Any other suggestions?

I've filed a support ticket...

[JPC-Rizwan]

Hi akreider2,

This kind of iframe injections are usually caused by weak ftp passwords, make sure you are using strong passwords for any of the logins you use for vps, accounts, sub accounts.

Also avoid using plain ftp logins and for any ftp activity for your accounts use sftp. Also making sure that all applications in this account are running on latest stable versions reduces the chances of such hacks/injections a lot.


The access logs for the account and vps logs can give some idea on how this was done, so steps can be taken to avoid such hacks in future. We will check your vps and let you know our findings in your ticket.

[akreider2]

Is there a way to disable plain ftp?

[akreider2]

WHM - FTP server configuration.
I set TLS Encryption Support to "Required"

Before it was "optional".

[akreider2]

How do I disable unsecure cpanel and webmail (ports 2082 and 2095)?

I found the setting to redirect them. But it only redirects some of the time (www.domain.org/cpanel redirects, but www.domain.org:2082 does not).

[JPC-Rizwan]

WHM - FTP server configuration.
I set TLS Encryption Support to "Required"

Before it was "optional".

Yes this is correct.

For enforcing secure cpanel or webmail logins if applying that from Tweak Settings is not working , then it will need to be checked further.
Please update the ticket with required logins and we can check that further.