Tracking Down Hacker in cPanel Servers!

Well there is this client of mine using Joomla with thousands of plug-ins and components is being hacked continuously! well the thing is creating a website is always easy! there are thousands of mods, components and other stuff available for open source content management systems like Joomla! but to keep it safe and patched of security holes that are being find everyday! well that is a challenge not everyone can take!

There is a bug somewhere in all these components and plugins which allows the hacker to upload his malicious files into our server. Well seems the attacker is using our server to send spam mails to his haters! I’ve found all the Shellers, and phpmailers he uploaded to the server and waited for him to come back for like 3 days and seems I got him today! He successfully uploaded a PHP Sheller into the media directory of the Joomla.

What I did here was to download the Apache RAW of the account and look for the PHP Shell file that he uploaded! well it is obvious that he is the one who uses this shell right? so by searching for the shell name and address I’ve got his IP ! mmm Brazil.

Well of course there are tones of requests by this IP to the website since there are thousands of CSS, JS and other static files on the Joomla site! But the next step is to look for the first requests of him by searching his IP address instead in the Apache LOG File.

I’ve found a interesting URL that he accessed firstly which belongs to the “com_fabrik” and allows him to upload a CSV file into the server! Gotcha! there is the thing! He uploaded his very first PHP sheller through this!

So now I can consider this component as a vulnerable and I can force the customer to do something to maintain security for this matter! well either removing the whole component or fixing the bug by updating it or changing the configuration will be the solution.

well always remember! you can find many things by checking your log files! a quick tip for how to get a website apache log file in cPanel/WHM :

  1. Login to WHM and Look for “Raw Apache Log Download”
  2. Select the domain that you want to see the logs for
  3. Download the generated file! unzip it!
  4. this file does not have a proper extension that can be opened by windows! Basically the extension is the domain TLD of the Account. and if you are running on windows .com extensions will be executed through CMD! to open the file in text editor just right click on the file and choose your desired text editor from Open With Option!

 

I suggest you to have some monitoring system with daemon services that check every new file uploaded on the server! so you will be notified by email and you can go for your search in the log file! it’s kind of impossible to monitor all the files manually!

in some cases its necessary to use mod DumpIO for Apache to log every single post value from clients to the server and then check them! for example if there is some sql injection or some other injections to your normal scripts to find out that what causes the hack you require to use this module! using this module needs attention because this module will generate large log files. this mod must be used only for debugging.

I will be posting a tutorial of How to use mod DumpIO in case see some interests on the comment section!

Have a Long Happy Day everyone.

  • How to detect hacker in cPanel server
  • find hacker in cPanel server
  • How to find the hacker using log file
  • Apache log file hacker
  • find shell uploader in apache log file
  • who upload PHP shell in apache log file

Incoming search terms:

  • shellers for website hacking
  • server hacking cpanel
  • https://yandex ru/clck/jsredir?from=yandex ru;search;web;;&text=&etext=1829 4Rqoo0iQbt_SGpU6xB-39aNRUkHaJ8rs_gCmCKMYUeA47AKIG1i2_kt61RT4Pj8Q 1716a218cf0a72a64392b04fd8873f72c9d2cb2e&uuid=&state=_BLhILn4SxNIvvL0W45KSic66uCIg23qh8iRG98qeIXme
  • how to hack a website cpanel
  • how to findout wevsite hacker from cpanel
  • hacke cpanel
  • find cpanel login on server shell upload
  • download shell hack cpanel all server
  • cpanel hacker tracking
  • camera hacks cpanel

3 comments

  1. Hi, Mahdi, In passage(1), exactly how do you find the first activity of hacker? I am having same issue, hoping you can share some tips, thanks.

    (1)
    Quote:
    well it is obvious that he is the one who uses this shell right? so by searching for the shell name and address I’ve got his IP ! mmm Brazil.

    PS.: Please erase previous comment I made, I forgot to set Notification via email in that one.

  2. Looking at the post request to the hacked website domain will give interesting information. You can find the files that the requests are sent to and then you can check them out.

  3. Thanks for this informative article. We have been under attack for the past two weeks with this problem. Hopefully we have moved things behind an appropriate firewall, but I was curious to find the bugger doing this, so I used CMD to ping the few IP addresses I could glean from the traffic on the cPanel server. I discovered that the 2 or three consistent problem hacks were routed through VPN, making it hard to do either IP or MAC lookup. What can you do about that?

Leave a Reply