Compromised???

Posted by Chinese Democracy, 04-20-2009, 12:01 PM
It appears that one new sign-up on a shared cPanel box was able to somehow attempt phishing using OTHER clients' domains. This happened 3 times on the same server (that user is now deleted). Example: Note that this happened to 3 different clients, in the same method! How is this possible??? mod_userdir is enabled. suPHP is enabled. Running PHP 5.2.9 w/ suPHP as mentioned and Apache 2.2. Keep in mind, these are 3 long time good customers. Here's the strangest thing, the files were NOT uploaded under the "goodclients" accounts at all, only linked that way. How is that possible?

Posted by ServerManagement, 04-20-2009, 01:08 PM
You have to check the logs to see how it got there. It could have been through an insecure script, weak password, vulnerability in another account, etc. You also need to increase the server's security to prevent the most common types of hacks that cause that.

Posted by brianoz, 04-21-2009, 04:00 AM
That isn't a hack, it's just using mod_userdir to make it look like the files are linked under the other user's directory.

Posted by Chinese Democracy, 04-21-2009, 01:33 PM
mod_userdir protection is enabled, so how is that possible?

Posted by brianoz, 04-21-2009, 07:00 PM
I have no idea, but the two obvious alternatives are that it is either broken or configured incorrectly. I'd test to see which is the case. If it appears to be broken, it may be worth doing an Apache recompile.
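
One way to run the log check suggested in the thread, as an added example that is not part of any post: it flags requests where a `/~user/` path was served successfully on a domain owned by a different account. The log lines and the domain-to-owner map (in the `domain: user` form of cPanel's `/etc/userdomains`) are constructed, the function names are hypothetical, and the log format is assumed to begin with the virtual host name (`%v`).

```python
import re

# Constructed sample in the "domain: owner" form of cPanel's /etc/userdomains.
USERDOMAINS = """\
goodclient.example: gooduser
shop.example: shopuser
newsignup.example: newuser
"""

# Constructed access-log lines; assumes a LogFormat whose first field is %v.
SAMPLE_LOG = """\
goodclient.example 203.0.113.7 - - [20/Apr/2009:11:58:02 -0500] "GET /~newuser/login/index.html HTTP/1.1" 200 5120
goodclient.example 203.0.113.9 - - [20/Apr/2009:11:59:10 -0500] "GET /~gooduser/about.html HTTP/1.1" 200 812
shop.example 198.51.100.4 - - [20/Apr/2009:12:00:41 -0500] "GET /%7Enewuser/login/post.php HTTP/1.1" 200 64
newsignup.example 198.51.100.4 - - [20/Apr/2009:12:01:00 -0500] "GET /index.html HTTP/1.1" 200 300
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')
# mod_userdir paths start with /~user; clients may send the tilde as %7E.
USERDIR_RE = re.compile(r'^/(?:~|%7e)([^/?#]+)', re.IGNORECASE)

def load_owners(text):
    """Parse 'domain: user' lines into a {domain: owner} dict."""
    owners = {}
    for line in text.splitlines():
        domain, sep, user = line.partition(":")
        if sep:
            owners[domain.strip().lower()] = user.strip()
    return owners

def cross_account_userdir_hits(log_text, owners):
    """Return (vhost, owner, userdir_user, path) for served foreign userdirs."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        vhost, path, status = m.group(1).lower(), m.group(2), int(m.group(3))
        u = USERDIR_RE.match(path)
        # 4xx/5xx means the request was refused; only served content matters.
        if not u or status >= 400:
            continue
        owner = owners.get(vhost)
        if u.group(1) != owner:
            hits.append((vhost, owner, u.group(1), path))
    return hits

if __name__ == "__main__":
    for hit in cross_account_userdir_hits(SAMPLE_LOG, load_owners(USERDOMAINS)):
        print("%s (owner %s) served userdir of %s: %s" % hit)
```

Any hit means userdir requests are still being answered on that virtual host, which is the "broken or configured incorrectly" case to test for.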
