madsmao Posted July 8, 2015

First, let me explain the issue I'm having: Quite simply, when I create a new cPanel account through WHMCS, the account gets created with an index.htm file from a hacker team.

Now, a bit of backstory: I had a cPanel server hacked (completely rooted) a while back, so I set up an entirely new server (the one which is now experiencing this issue), and moved all customers to that server instead. The new server has much tighter security, and runs CloudLinux as opposed to an old CentOS 5 install. I scanned and validated each customer account before moving them to the new server, and I have not seen a single sign of suspicious activity since the move, apart from this issue with the new accounts.

The issue is clearly related to creating accounts through WHMCS, because accounts created through WHM don't have this issue. That's why I am posting this in the WHMCS forum, and not on the cPanel forums (although I may post it there too). I can clearly see that accounts created through WHMCS have the public_ftp and public_html directories timestamped almost 2 months back, whereas accounts created through cPanel have directories timestamped with today's date.

My question is: How can I best figure out where WHMCS is copying files from? It seems like the files are copied from somewhere on my server (something that must have leaked over from the hacked server), and I would really like to figure out what's going on. I should add that WHMCS runs on the new cPanel server, but it's an entirely new install of WHMCS. Only client area templates have been copied from the old install.
BizzHost Posted July 8, 2015

When a cPanel account is created in WHM, files are copied from the /cpanel3-skel/public_html folder of the main account (reseller account). If this folder contains an infected/malicious file, then all new accounts will get this file right from the start. Placing a malicious file in the /cpanel3-skel/public_html folder is a common method for hackers to get access to newly created accounts. You may want to check this folder for any malicious content. The cpanel3-skel folder is present in the root of the reseller account or the server's root.
madsmao (Author) Posted July 8, 2015

I guess I wasn't super clear about that, but I already checked that folder. It's completely clear of malicious files. New cPanel accounts created directly through WHM are not infected in any way. Only accounts created through WHMCS.
wrender Posted July 8, 2015

I could be wrong about this, but I don't think WHMCS copies files to cPanel/WHM. It just uses cPanel's API to connect. So, it does seem like it is your cPanel server that is hacked. Have you tried setting up a brand new cPanel server, and then connecting your WHMCS to it, and then creating a new cPanel account on that server through WHMCS?
madsmao (Author) Posted July 9, 2015

I agree with you that it's most likely an issue with the cPanel server, but there is clearly a difference between new accounts created through WHMCS and WHM. The accounts I create through WHMCS are created with the "hacked" index.htm file, and the accounts I create through WHM are created without any index.htm file at all (which is correct for this cPanel server). And, as I stated earlier, the cPanel skeleton directory (/root/cpanel3-skel/public_html) does NOT contain the "hacked" index.htm file, so it's clearly located somewhere else — and only used when accounts are created through WHMCS. Could there be some kind of hook that's only run when creating accounts through WHMCS, and how would I find out if that's the case?
merlinpa1969 Posted July 9, 2015

A quick find for a portion of the code in the hacked file at the server level should give you the answer on where it's coming from.
madsmao (Author) Posted July 9, 2015

Yeah, I think I will have to do that. I will report back with my findings.
madsmao (Author) Posted July 11, 2015

I managed to find the time to search the file system for the "hacked" index.htm template. It turns out that this was indeed an issue related to cPanel. What I didn't take into consideration was that I was creating accounts in WHMCS through a cPanel reseller account. That means I end up using /home/reselleruser/cpanel3-skel as the skeleton directory. That's where the "hacked" file was hiding.
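The search merlinpa1969 suggests and the reseller-skeleton finding above, as an added example that is not code from the thread or from cPanel/WHMCS: a POSIX shell script that inventories every cpanel3-skel directory that can seed a new account (root's and each reseller's under /home), hashes their files, and flags the skeleton files containing a marker phrase taken from the unwanted index.htm. BASE is a constructed directory standing in for "/", and the reseller names and marker text are made up.

```shell
#!/bin/sh
# Added example, not code from the thread. Inventories every cPanel skeleton
# directory (/root/cpanel3-skel and each reseller's /home/<user>/cpanel3-skel)
# and flags files containing a marker phrase. BASE stands in for "/".

hash_file() {  # sha256 of one file; works with GNU (sha256sum) or BSD (shasum)
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    cut -d' ' -f1
}

skel_dirs() {  # every cpanel3-skel directory below BASE that can seed a new account
    for d in "$1/root/cpanel3-skel" "$1"/home/*/cpanel3-skel; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Inventory line per file: "<skeleton dir> <path relative to it> <sha256>".
# Compare the hashes against the index.htm found in a freshly created account.
list_skel_files() {
    skel_dirs "$1" | while IFS= read -r skel; do
        find "$skel" -type f | while IFS= read -r f; do
            printf '%s %s %s\n' "$skel" "${f#"$skel"/}" "$(hash_file "$f")"
        done
    done
}

# Skeleton files containing MARKER, i.e. the skeleton(s) that would copy the
# unwanted page into every account created under that reseller.
find_skel_marker() {
    skel_dirs "$1" | while IFS= read -r skel; do
        grep -rlF -- "$2" "$skel" 2>/dev/null || true
    done
}

# Constructed sample tree: root skeleton empty, reseller "resellerA" seeded with
# a marked index.htm, reseller "resellerB" with a harmless one.
make_sample_tree() {
    for u in resellerA resellerB; do mkdir -p "$1/home/$u/cpanel3-skel/public_html"; done
    mkdir -p "$1/root/cpanel3-skel/public_html"
    printf '<html>CONSTRUCTED-MARKER</html>\n' > "$1/home/resellerA/cpanel3-skel/public_html/index.htm"
    printf '<html>welcome</html>\n' > "$1/home/resellerB/cpanel3-skel/public_html/index.htm"
}

SAMPLE=$(mktemp -d)
make_sample_tree "$SAMPLE"
list_skel_files "$SAMPLE"                           # full inventory
find_skel_marker "$SAMPLE" CONSTRUCTED-MARKER       # -> .../home/resellerA/.../index.htm
rm -rf "$SAMPLE"
```

On a real server, run it with BASE set to / and a short phrase copied from the unwanted page; the skeleton it names is the one WHMCS's reseller credentials are creating accounts under.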