AffordableDomainsCanada, Posted February 8, 2017

I had someone email my support department an attachment, it was a PPAF.PDF file. WHMCS rejected the file as it is NOT an accepted filetype, and this is what the ticket says. I was able to open the ticket that says: Attachment PPAF.PDF blocked - file type not allowed, and when I went to close the ticket, it was as if I activated the file and the server has crashed and I can't get it to load. ??

AffordableDomainsCanada (Author), Posted February 8, 2017

Can a server be hacked by attempting to upload a file to the server? My server administrator is telling me the server has been hacked and the root password was changed.

brian!, Posted February 8, 2017

> Can a server be hacked by attempting to upload a file to the server? My server administrator is telling me the server has been hacked and the root password was changed.

You might want to open a ticket with support about this - I'm sure they'd like to know why closing the ticket triggered the file to run... If you still have the PDF itself, they might want to see that too, to view the malware shell code inside it.

AffordableDomainsCanada (Author), Posted February 8, 2017 (edited February 9, 2017 by AffordableDomainsCanada)

I think opening the ticket triggered it. But there was no attachment... just text saying it was blocked. I don't have access via SSH anymore either. I have a systems administrator looking into it right now. I also opened a ticket, but it was just marked answered with no reply. I am going to see if I can get the PDF file, but I don't think it would have been uploaded to the attachments folder 'cause it's not an approved file type, so I'm not sure what's going on here.

bear, Posted February 8, 2017

"affordabledomians.ca/cpanel", you typo-ed the domain.

AffordableDomainsCanada (Author), Posted February 9, 2017

So we got this issue sorted; after all this, we were not compromised. There was some malicious code in the PDF document that was uploaded to the /attachments/ folder, and it ended up triggering an attempted login on cPanel, which then in return did a Permanent Block on over 100,000 IP Ranges. These IP ranges were from all over the world. I was not able to access the website from my desktop or from my cell phone, where I was on my carrier network, not WiFi, and our remote server administrator, who is in India, was not able to access the site.

    "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user redbull (locadcpdata failed)

We have since removed all IP blocks that were made yesterday and everything seems to be accessible now.

bear, Posted February 9, 2017

> an attempted login on cPanel, which then in return did a Permanent Block on over 100,000 IP Ranges

What in cPanel would block huge ranges just because of cPanel login attempts (that happen constantly)? Was it something like cpHulk that can block a user and not IPs, maybe?

twhiting9275, Posted February 12, 2017

Folks, this is why following these further security steps is imperative! This is just basic web application security 101 here:

always move folders public can upload things to... always!!!
Never store this stuff in public_html.

That's not saying it's going to be impossible to hack, but it'll make it harder to execute code and hack if you follow those practices!

bear, Posted February 12, 2017

> always move folders public can upload things to... always!!!

Where did he state it was triggered by someone from outside and not by trying to view the ticket? Though one possible cause, you make it sound like that's definitely what went on here. It might well be the two aren't related, and the PDF incident was coincidental. I still find "over 100,000 IP Ranges" doubtful, though.