Someone logged into my cPanel account without my knowledge.

Camilo Herrera, winkhosting. Published Jan 10, 2023. 8 min read.

Suddenly you wake up one day and discover that your website has been flagged for suspected malware in Google Safe Browsing, your web page shows errors and redirects to suspicious sites, and there are directories and files in /public_html of your cPanel account that you have no idea where they came from.

Welcome: your cPanel account was attacked. The first step to solving a problem is to accept that you have it and that it is real. Now, how can you fix it, and what options do you have? Look at the horizon, take a deep breath, make yourself a coffee and let’s solve it.

The steps below will help you re-establish confidence in your inner strength and get your site back online as it should be:

Don’t panic, verify all access to your cPanel account, change your passwords and enable 2FA

First things first: if your site was compromised, you should assume that all of your account information was compromised as well, including every user and password on it, from the cPanel login and the MySQL database passwords to the FTP accounts and mailboxes.

You can start by reviewing the access history of your cPanel account through the interface. Open the “.lastlogin” file from the file manager, which you will find in the “Files” section under the “File Manager” option of your interface. (If you do not see the file in the root folder of your hosting account, check that you have enabled the option to show hidden files in the file manager interface.)

lastlogin file with the last logins to your account

Right-click on the file and select the “View” option in the pop-up menu; the following information will be displayed:

Contents of the lastlogin file in cPanel

There you will find the IPs that most recently accessed your account. If you notice records from unknown IPs (usually from countries other than the one you are in), it is highly probable that the attacker accessed your account with your credentials; you can check which country an IP belongs to by typing the address here. This also means that your access data was stolen, which is usually done through phishing emails (learn more about phishing here).
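As an added example (not part of the original article), here is a small Python script that parses a copy of the .lastlogin file and flags logins from addresses outside the networks you recognise. The “IP # timestamp” line layout is an assumption about the file format, and the sample entries and known networks are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of a cPanel .lastlogin file. The "IP # timestamp" layout
# is an assumption about the format; adjust LINE_RE if your file differs.
SAMPLE_LASTLOGIN = """\
203.0.113.10 # 2023-01-08 09:12:41 -0500
203.0.113.10 # 2023-01-09 18:03:07 -0500
198.51.100.77 # 2023-01-10 02:47:55 -0500
2001:db8:abcd::17 # 2023-01-10 03:01:12 -0500
"""

# Networks you know are yours (office, home, VPN). Constructed values.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]

LINE_RE = re.compile(r"^\s*(\S+)\s*#\s*(.+?)\s*$")


def parse_lastlogin(text):
    """Return a list of (ip_address, timestamp) tuples, skipping lines that don't parse."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # not a valid IPv4/IPv6 literal
            continue
        entries.append((ip, m.group(2)))
    return entries


def unknown_logins(text, known_networks=KNOWN_NETWORKS):
    """Return (ip, timestamp) pairs whose IP is in none of the known networks."""
    # An IPv6 address is never "in" an IPv4 network, so unknown v6 logins are flagged too.
    return [
        (str(ip), ts)
        for ip, ts in parse_lastlogin(text)
        if not any(ip in net for net in known_networks)
    ]


if __name__ == "__main__":
    for ip, ts in unknown_logins(SAMPLE_LASTLOGIN):
        print(f"UNKNOWN LOGIN: {ip} at {ts}")
```

Every flagged address is a login you should be able to explain; if you cannot, treat the credentials as stolen and proceed with the password changes below.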

Security tip: Remember that no one, ever, not your loved ones, your partner, your dog, and much less a stranger, should ask you for the access data to your account, especially through an email telling you there is something urgent to do in your hosting. Repeat after me: “Never trust, always verify”.

If you receive messages asking for your access data, contact your hosting provider, but by default assume it is a malicious email, always.

Now change all the passwords, starting with your cPanel password. You can do this in the user menu inside the interface or ask your hosting provider to change it for you (at Winkhosting.co we can do it directly, or you can do it from our client area even if you don’t have access to cPanel).

The password change option is located at the top right of the cPanel interface and looks like this:

Change password option in cPanel

Clicking the user menu button (in blue) opens a pop-up menu that includes the option to make the change, named “Password & Security”.

Clicking on “Password & Security” displays the password change form, like this:

cPanel Password Change Form

Type your old password and the new password in the requested fields. Try to use a strong password; do not write the name of your company followed by the current year, and do not underestimate the intelligence of an attacker (MyCompany2023 is not a good password, it never will be, trust me).

The form will tell you if the password is strong enough; pay attention to the indicated score before continuing, because if it is too “easy” it will probably not let you change it.

Finally, click on the “Change your password now” button and the password will be modified. Remember to take note of the password you set and save it in a safe place (I recommend KeePass or similar software; try not to use online services to store your passwords, we already know what has happened with those services: sooner or later they end up attacked and your passwords are all over the Internet).

Now your mailbox passwords. In your cPanel go to the “Email” section, “Email Accounts” option, where you will find the list of existing mailboxes. With a lot of patience, change the password of each one.

Email section and Email Accounts option in cPanel

When entering the option, a list similar to the following will be displayed:

List of mailboxes in cPanel

Click on the “Manage” button corresponding to the mailbox you want to change the password for and the corresponding form will be displayed.

Mailbox management form in cPanel

In the indicated field, type the new password or generate one with the “Generate” option on the right side. (As always, use strong passwords; if you have trouble remembering them, use a password manager to store them, and do not use the same password for all your accounts.)

To apply the change, click the button at the bottom of the form with the text “Update Email Settings”.

And that’s it, you have changed your mailbox password. Now repeat the procedure for each of the accounts. If there are many… sorry, there is no other way to do it; you are alone and nobody is going to come to help you but yourself. You can do it, believe in yourself (this applies to life and to changing passwords).

Now let’s go to the FTP accounts (if you still use FTP).

In the “Files” section of your cPanel you will find the “FTP Accounts” option. When you click on it you will be shown the account creation form and, at the bottom, the existing accounts. We are interested in the accounts under the heading “FTP Accounts”; the accounts under “Special FTP Accounts” do not require changes.

FTP accounts option in cPanel

Once in the form you will see information like this:

List of accounts and FTP edit form in cPanel

Check the list of accounts under the highlighted title and start the password change by clicking on the “Change Password” option for each account.

FTP password change in cPanel

The form is self-explanatory: type in the new password or use the password generator, then click the “Change Password” button to finish.

We’re not done yet. Look at the picture of another puppy, go get another coffee, stretch and come back. Now let’s move on to activating 2FA (two-factor authentication) in cPanel.


Now that you are rested and with new energy, let’s move on.

To activate 2FA in your cPanel account, first verify that the option is available in your interface. If it is not, contact your hosting provider and request its activation; and if they cannot, we will always be happy at Winkhosting.co to welcome you as a new customer.

Go to the “Security” section and then to the “Two Factor Authentication” option:

cPanel 2FA two-factor authentication

Install an application on your phone to handle two-factor authentication codes; Microsoft and Google offer alternatives, or you can look at third-party options. Once you have the application, scan the QR code shown in the form or add the account manually with the information below the image:

cPanel 2FA configuration form

Once it is added in the application on your phone, type the security code it shows into the “Security code” box in step two of the form and click the “Configure two-factor authentication” button to finish.

And that’s it: you have changed the passwords and enabled 2FA, so if the attacker had this data it is no longer of any use to them. Let’s continue with the files and the report in Google Safe Browsing.

Check your files, restore a backup if possible.

In an ideal world, if you don’t have time to investigate, delete all the files inside /public_html and restore a recent backup (always make a backup of the files before deleting them; they can serve as evidence if required).

Keep in mind that an attacker can also store malicious code in databases. Restore the latest backup of your databases if possible, taking care not to cause further loss of transactional information.

If you delete everything and restore a backup, there is usually a question left in the air: which files were modified or uploaded by the attacker (something of great interest to infrastructure and hosting providers)? If you do not have experience with this kind of task, we recommend that you contact your hosting provider and ask for support in reviewing the affected files.
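To answer that question yourself, here is an added Python example (not from the article or from Winkhosting) that hashes every file in a clean backup and in the live /public_html copy and lists what was added, modified or removed; the two sample trees it builds are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_trees(backup_root, live_root):
    """Classify live files as added, modified or removed relative to the backup."""
    backup, live = hash_tree(backup_root), hash_tree(live_root)
    return {
        "added": sorted(p for p in live if p not in backup),
        "modified": sorted(p for p in live if p in backup and live[p] != backup[p]),
        "removed": sorted(p for p in backup if p not in live),
    }


def write(root, rel, text):
    """Helper: create a file (and its parent directories) under root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_demo():
    """Build two constructed trees: a clean backup and a live copy that was tampered with."""
    base = tempfile.mkdtemp(prefix="cpanel-diff-")
    backup = os.path.join(base, "backup", "public_html")
    live = os.path.join(base, "live", "public_html")
    for root in (backup, live):
        write(root, "index.php", "<?php echo 'hello';")
        write(root, "wp-content/uploads/photo.txt", "a harmless upload")
    # The live copy differs in three ways that the backup lets us detect.
    write(live, "index.php", "<?php echo 'hello'; /* unexpected change */")
    write(live, "wp-content/uploads/unknown-upload.php", "placeholder")
    os.remove(os.path.join(live, "wp-content", "uploads", "photo.txt"))
    return backup, live


if __name__ == "__main__":
    backup_dir, live_dir = build_demo()
    for kind, paths in diff_trees(backup_dir, live_dir).items():
        print(kind, paths)
```

Run it against the real directories by calling diff_trees with the path of your last clean backup and the path of the copy you preserved as evidence; the “added” and “modified” lists are the files to hand to your hosting provider.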

Security recommendation: also try to keep all versions of the software you use for your websites up to date; there are often known vulnerabilities in popular content management systems such as WordPress (core code, themes and plugins). Don’t neglect the maintenance of your websites: many people assume that what is secure today will still be secure in a few months, only to find out otherwise in unpleasant ways.

In our company we have real-time protection against malware and malicious files. We usually receive reports indicating which files are affected and the type of infection detected, as well as the quarantine of those files. If your hosting provider cannot help you or does not offer such a service, you know what to do: count on us.

Once you confirm that your files and databases have been restored from clean copies and any other malicious content has been removed, you can proceed with the report removal request in Google Safe Browsing.

To do this we will give you the general steps; the details can be found directly in the Google documentation:

Register your website in Google Search Console.

For this you must have a Gmail or Google Workspace account to access these tools, then follow the steps Google requests to verify ownership of your website.

Check the security reports in the “Security issues” option of the “Security & manual actions” section. There you will be shown the details of the active report against your site and you can request a review. Google’s review can take up to 72 hours; be patient and wait for the result.

That’s all. Remember that this guide may not cover the specific case you are facing; if so, do not hesitate to contact us for help restoring your website.
