There is a new way of compromising accounts hosted on cPanel servers. Even if all scripts in your account are updated to the latest version, it may be hacked in the following way:
If an account on the server is compromised because of a weak password or out-of-date scripts, it can be used to create symlinks to configuration files which contain passwords, e.g. your MySQL settings with the MySQL username and password. To prevent this, change the permissions of your configuration files to 600, which allows read and write access for the file owner only. Many people keep their configuration files containing passwords chmod to 644, which allows read access for anyone; the hacker can then read those files, obtain the passwords and compromise the accounts.
You can chmod your configuration files via your FTP client or via the File Manager in cPanel.
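For accounts with shell access, the check and the fix described above can be scripted. This is an added example, not part of the original notice: it lists configuration files under a directory that grant any permission to group or others and tightens them to 600. The CONFIG_NAMES list is an assumption and should be extended with the file names used by the applications you host.

```shell
#!/bin/sh
# Added example: audit a hosting account's files for configuration files
# that grant any permission to group or others, and tighten them to 0600
# (owner read/write only) so another account on the same server cannot
# read them through a symlink. CONFIG_NAMES is an assumption; extend it
# with the configuration file names used by the applications you host.

CONFIG_NAMES='configuration.php wp-config.php config.php settings.php .env'

# Print every matching configuration file under DIR whose mode has any
# group or other bit set. Uses only POSIX find(1) primaries, so it runs
# the same on GNU and BSD systems. Symlinks are not followed, so a link
# planted by another account is never "fixed" in place of the real file.
list_loose_configs() {
    dir=$1
    for name in $CONFIG_NAMES; do
        find "$dir" -type f -name "$name" \
            \( -perm -001 -o -perm -002 -o -perm -004 \
            -o -perm -010 -o -perm -020 -o -perm -040 \) -print
    done
}

# Print the number of loose configuration files under DIR.
count_loose_configs() {
    list_loose_configs "$1" | wc -l | tr -d ' '
}

# chmod 600 every loose configuration file under DIR, reporting each one.
tighten_configs() {
    list_loose_configs "$1" | while IFS= read -r path; do
        chmod 600 "$path" && printf 'tightened to 600: %s\n' "$path"
    done
}

# Usage when run as a script: ./audit_configs.sh /home/user/public_html
if [ $# -gt 0 ]; then
    echo "Configuration files readable by group or others under $1:"
    list_loose_configs "$1"
    tighten_configs "$1"
fi
```

Run it against your account's document root first in audit mode (call list_loose_configs only) to review what it would change before applying tighten_configs.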
There has been a hack targeting Linux hosting platforms gathering speed over the last month, which has already affected a couple of reputed web hosting companies in the industry. While there is no clarity on the exact method of attack, it seems to be targeting various plugins that may be part of the applications running on your websites.
Much like with the Gumblar attacks last year, we suggest that you keep the web applications running on your websites up to date. This includes Joomla installations or any other CMS which needs regular updates.
Here are a few things that you can keep in mind:
Always use strong FTP passwords (changing them every 45 days is a good start)
Scan your local system with a good antivirus and malware remover to make sure the system is infection-free (especially the machine used to upload data)
Avoid 777 permissions on any file or folder
Change your account's passwords and never allow any software to save them
For our part, you can rest assured that we are taking all possible measures to prevent any such hack on our servers.
We advise all customers to review the industry computer system alert below:
US-CERT is aware of a vulnerability affecting Microsoft Windows. This vulnerability is due to the failure of Microsoft Windows to properly obtain icons for .LNK files. Microsoft uses .LNK files, commonly referred to as “shortcuts,” as references to files or applications.
By convincing a user to display a specially crafted .LNK file, an attacker may be able to execute arbitrary code that would give the attacker the privileges of the user. Viewing the location of an .LNK file with Windows Explorer is sufficient to trigger the vulnerability. By default, Microsoft Windows has AutoRun/AutoPlay features enabled. These features can cause Windows to automatically open Windows Explorer when a removable drive is connected, thus opening the location of the .LNK and triggering the vulnerability. Other applications that display file icons can be used as an attack vector for this vulnerability as well. Depending on the operating system and AutoRun/AutoPlay configuration, exploitation can occur without any interaction from the user. This vulnerability can also be exploited remotely through a malicious website, or through a malicious file or WebDAV share.
Microsoft has released Microsoft Security Advisory 2286198 in response to this issue. Users are encouraged to review the advisory and consider implementing the workarounds listed to reduce the threat of known attack vectors. Please note that implementing these workarounds may affect functionality. The workarounds include:
disabling the display of icons for shortcuts
disabling the WebClient service
blocking the download of .LNK and .PIF files from the internet
Update: Microsoft has released a tool, Microsoft Fix it 50486, to assist users in disabling .LNK and .PIF file functionality. Users and administrators are encouraged to review Microsoft Knowledgebase article 2286198 and use the tool or the interactive method provided in the article to disable .LNK and .PIF functionality until a security update is provided by the vendor.
In addition to implementing the workarounds listed in Microsoft Security Advisory 2286198, US-CERT encourages users and administrators to consider implementing the following best practice security measures to help further reduce the risks of this and other vulnerabilities:
Disable AutoRun as described in Microsoft Support article 967715.