Breached cPanel - multiple logged logins even with 2FA enabled

[dorianc]

Hi everyone,

I have a problem that I've never experienced before, having years of experience with cPanel and various application attacks as I work in the web security domain mostly. The attacker is constantly creating phishing pages in the /public_html. I'm going mental for days and can't find the source or a direct point of breach.

2-FA is enabled on all cPanel accounts.
ModSec is on with the standard rules.
Only one account out of 4 is compromised.
The only application on that cPanel account is WordPress.
Domain and web server logs have no records on the IP prior to the cPanel login.

I've been tracking logs like crazy - and they all point that the attacker simply comes to the login page and - logs in, even with 2FA enabled. Then he simply navigates with File Manager to edit the files he needs.

/usr/local/cpanel/logs/session_log:[2022-07-22 22:17:08 +0000] info [cpaneld] 181.214.165.82 NEW USERNAME:kFas7oPpoXNXaoBw address=181.214.165.82,app=cpaneld,creator=USERNAME,method=handle_form_login,path=form,possessed=0

Any tips, help, suggestions would be more than welcome.

 

[cPRex]

Hey there! This issue might be better handled through a ticket so we can actually see the server and ensure no compromise on the server side is helping this happen. If you are able to make a ticket, please post the number here so I can follow along.

 

[dorianc]

I went with Host Access Control by allowing only the owner's static IP to the cPanel access. This should lock it down completely. Common sense applies that WP plugin or theme is vulnerable to some kind of an attack - but the logs are stating a completely opposite situation as the cPanel login page is accessed first by the attacker - there's absolutely no trace of any kind of exploit or vulnerability attack in the web server logs. Restricting cPanel access to one IP should patch it up temporarily.