Cpanel compromised please help

8 replies
These same key words:
online reputation management akado
granger whitelaw avia
easylifeapp profile

are showing up in Awstats in search key phrases and keywords

These are not any keywords I have ever used.
Different kinds of sites
bookstore
survival site
kayak
many different types of sites

My question is how could someone else have gotten these keywords into all these sites?????

Any help will be greatly appreciated
Thanks in advance
#compromised #cpanel #spam keywords
  • Profile picture of the author vishwa
    Probably someone has tagged your site with these keywords. Have you checked it in Google?
    Signature
    Bloggershook.com- Blogging, and Digital Marketing
    • Profile picture of the author willow77
      Thanks for your reply.
      What I don't understand is I have a bunch of domains with a lot of different types of sites
      and when checking the awstats in cpanel
      which shows keywords that are ranking in search engines.

      The same 3 keyword phrases are showing up on almost all the
      sites that are in my cpanel.
      I didn't use these keywords for any of the sites, so how could that happen?
      Thanks for your help
  • Profile picture of the author KenW3
    Offhand, I'd say it's more likely your sites were hacked than your cPanel compromised. When you say a lot of different types of sites, is this different niches but each use the same script or same content management system? If so and you have them all on the same host, they'd all have the same IP address. Once one was found to be vulnerable, any others can be quickly found.

    This is something that can happen when security updates and upgrades are not applied to site software and plugins. A friend had sites hacked when he neglected to update WordPress when updates became available. For example, if you are running WordPress version 3.7 and the current version is 3.91, your site becomes a target.
    • Profile picture of the author The Marketing Mom
      Go to Google and type site:yourdomain.com (replace yourdomain.com with your own domain of course).

      This tells Google to list all the pages on your site (that it knows about).

      Then see what pages show up. That might give you a hint to what is going on...
  • Profile picture of the author James Howard
    Are you using WordPress, and if so, are you using free themes?

    If you use free themes sometimes you will find they have links embedded
    in the theme usually at the bottom
    • Profile picture of the author desromic
      Security guy here. It is an exploit in AWstats. We are currently having the same problem, along with many AWstats users. Supposedly, it only affects AWstats below 7.0, but we just saw an exploit on 7.3. Then again, we didn't totally uninstall it from the old version, we just replaced the Perl files, so we are going to try completely removing everything related to AWstats, upgrading Perl, and starting fresh. Also, try adding password authentication to your AWstats page.

      This problem does not affect cPanel or other parts of your system. The keywords are a marketing thing for a company in Finland called Akado. They are probably the perpetrators of this hack.

      Akado Oy - an Internet Marketing Company

      Here's more of my research:

      Awstats Awstats : List of security vulnerabilities
      AWStats Plugin Multiple Remote Command Execution Vulnerabilities
      AWStats - Security news and annoucements

      And a possible example of the code that actually exploits it:

      AWStats (6.0-6.2) configdir Remote Command Execution Exploit (c code)

      GOOD LUCK!!
      • Profile picture of the author desromic
        Additionally, it is likely achieved using the Lupper Worm: The Lupper worm [LWN.net]

        This just means it's likely a bot somewhere on the internet scanning for vulnerable AWstats versions and exploiting them.

        It is not likely an infection on your server or your network, but if your AWstats was only accessible to your internal network, then I would suspect one of your systems is infected.
        • Profile picture of the author willow77
          Thank you so much for everyone's help.
          I sure appreciate it.

          I never even thought about it being an exploit in AWstats. Wow

          Thank you especially desromic for all the detailed help, the links to learn,
          and especially for the fix.

          Actually desromic you could do a great WSO for cpanel security, you have
          lots of knowledge, thank you again for sharing it with all of us.
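
Added example, not part of any post in this thread: AWStats builds its search keyphrase report from the Referer header of logged requests, so the raw access log shows which requests carried the phrases quoted above and which client addresses sent them. The sample log lines, the `search.example` host and the list of query parameter names are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Phrases quoted in the thread's AWStats keyphrase report.
SUSPECT_PHRASES = ("online reputation management akado",
                   "granger whitelaw avia", "easylifeapp profile")
# Assumption: query parameters that commonly carry the search terms.
QUERY_PARAMS = ("q", "query", "p", "text")
# Apache "combined" log format: ip, timestamp, request, status, size, referer, agent.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def referer_phrase(referer):
    """Return the normalized search phrase carried in a Referer URL, or None."""
    try:
        query = parse_qs(urlsplit(referer).query)  # decodes '+' and %20
    except ValueError:  # malformed URL in the header
        return None
    for name in QUERY_PARAMS:
        if name in query:
            return " ".join(query[name][0].lower().split())
    return None

def find_suspect_hits(lines, phrases=SUSPECT_PHRASES):
    """Return (ip, timestamp, phrase) for lines whose Referer carries a suspect phrase."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        phrase = referer_phrase(m.group("referer")) if m else None
        if phrase and any(p in phrase for p in phrases):
            hits.append((m.group("ip"), m.group("ts"), phrase))
    return hits

def hits_by_ip(hits):
    """Count suspect requests per client address."""
    return Counter(ip for ip, _, _ in hits)

# Constructed sample lines (documentation address ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2014:06:14:02 +0000] "GET / HTTP/1.1" 200 5120 "http://search.example/search?q=granger+whitelaw+avia" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2014:06:14:03 +0000] "GET / HTTP/1.1" 200 5120 "http://search.example/search?q=easylifeapp%20profile" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jul/2014:07:01:44 +0000] "GET /kayaks.html HTTP/1.1" 200 8211 "http://search.example/search?q=sea+kayak+reviews" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jul/2014:08:02:31 +0000] "GET /books/ HTTP/1.1" 200 4410 "http://search.example/?query=Online+Reputation+Management+Akado" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(hits_by_ip(find_suspect_hits(SAMPLE_LOG)).most_common())
```

Run it against each domain's raw access log from cPanel; the same few client addresses appearing across unrelated sites points to automated requests rather than real search visitors.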