Hi, CyberPanel Community support. I was in big trouble for a few hours because one of my client's sites was hacked today. I don't know how it happened, but it was a big issue for me and for my client. I don't want to disclose the site link here, but I am sharing a screenshot of the hacked page.
When this site was hacked, whenever I opened the site link it always showed the hacked page. I deleted the website from CyberPanel and purged the cache from CyberPanel. But it still showed me the hacked page.
After that, I created the site again in CyberPanel and re-uploaded the site and database, and then my client's site started working normally.
Now I have switched on the Under Attack Mode feature of Cloudflare. I'm afraid of this attack. Could you please help me check the site, or give me information on how to secure it?
Hello @stay, happy you are here.
Sorry for the unfortunate news.
If you do not need any data on your server, you can restore a snapshot from an earlier date or reinstall the OS. I recommend Ubuntu 20.04 LTS or AlmaLinux 8.4.
If it is just one site that is affected and you have confirmed this through your security scanners, then delete every file under /home/mydomain.com/public_html.
If the customer self-managed this website, kindly ask them to pay for a cleanup.
How to protect your CyberPanel server:
- Configure your firewall (1 - Firewall - Docs - CyberPanel Community)
- Secure SSH by disabling root access (2 - Secure SSH - Docs - CyberPanel Community)
- Set up backups for your client's data (1 - Add/Remove Destinations for Incremental Backups - Docs - CyberPanel Community)
- Install Imunify360 (How to install and use Imunify360 on CyberPanel - Docs - CyberPanel Community)
- Use an IPS like IPsum or CrowdSec to block blacklisted IPs (CyberPanel Automated Blacklist IP using IPsum with CSF every 24 Hours - Docs - CyberPanel Community)
- Set up a custom ACL for your users, disallowing specific services per account (1 - Managing Users - Docs - CyberPanel Community)
In addition to the previous post: use a backup from a time before the hack, change the CyberPanel, WP admin, FTP, etc. passwords, and check that there are no hacker-added admin users. Also change the site database password and prefix.
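
One way to check a restored site against the known-good backup time mentioned in the replies above; this is an added example, not part of the original thread. The function names, the cutoff timestamp and the sample tree are constructed for illustration; on a real server the document root would be /home/mydomain.com/public_html.

```shell
#!/bin/sh
# changed_since DOCROOT STAMP
# Lists files under DOCROOT modified after STAMP, a `touch -t` timestamp
# (YYYYMMDDhhmm) for the last backup known to predate the compromise.
changed_since() (
    docroot=$1; stamp=$2
    [ -d "$docroot" ] || { echo "no such directory: $docroot" >&2; exit 2; }
    ref=$(mktemp) || exit 1
    touch -t "$stamp" "$ref" || { rm -f "$ref"; exit 1; }
    (cd "$docroot" && find . -type f -newer "$ref" -print | LC_ALL=C sort)
    rm -f "$ref"
)

# php_in_uploads DOCROOT
# Lists PHP-type files under wp-content/uploads, a directory that normally
# holds only media, so any hit there deserves a manual look.
php_in_uploads() (
    cd "$1/wp-content/uploads" 2>/dev/null || exit 0
    find . -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) \
        -print | LC_ALL=C sort
)

# build_sample DIR
# Constructed sample tree: three files dated before the cutoff, then one
# overwritten file and one new file dated after it.
build_sample() (
    d=$1
    mkdir -p "$d/wp-content/uploads/2024/01" "$d/wp-includes"
    for f in index.php wp-includes/version.php \
             wp-content/uploads/2024/01/logo.png; do
        echo sample > "$d/$f"; touch -t 202401100000 "$d/$f"
    done
    for f in index.php wp-content/uploads/2024/01/cache.php; do
        echo sample > "$d/$f"; touch -t 202401200000 "$d/$f"
    done
)

demo=$(mktemp -d)
build_sample "$demo"
echo "Changed since backup:"; changed_since "$demo" 202401150300
echo "PHP under uploads:";    php_in_uploads "$demo"
rm -rf "$demo"
```

Modification times can be reset by whoever changed the files, so an empty result does not prove the tree is clean; treat it as one check alongside the scanner and password steps above.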