I have some subdomains running in all in wordpress. They worked fine but when I tried to install or delete or update any plugin, wordpress was showing me a message that i need to connect ftp and all info, which we didn't. Later I tried to login my cpanel whm, I got redirected back to a error page
Internal Server Error
500
Error ID 25356b0625763
cpsrvd Server at mydomain.test
What could possibly go wrong and how can I recover it?
And yes, I see hacker placed a text that they hacked it. In main site, there was nothing hosted, all were in subdomain..
I've written some articles that specifically answer the question that you've asked about how to recover:
https://support.cpanel.net/hc/en-us/articles/360055310013-What-can-be-done-if-a-cPanel-account-is-compromised-
https://support.cpanel.net/hc/en-us/articles/360061360914-Is-it-possible-to-clean-malware-from-a-hacked-website-
As for what went wrong, that can be and is most often a very complex topic that requires a high level of expertise to properly and accurately diagnose.
That type of investigation would be risky and unreasonable to do via Stackoverflow due to the amount of identifiable server information that you'd need to provide.
I'd also like to mention that an account compromise occurs due to vulnerabilities in the websites and scripts hosted within the account and that those compromises will be contained within that individual cPanel account unless the attack were to make use of the symlink race vulnerability, which should be solved at the kernel level to be done properly:
https://docs.cpanel.net/ea4/apache/symlink-race-condition-protection/
cPanel's Security Advisor will let you know about the status of the symlink race vulnerability on your specific server:
WHM >> Home >> Security Center >> Security Advisor
There are no known vulnerabilities in cPanel or WHM that would allow for an account-level compromise to escape an account or allow a root compromise to occur.
If you suspect that you've discovered a zero-day vulnerability in cPanel or WHM, you should submit a ticket to cPanel support, as the issue would be taken very seriously.
However, the process of investigating and diagnosing the cause of an account-level compromise that came about due to a vulnerability in a website or script is something that a security specialist would be best equipped to take care of for you. Typically you'd want to seek out a Web Application Security Specialist.
As for the 500 error that you're seeing provided by cpsrvd (cPanel's webserver that handles requests for the cPanel, Webmail, and WHM interfaces) that is not likely related to the compromise. You can typically find more information about the cpsrvd 500 error by reviewing the cPanel error log at:
/usr/local/cpanel/logs/error_log
cPanel support would always be happy to assist with any 500 errors that you're experiencing on cpsrvd.
Related
Anyone familiar with firebase, or just wordpress tech in general, willing to help me with an error I created?
Experimented with adding firebase to one of my sites, mainly trying to get a good 301 redirect going. Didn't pan out, tried deleting everything but for a while now I get this error when trying to load my domain.
I tried reinstalling a new ssl cert in my host, but that didnt do anything. Dunno where else to look to delete or edit files.
Your connection is not private
This server could not prove that it is kylebeckerconstruction.com; its security certificate is from firebaseapp.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
You should look at the DNS records for your domain, as it appears they are likely still pointing to Firebase. You can use the dig tool (Linux/macOS) for this:
dig +short mydomain.com
If the resulting records look like:
151.101.65.195
151.101.1.195
then you are still pointed at Firebase Hosting and should change your DNS records with your domain provider.
I am trying to learn how to implement a DNS server, and am looking first at Heroku.
Why do they have # point to hidden-sierra-7936.herokudns.com.? Why not just foo.herokudns.com., or better yet, herokudns.com. (no subdomain), or even better, heroku.com. (main website). What are the reasons for this? Is it security, performance, architecture-needs, something else, all of the above? More specifically, what are the details of these reasons, does it depend on the number of requests coming through and that's why the <dynamic-name>.herokudns..., so there are a lot of them? Or perhaps if there is an error in one they can quickly switch it?
Finally, can these reasons be avoided/countered/argued-against so you could make the domain a little nicer and just do heroku.com.? Why can't you just do it on heroku.com.? (If you were building Heroku that is, obviously Heroku doesn't support this).
I am also looking at this. It looks like Heroku used to do it like proxy.heroku.com, but for some reason they switched it. Why?
As far as using subdomains on .heroku.com, this is at least partly a security mitigation.
Consider the arguments made in this blog post from GitHub, published when they moved Pages sites from .github.com to .github.io:
There are two broad categories of potential security vulnerabilities that led to
this change.
Session fixation and CSRF vulnerabilities resulting from a browser security issue sometimes referred to as “Related Domain Cookies”. Because Pages sites may include custom JavaScript and were hosted on github.com subdomains, it was possible to write (but not read) github.com domain cookies in way that could allow an attacker to deny access to github.com and/or fixate a user’s CSRF token.
Phishing attacks relying on the presence of the “github.com” domain to create a false sense of trust in malicious websites. For instance, an attacker could set up a Pages site at “account-security.github.com” and ask that users input password, billing, or other sensitive information.
So my wordpress site domain is from Godaddy, and hosted in a hong kong server, as our target users are mainly from hong kong. When i wish to improve SEO and started submitting backlink to directory sites, i always get the error message of "The URL could not be validated. Either the page does not exist or the server cound not be contacted."
I have read from another platform that someone commented: You're getting the error because you're using an SSL that belongs to someone else. When these directories attempt to verify your site using the "https", they get a warning that says your site is potentially harmful and the third party SSL is the reason given. My suggestion would be to buy an SSL directly from your web host or from a reputable SSL company."
But unfortunately, i can't ensure if this is the right direction and how can i do that.
Could someone teach me please? By the way my website link is , hopefully you can find some clues with the link. Thanks in advance.
https://www.bananaportal.com/
Have you tries https://easyengine.io/docs/lets-encrypt/
Most trusted and almost free SSL certificate for everyone to install fully Secure and trustable certificate that widely accepted in the world.
The certificate itself is fine. You can see the results of two different tests here:
https://www.sslshopper.com/ssl-checker.html#hostname=https://www.bananaportal.com/
https://www.ssllabs.com/ssltest/analyze.html?d=www.bananaportal.com
Many directory sites are unable to process https, and that might be the source of your problem. In any case, directory sites aren't going to improve your SEO anymore.
The issue relates to esoteric web browsers, you can read more on it here: https://community.letsencrypt.org/t/some-browser-say-certificate-is-not-trusted/28766
It is also important to mention, that your current certificate is doing perfect on encryption, but the authentication is the simplest and cheapest (free) possible. You've never showed any legal document that prove your claimed identity, in order to receive the certificate.
You can be more impressive with a Verisign payed certificate.
I have a running website (based on ASP.NET MVC) on some domain, let's say mydomain.com
Yesterday I was looking into site access logs and I noticed very weird logs: inside it, I saw different domain!
Something like anotherdomain.com/somePage
And I saw exception text in my log saying that 404 - anotherdomain.com/somePage can't be found. It looks like somehow my code running on some other domain (Request.URL show different domain).
How it is possible? Does that means that someone somehow got access to my host (I running on Azure) and steal my binaries and deployed on another host? Or maybe my website opened from iframe?
I need to understand in order to determine whether I have a breach.
If I had to guess, I would bet that someone accidentally set their domain's DNS records to point at your server. You can check where the A record for the domain is pointed with nslookup or whoisfrom the command line. If they are in fact mis-configured, you should contact the site administrator to let them know. This kind of mis-configuration, while uncommon, can happen more frequently with cloud services due to the inherently transient nature of the servers and routes used.
It's actually possible to make a GET request to access other domains, via your domain, to check if there's a badly configured proxy. Since you're not, it simply returns a 404 Not Found because you are not actually hosting those pages.
Scans like these happen all the time and is an unfortunate side effect of being connected to the internet, but does not mean that you are under attack or that someone has access to your host.
We've recently released the latest version of our intranet application, which now uses windows authentication as standard, and needs to be able to connect to a configured SQL server with the end-user's domain credentials.
Lately we've found that on a couple of customer deployments, although IIS can see the user's domain credentials, it will not pass these on to SQL server. Instead, it seems to use the anonymous account. This is in spite of following all the correct steps (changing the directory security to Win Auth, updating Web.Config to use Win Auth and denying anonymous users).
I've been doing a lot of reading that suggests we need to make sure that Kerberos is in place, but I'm not sure (a) how valid this is (i.e. is it really a requirement?) or (b) how to go about investigating if it's set up or how to go about setting it up.
We're in a situation where we need to be able to either configure IIS or the application to work for the customer, or explain to the customer exactly what they need to do to get it working.
We've managed to reproduce this on our internal network with a test SQL server and a developer's IIS box, so we're going to mess around with this set up and see if we can come up with a solution, but if anyone has any bright ideas, I'd be most happy to hear them!
I'd especially like to hear people's thoughts or advice in terms of Kerberos. Is this a requirement, and if it is, how do I outline to customers how it should be configured?
Oh, and I've also seen a couple of people mention the 'classic one-hop rule' for domains and passing windows credentials around, but I don't know how much weight this actually holds?
Thanks!
Matt
This is called the Double-Hop Problem and prohibits the forwarding of user's credentials to third parties. This occurs when they browse from one machine, against a site on another (first hop), and forwarding the credentials to a third machine (second hop).
The problem will not appear if you host IIS and SQL Server on the same machine.
There's alot more technical details published on this at How to use the System.DirectoryServices namespace in ASP.NET, which explains the double-hop issue, and primary and secondary tokens.
To run your application under the user's Active Directory or Windows credentials, ensure these:
the IIS application is set to NOT allow anonymous access
the IIS application uses Integrated Windows authentication
your connection string should have Integrated Security=SSPI to ensure the user's Windows/AD credentials are passed to SQL Server.
i.e. Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;
You state you're not sure "how to go about investigating if it's set up or how to go about setting it up".
For this I'd heartily recommend a tool called DelegConfig. It's a very handy app that you can tell you if kerberos is setup properly.
Unzip it into a directory, configure a virtual directory in IIS to point to it. Browse to the main page and you tell it which backend server you want to allow access to (e.g. UNC, SQL, HTTP etc..) and it tell you its setup correctly or not and explain why.
It even has the abilty to recongiure the kerberos to fix the issue if you so desire (although I've not used this - I'd rather reconfiguire it myself to understand what I've done in future)
I realise this comes too late for your particular problem but thought it worth sharing for others that follow - especially the tools ability to explain why delegation is or is not working. I've found it invaluble.