Published on: October 3, 2014 by Vipin R.N
Scenario:
Let's call this reseller account xyz. Their account was suspended for an overdue payment and would remain suspended until they cleared the dues. The issue was that the Suspended page being shown was a hacked, defaced one rather than the normal one.
This is what a normal Suspended page looks like:
The hacked Suspended page looked like this:
Analysis
Web templates for Default Website Page, Account Move, Connection Selection and Account Suspended are placed in the directory /var/cpanel/webtemplates/root (for root). On reseller servers, there is a sub-directory named after the main reseller account where that reseller's templates are stored, for example /var/cpanel/webtemplates/xyz, where xyz is the reseller account.
Possibilities
How was it done
There was no redirect rule in the .htaccess file. The second possibility was ruled out since :
I went on and accessed WHM with the reseller login credentials. The Web Template Editor looked like this:
A Normal Suspended page Template would look like this :
If you are proficient in HTML, you can clearly understand the code and know what difference it would make.
Now I know what would have caused this. This specific reseller’s WHM login credentials were compromised, and someone using that login changed the Suspended Page template. Case closed.
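A follow-up check a server administrator could run after a case like this, added here as an example and not part of the original post: it walks every reseller directory under /var/cpanel/webtemplates and flags templates that contain active content, differ from root's copy, or were modified recently. It assumes only the directory layout described in the Analysis section; the function name, the marker list and the 30-day window are hypothetical choices, and the flags are heuristics for review, not proof of tampering.

```shell
#!/bin/sh
# Added example: audit reseller web templates for unexpected changes.
# Assumption: templates live under <base>/<owner>/..., with root's copies in
# <base>/root. File names below that level are not assumed, so we recurse.

audit_webtemplates() (
    base="${1:-/var/cpanel/webtemplates}"
    days="${2:-30}"     # "recent" window in days (hypothetical default)
    # Heuristic markers: active content or a redirect inside a static notice page.
    pattern="<(script|iframe|embed|object)|http-equiv=[\"']?refresh"

    [ -d "$base" ] || { echo "no such directory: $base" >&2; exit 2; }

    for dir in "$base"/*; do
        [ -d "$dir" ] || continue
        owner=$(basename "$dir")
        if [ "$owner" = "root" ]; then continue; fi

        find "$dir" -type f | sort | while IFS= read -r f; do
            rel="${f#"$dir"/}"      # path relative to the reseller directory
            flags=""
            if grep -Eqi "$pattern" "$f"; then
                flags="${flags}ACTIVE_CONTENT,"
            fi
            # Compare with root's copy of the same template, when root has one.
            if [ -f "$base/root/$rel" ] && ! cmp -s "$f" "$base/root/$rel"; then
                flags="${flags}DIFFERS_FROM_ROOT,"
            fi
            # Modified within the last $days days.
            if [ -n "$(find "$f" -mtime "-$days")" ]; then
                flags="${flags}RECENT,"
            fi
            flags="${flags%,}"
            printf '%s\t%s\t%s\n' "$owner" "$rel" "${flags:-OK}"
        done
    done
)

# Usage (as root on the server): audit_webtemplates /var/cpanel/webtemplates 30
```

A reseller may have customized a template legitimately, so a flagged file is a prompt to compare it against what the reseller expects and to review WHM access logs for that account.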
Category : cPanel, Linux, Troubleshooting