Let's call this reseller account xyz. Their account was suspended for overdue payment and remained suspended until they cleared the dues. The issue was that the Suspended page was hacked and defaced, rather than the normal one.
This is how a normal Suspended page looks:
The hacked Suspended page looked like this:
Analysis
The web templates for the Default Website Page, Account Move, Connection Selection and Account Suspended pages are stored in the directory /var/cpanel/webtemplates/root (for root). On reseller servers there is a sub-directory named after the main reseller account where that reseller's templates are stored, for example /var/cpanel/webtemplates/xyz, where xyz is the reseller account.
Possibilities
- A redirect rule in the .htaccess file of the accounts under the reseller could have caused this
- WHM/cPanel compromised at root level (less likely, but on a shared server it can happen)
- WHM/cPanel compromised at user level (remember, every reseller account has individual WHM access)
How it was done
There was no redirect rule in the .htaccess files. The second possibility was ruled out because:
- It was confirmed that the root templates were not touched
- Only the users under this specific reseller were affected
I went on and accessed WHM with the reseller's login credentials. The Web Template Editor looked like this:
A normal Suspended page template would look like this:
If you are proficient in HTML, you can clearly read the code and see what difference the change makes.
Now I know what caused this. This specific reseller's WHM login credentials were compromised, and someone using that login changed the Suspended page template. Case closed.
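As an added example (not from the original post), here is a POSIX shell check that automates the comparison used above: it walks a /var/cpanel/webtemplates-style tree and lists every reseller template that differs from the root copy, which is exactly how the root-level compromise was ruled out and the reseller-level one confirmed. The template file names (suspended.tmpl, moving.tmpl) are assumptions, and the sample tree is constructed in a temporary directory rather than read from a live server.

```shell
#!/bin/sh
# Added example: compare each reseller's web templates against the root copies.
# The layout mirrors the post's description of /var/cpanel/webtemplates; the
# template file names and the whole sample tree below are constructed.
set -u

# Print "<reseller> <template>" for every reseller template that differs from
# the root copy, or that has no root counterpart at all.
find_modified_templates() {
    base="$1"
    for dir in "$base"/*/; do
        reseller=$(basename "$dir")
        [ "$reseller" = "root" ] && continue          # root copies are the baseline
        for tmpl in "$dir"*; do
            [ -f "$tmpl" ] || continue
            name=$(basename "$tmpl")
            if [ ! -f "$base/root/$name" ]; then
                echo "$reseller $name (no root counterpart)"
            elif ! cmp -s "$base/root/$name" "$tmpl"; then
                echo "$reseller $name"
            fi
        done
    done
}

# Constructed sample tree: root baseline, an untouched reseller (abc) and a
# reseller (xyz) whose suspended page template was altered.
demo_tree=$(mktemp -d)
trap 'rm -rf "$demo_tree"' EXIT
mkdir -p "$demo_tree/root" "$demo_tree/xyz" "$demo_tree/abc"
printf '<html><body>Account Suspended</body></html>\n' > "$demo_tree/root/suspended.tmpl"
printf '<html><body>Site Moved</body></html>\n'        > "$demo_tree/root/moving.tmpl"
cp "$demo_tree/root/"*.tmpl "$demo_tree/abc/"
cp "$demo_tree/root/moving.tmpl" "$demo_tree/xyz/"
printf '<html><body><!-- constructed: altered content --></body></html>\n' \
    > "$demo_tree/xyz/suspended.tmpl"

# Only the altered reseller template is reported: "xyz suspended.tmpl"
find_modified_templates "$demo_tree"
```

A difference can also be legitimate reseller customisation, so treat the output as a triage list of templates to inspect alongside the WHM access history, not as proof of compromise on its own.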