

help me to remove suspendedpage.cgi




Posted by kandyjet, 06-07-2012, 02:19 AM
Hi folks, many of our client websites were hacked and redirect to /cgi-sys/suspendedpage.cgi.
* I tried to remove the 301 redirects through their cPanel 'Redirects' applet, but I can't remove them even though cPanel says the redirect was removed.
* I checked suspended accounts in WHM and there are no suspended accounts.
* We have a shared reseller account.
Please help me to remove these suspended pages.

Posted by Matt R, 06-07-2012, 02:20 AM
That's not because they were hacked. It sounds like you're a reseller, or have just a single cPanel account. I would suggest getting in touch with your web host directly.

Posted by kandyjet, 06-07-2012, 02:25 AM
Indeed, we have contacted them, but no quick response from (just hxxt)them. So I just tried to remove a few urgent clients' site redirects manually. Thanks for the answer, Matt.

Posted by kandyjet, 06-07-2012, 02:26 AM
BTW, those redirects land on: HACKED BY VENKI NYRO HACKER AND ICP Hey Admin Where iz Your Security PATCH UR ASS NOTHING DELETED We are: |INDIAN CYBER PIRATES| WE V'L B B4CK SOON ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Dear Admin Don't Hate Us...Hate Your Weakness.....!!!!! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Web Site Has Been HaCkeD 4 ICP or Add Me email: HELL_BOY990@yahoo.com

Posted by SPINIKR-RO, 06-07-2012, 02:31 AM
Probably the old WHMCS exploit from last year if it's a reseller account.

Posted by kandyjet, 06-07-2012, 02:38 AM
Of course, I see a few fake accounts have been created in WHMCS. But I have no licence key or anything to do an upgrade. We are shared resellers.

Posted by SPINIKR-RO, 06-07-2012, 02:41 AM
If you have a reseller account and WHMCS provided then you have a WHMCS account and can download any software release with your license. Of course you don't even need to sign in to download security patches.

Posted by kandyjet, 06-07-2012, 02:49 AM
Oh really, I didn't know that we can download updates without a licence key. Great to know about this. Thanks a bunch, Ro.

Posted by SPINIKR-RO, 06-07-2012, 03:03 AM
No prob. You have a license key: admin/systemlicense.php. Your WHMCS account is likely the same as your reseller account information but you may need to ask the provider. If it is the old security issue then I suggest upgrading or at least patching: http://blog.whmcs.com/?t=43462

Posted by kandyjet, 06-07-2012, 03:07 AM
It's too late now, but glad to learn something about security. Now it's all in our reseller provider's hands. When I execute the billing path all I see is -------

Posted by Zapokovalko, 06-07-2012, 04:34 AM
Keep us updated please.

Posted by racknap1, 06-09-2012, 02:12 PM
Please check with your hosting provider whether they have suspended it manually; only they can unsuspend it. Second, please check your account's File Manager public_html and find out if any CGI script lies in there.

Posted by harrison914, 06-09-2012, 03:29 PM
Yeah, check with your provider and always make sure your WHMCS installation is up to date. You may even want to change the admin directory so that it is a little harder to get to if someone tries to hack it.

Posted by KMyers, 06-09-2012, 04:23 PM
Hello, you should also look in the .htaccess to see if there is a redirect there as well.

Posted by RackRhino, 06-09-2012, 06:14 PM
Yes, check your .htaccess; also look at your domain redirects in cPanel. PS: installing all the software you have, are you sure you CHMOD everything correctly to do your installs? And back after the installs?

Posted by kandyjet, 06-10-2012, 12:56 AM
Hi folks, I contacted the hosting provider to remove the redirect and now I see in the client's cPanel that the permanent redirect has been removed. But it still goes to defaultwebpage.cgi.
* There is no .htaccess file.
* There are no CGI scripts in the public_html or in the cgi_bin folder.
* But now I can manually request www.clientwebsite.com/index.html and it works.

Posted by KMyers, 06-10-2012, 01:01 AM
See if there is an index.php file in the directory.

Posted by kandyjet, 06-10-2012, 01:09 AM
Awesome!! No index.php found, so I uploaded an index.php file and now it works like a charm. What a relief! Now I can ask my client to simply upload his index.php file. Thanks to the hackers, they have not deleted any other files. THANK YOU GUYS FOR THE GREAT HELP!

Posted by KMyers, 06-10-2012, 01:11 AM
See if there is a redirect script in the 404 error page.

Posted by SPINIKR-RO, 06-10-2012, 01:14 AM
Is there a Suspended.page in the directory?

Posted by kandyjet, 06-10-2012, 01:25 AM
No folks, I checked now and there is no Suspended.page or any redirect in the 404 error page.

Posted by racknap1, 06-13-2012, 01:10 PM
Hi, this page is stored under /usr/local/cpanel/. Check this page and remove the code, or overwrite it.

Posted by racknap1, 06-14-2012, 01:27 PM
Hi, if you are running a VPS, then you must check under /usr/local/cpanel/ whether any suspended-cgi script lies there.

Posted by KMyers, 06-14-2012, 01:32 PM
I am not sure why you keep posting this, the OP clearly stated "we have a shared reseller account."

Posted by DWS2006, 06-14-2012, 04:47 PM
If your WHMCS install hasn't been patched, be sure to lock the installation (via file permissions or password protection) until the upgrade/patch has been completed. After the recent WHMCS breach there are more idiots than ever looking for outdated/insecure installs.
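
The manual checks suggested across the thread (redirects in .htaccess or a custom error page, CGI or suspended-page files in the document root, a missing index file) can be run in one pass over an account's document root. This is an added example, not code from any poster; the function names, the list of index file names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Triage a document root (e.g. ~/public_html) for the items checked in the thread.

# Redirect, rewrite and custom error-page directives in any .htaccess file.
find_htaccess_redirects() {
    find "$1" -type f -name .htaccess -exec grep -HnEi \
        '^[[:space:]]*(Redirect(Match|Permanent|Temp)?|RewriteRule|ErrorDocument)[[:space:]]' \
        {} + 2>/dev/null || true
}

# First index file present; fails if none of these names exists.
# The name list is an assumption: the server's DirectoryIndex setting decides.
find_index() {
    for f in index.php index.html index.htm; do
        [ -f "$1/$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# CGI scripts and files named like a suspended page anywhere under the root.
find_cgi() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' -o -iname 'suspended*' \) | sort
}

triage() {
    r=$(find_htaccess_redirects "$1"); c=$(find_cgi "$1")
    echo "== redirect directives ==";    echo "${r:-none}"
    echo "== index file ==";             find_index "$1" || echo "none found"
    echo "== CGI / suspended* files =="; echo "${c:-none}"
}

# Constructed sample tree: a leftover 301 redirect, one CGI script, no index.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/cgi-bin"
    printf 'Redirect 301 / /cgi-sys/suspendedpage.cgi\n' > "$d/.htaccess"
    printf '<html>ok</html>\n' > "$d/about.html"
    printf '#!/bin/sh\n' > "$d/cgi-bin/x.cgi"
    echo "$d"
}

# Usage: sh triage.sh /home/USER/public_html
if [ $# -gt 0 ]; then triage "$1"; fi
```

Redirects set by the hosting provider at the server level do not appear in the account's files, so a clean result here still leaves the provider's configuration to be checked.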


