I got an email today about a list of pages being hacked on a friend’s server. The hacked pages were all served from the /cgi-sys/movingpage.cgi
location and contained the title “Indonesian Hacker”, displayed the hacker’s name (hmei7) along with a random picture (in this case, Mr. Bean).
Unfortunately, I have no idea how it happened, but according to the file modification date, this happened about 3 months ago. Any logs from then have since been rotated. It would seem as though they managed to edit the default template for the moving page. These can be edited via WHM and are stored in the /var/cpanel/webtemplates/ directory. In order to remove the hacked page, you’ll need to remove the altered templates from there.
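Since the templates under /var/cpanel/webtemplates/ are what got altered, the practical clean-up is to find every template carrying the defacement, note its modification time (the only dating evidence left once logs rotate), and quarantine it rather than delete it so the file survives for later analysis. The script below is an added example and not part of the original post or of cPanel; it uses the two marker strings the post reports ("Indonesian Hacker", "hmei7"), assumes a Linux host (GNU `stat`), and builds a constructed sample tree whose layout (`<user>/english/moving.tmpl`) is an assumption about cPanel's directory structure, not something taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Scan a cPanel webtemplates tree for
# templates containing the defacement markers, report their mtimes, and quarantine
# the hits (move, not delete) so the evidence is preserved.

# Marker strings as reported in the post; extend for other defacements.
MARKERS='Indonesian Hacker|hmei7'

# List every file under $1 that contains a marker, one "mtime<TAB>path" line each,
# oldest first, so the earliest modification stands out.
find_defaced() {
    root="$1"
    grep -rlE "$MARKERS" "$root" 2>/dev/null | while IFS= read -r f; do
        # stat -c is GNU coreutils (cPanel hosts run Linux); BSD stat needs -f.
        printf '%s\t%s\n' "$(stat -c %y "$f")" "$f"
    done | sort
}

# Move each hit into $2, keeping its path relative to $1. mv preserves the mtime,
# so the dating evidence survives the clean-up.
quarantine_defaced() {
    root="$1"; dest="$2"
    find_defaced "$root" | while IFS="$(printf '\t')" read -r mtime f; do
        rel="${f#"$root"/}"
        mkdir -p "$dest/$(dirname "$rel")"
        mv "$f" "$dest/$rel"
        printf 'quarantined %s (mtime %s)\n' "$rel" "$mtime"
    done
}

# Constructed sample tree (not real cPanel data) so the script can be tried offline:
# one clean moving-page template and one carrying the defacement title. The
# <user>/english/moving.tmpl layout is an assumption; check it against your host.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/root/english" "$root/victim/english"
    printf '<html><title>Site moved</title></html>\n' > "$root/root/english/moving.tmpl"
    printf '<html><title>Indonesian Hacker</title>hmei7</html>\n' > "$root/victim/english/moving.tmpl"
    # Backdate the defaced copy so the mtime report is meaningful (POSIX touch -t).
    touch -t 201201010000 "$root/victim/english/moving.tmpl"
}

# Run with --demo to exercise the functions against the sample tree.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp/webtemplates"
    find_defaced "$tmp/webtemplates"
    quarantine_defaced "$tmp/webtemplates" "$tmp/quarantine"
    rm -rf "$tmp"
fi
```

On a real host, source the script and call `find_defaced /var/cpanel/webtemplates` first to see what would be touched, then `quarantine_defaced /var/cpanel/webtemplates /root/defaced-templates` once you are happy with the list. Keep the quarantined copies: their mtimes and contents are the only artefacts left from the intrusion once the logs have rotated.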
I’d be interested if you happen to know how this was exploited exactly.