  1. #166
    Member | Join Date: Feb 2003 | Posts: 205

    Ok,

    I'm wondering if anyone can perform the following when hacked and they have retrieved the hacker's IP.

    grep IP /usr/local/apache/domlogs/*

    grep IP /usr/local/cpanel/logs/*

    And see what it comes back with

  2. #167
    Member | Join Date: Jul 2006 | Posts: 41

    Quote Originally Posted by rpmws:
    There has been absolutely no (correct me if I am wrong) evidence that suggests anything was uploaded, injected or whatever through http or otherwise using similar IP points ..not anything that jumps out.
    My server was compromised, as pointed out earlier in the thread, by the attacker uploading defaced index.html files using the cPanel file manager and then hopping to the next account using the xfercpanel script. They did not touch FTP at any time to my knowledge and they certainly did not do the uploads using Pure or Pro FTP... Only the cPanel file manager.

    Steve.

  3. #168
    rpmws (Member) | Join Date: Aug 2001 | Location: back woods of NC, USA | Posts: 1,858

    Quote Originally Posted by jerrek71:
    My server was compromised, as pointed out earlier in the thread, by the attacker uploading defaced index.html files using the cPanel file manager and then hopping to the next account using the xfercpanel script. They did not touch FTP at any time to my knowledge and they certainly did not do the uploads using Pure or Pro FTP... Only the cPanel file manager.

    Steve.
    I think yours sounds like the old old RVSkin issue. Do you use RVSkin, or did you?

    The majority of these in this thread are FTP login / logouts.

    If it's true that some Ple*k boxes have seen an FTP only hack then I would say it would almost have to be either a terrible pro/pure ftpd issue OR a billing system hack. I don't use MB so I am not very familiar with it. I know it's a damn fine product from what people say. Keep in mind if there were such a "list" it could contain accounts that had been transferred between boxes, hosts ..all over, depending how old that data is. Maybe there are a couple of hackers somewhere that have been collecting all the login data over a few months and then compiling it ..some passwords they have work and some don't. It's not brute force. My problem is ..if they were to have root and crack the passwords in some way ..then why would many of those accounts they try fail to auth? Unless they rooted the box long ago and some of the accounts have changed passwords since then. I just think if they had root-ish access they could run a simple perl or shell command and insert that code in all the index pages on the entire server and get maximum impact. Why screw with FTP? I bet changing the FTP/account passwords fixes this. And if that's true then it's most likely NOT an ftp server exploit and most likely old plain text data that then becomes stale once the login pass changes.

    Seems I remember looking through my logs right after Christmas and I remember seeing modsec picked up some scans against a modernbill install I had installed years and years ago. It was just a testing install for me. It's been long gone now so the hits would have been 404's if the filters had not caught it in modsec. I didn't pay much attention because I don't use it now. But I want to say I then grepped the IP against my domlogs and I remember seeing that same IP hit all the domains that had the word "bill" in the domain or the URL ... including subdomains, like billing.your-host.com. It was clearly an attempt to exploit or at least find some sort of billing package. It may have nothing to do with MB ..but it was clearly a scan for billing software.
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  4. #169
    rpmws (Member) | Join Date: Aug 2001 | Location: back woods of NC, USA | Posts: 1,858

    Quote Originally Posted by casey:
    I had MB at the time, but the affected account was not created in MB, nor was the password for it stored in MB.
    is it possible that the same domain(s) was or were at some point in another hosts' billing system? When I get transfers from other hosts I find that they often like to use an old familiar password and username for that matter. I always generate something like j8jdge4 for them.

    I have been hosting since 1997 and a cpanel customer since 2000. I remember way way back in the day, ..I used to host with Alabanza. They used to keep EVERYTHING in plain text on EVERY server in their master db servers for ALL their boxes. The same DSM system controlled all the boxes and stored all the data. Let's suppose that the master database, with I bet a million domains in it, were to get into the wrong hands. That company has lost more customers in the last 6 years than I can imagine. What if those old domains' passwords were still in use? Have you ever done this ..have a customer move to another host and then you find out by accident that they are using the same login at the new host? I just really think it's something like this. OR it's a script that is hitting domain/user/password and using the same password once to find some that work. Let's just think about this. If we were to compile a list of a few million domains and we assumed the first 8 characters were the username ..and then we used the word "password" for every FTP hit ..how many of those do you think we would get into? I bet we would get a ton and our efforts would be scattered around on different boxes everywhere. This is another way this would work.

  5. #170
    casey (Member) | Join Date: Jan 2003 | Location: If there is trouble, it will find me | Posts: 2,336

    Quote Originally Posted by rpmws:
    is it possible that the same domain(s) was or were at some point in another hosts' billing system? When I get transfers from other hosts I find that they often like to use an old familiar password and username for that matter. I always generate something like j8jdge4 for them.
    In this case, no. It was my site. Not my business site, but my personal site. It wasn't an easy to guess password and it was not stored in plain text anywhere as far as I know.

  6. #171
    rpmws (Member) | Join Date: Aug 2001 | Location: back woods of NC, USA | Posts: 1,858

    Quote Originally Posted by casey:
    In this case, no. It was my site. Not my business site, but my personal site. It wasn't an easy to guess password and it was not stored in plain text anywhere as far as I know.
    and they got in using FTP regular login ..one try?

  7. #172
    rpmws (Member) | Join Date: Aug 2001 | Location: back woods of NC, USA | Posts: 1,858

    Quote Originally Posted by casey:
    In this case, no. It was my site. Not my business site, but my personal site. It wasn't an easy to guess password and it was not stored in plain text anywhere as far as I know.
    is it possible that this account was EVER in another host's system with the same hard to guess password? Maybe you were a reseller at some point with another host prior to getting your own servers? Or maybe you just had that one personal site a while back?

  8. #173
    gorilla (cPanel Partner NOC) | Join Date: Feb 2004 | Location: Sydney / Australia | Posts: 732

    rpmws, sorry to stop your detective work aiming at modernbill, but we don't use MB so it's not through them

    another train of thought: has everybody enabled in WHM "Stats and Logs>Do not include password in the raw log download link in cPanel (via ftp)"?
    We have since disabled FP-extensions as well and chmodded the html-editor in cpanel to 000 (as this was an exploit a while ago as well)
    Last edited by gorilla; 05-06-2007 at 10:40 AM.

  9. #174
    casey (Member) | Join Date: Jan 2003 | Location: If there is trouble, it will find me | Posts: 2,336

    Quote Originally Posted by rpmws:
    and they got in using FTP regular login ..one try?
    The password had been changed. I don't know how they got in, though, because I didn't even notice the problem until the logs had been rotated. It was a personal blog that I update once every six months or so. I didn't even know anybody knew it existed other than family (no, no hackers in the family). There were several folders within that account, but only one was defaced (which just happened to be the one I check least often).

  10. #175
    rpmws (Member) | Join Date: Aug 2001 | Location: back woods of NC, USA | Posts: 1,858

    Quote Originally Posted by gorilla:
    rpmws, sorry to stop your detective work aiming at modernbill, but we don't use MB so it's not through them
    I wasn't aiming at MB ..I don't even think I mentioned it in my first post. It was brought up later, and we only mentioned it because it's the most widely used.

    If the accounts that you had that were hit were ever in a common system, MB or not, at any point with any host, reseller or anywhere else and that login data was not changed it still could be the case. All it would take is an insider of one of these big big hosts to get their hands on a master list of a couple million accounts and this problem could hit us all for years.

    this post:
    iframe / javascript hacks?

    suggests to me, since the authentication only fails once, that it's either a list with known login data being used (some passwords have been changed) or it's the same password being tried over and over against all the domains/users on the system. They don't try the same user over and over again. Let's just think about this. Since this box ..iframe / javascript hacks? was hit with quite a few ..but not ALL usernames on his box ..what if that group of accounts that did pass login ..what if they were all on one reseller account at BIG BIG host at one point and were transferred? What I am getting at is I wonder if all the affected domains across all the server owners in this thread have a common or HAD a common host or billing system in common at any point in the past. It's obvious that not all the users are being hit in the attacks. Were the users that did get hit part of a reseller? Or come from the same hosting company at some point? Could have been years and years ago. What if BIG BIG host went out of business and a million users went looking for all of us to host their sites ..and bad-employee of BIG host had a special "list" he decided to use later against plesk, cpanel, windows ..you name it ..any server those domains wind up on. I know it seems way out there .. but it would explain why some passwords work and some don't. If the guy got root he wouldn't be screwing with FTP, and if he were, wouldn't he hit them all? Why is it sporadic and why is changing the password the solution to stop it? If it were an FTP exploit or a cpanel exploit why would a password change stop it? I just really think it's a plain text master "list" out there somewhere that has SOME valid logins still on it.

  11. #176
    rpmws (Member) | Join Date: Aug 2001 | Location: back woods of NC, USA | Posts: 1,858

    Quote Originally Posted by gorilla:
    rpmws, sorry to stop your detective work aiming at modernbill, but we don't use MB so it's not through them

    another train of thought: has everybody enabled in WHM "Stats and Logs>Do not include password in the raw log download link in cPanel (via ftp)"?
    We have since disabled FP-extensions as well and chmodded the html-editor in cpanel to 000 (as this was an exploit a while ago as well)

    As you can see ..this is the first mention of modernbill.
    iframe / javascript hacks?

    I don't want anyone to think I have anything against modernbill at ALL. Just thinking outside the box.

  12. #177
    gorilla (cPanel Partner NOC) | Join Date: Feb 2004 | Location: Sydney / Australia | Posts: 732

    Hi rpmws,
    it's OK, nobody is thinking that and you are generously trying to help out, without being affected by this issue

    We always nominated the passwords for the new signups as well and disabled the password change option in cPanel, to stop people from simplifying their password choice.

  13. #178
    rpmws (Member) | Join Date: Aug 2001 | Location: back woods of NC, USA | Posts: 1,858

    Quote Originally Posted by gorilla:
    Hi rpmws,
    it's OK, nobody is thinking that and you are generously trying to help out, without being affected by this issue

    We always nominated the passwords for the new signups as well and disabled the password change option in cPanel, to stop people from simplifying their password choice.
    That's what we do. Are you saying that you have some that were hit using FTP that were strong unchanged passwords? If that's the case then it almost has to be a server exploit of some type.

    I am not even sure if I have been hit to be honest with you. No complaints from customers. I am going to do some searching today to make sure. Index hunting I go....

  14. #179
    rpmws (Member) | Join Date: Aug 2001 | Location: back woods of NC, USA | Posts: 1,858

    I just searched all my index.* in public_html
    egrep iframe /home/*/public_html/index.*

    just to get a quick return to see if any looked nasty and only got a few hits across 8 boxes and all were legit iframes. So far so good for me ..knock on wood
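The two greps in this thread (#166 walking the domlogs for a suspect IP, #179 looking for iframes in every index.*) can be folded into one small triage script. This is an added example, not code from the thread or from cPanel; it builds a constructed sample tree under a temp directory so it runs anywhere, and the real paths (/usr/local/apache/domlogs, /home) are only mentioned in comments.

```shell
#!/bin/sh
# Added example (not from the thread). Two triage helpers for a cPanel box,
# mirroring the greps in #166 and #179:
#   ip_hits IP LOGDIR       which domlogs a suspect IP touched, and how often
#   offsite_iframes HOMEDIR index.* files carrying an iframe to an absolute
#                           http(s) URL; local (relative) iframes are skipped
# The tree built by make_sample is constructed for the demo; on a real box the
# arguments would be /usr/local/apache/domlogs and /home.

# Count requests from IP in every file under LOGDIR; prints "hits<TAB>file",
# busiest first. Domlogs put the client IP first, so anchor at line start.
ip_hits() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        n=$(grep -c "^$pat " "$f" || true)        # grep -c exits 1 on 0 hits
        if [ "$n" -gt 0 ]; then printf '%s\t%s\n' "$n" "$f"; fi
    done | sort -rn
}

# List HOMEDIR/*/public_html/index.* files with an off-site iframe.
offsite_iframes() {
    grep -ilE "<iframe[^>]*src=[\"']?https?://" "$1"/*/public_html/index.* 2>/dev/null || true
}

# Build a constructed sample tree and print its path.
make_sample() {
    w=$(mktemp -d)
    mkdir -p "$w/domlogs" "$w/home/alice/public_html" "$w/home/bob/public_html"
    cat > "$w/domlogs/example.com" <<'EOF'
203.0.113.5 - - [06/May/2007:10:40:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [06/May/2007:10:41:12 -0500] "GET /billing/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.7 - - [06/May/2007:10:41:13 -0500] "GET /modernbill/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
EOF
    cat > "$w/domlogs/billing.example.net" <<'EOF'
198.51.100.7 - - [06/May/2007:10:42:00 -0500] "GET / HTTP/1.1" 200 890 "-" "Mozilla/4.0"
EOF
    # bob has a legitimate local iframe; alice's page carries an injected one
    printf '<html><body><iframe src="/stats/index.html"></iframe></body></html>\n' \
        > "$w/home/bob/public_html/index.html"
    printf '<html><body>Hi</body></html>\n<IFRAME src=http://198.51.100.7/x.php width=0 height=0></IFRAME>\n' \
        > "$w/home/alice/public_html/index.html"
    printf '%s\n' "$w"
}

W=$(make_sample)
echo "== domlogs hit by 198.51.100.7 =="; ip_hits 198.51.100.7 "$W/domlogs"
echo "== index files with off-site iframes =="; offsite_iframes "$W/home"
rm -rf "$W"
```

Anchoring the IP at the start of the line keeps 198.51.100.7 from also matching 198.51.100.70, and filtering on an absolute src is what separates the "legit iframes" rpmws saw from ones pointing at a stranger's host.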

  15. #180
    Member | Join Date: Feb 2003 | Posts: 205

    Quote Originally Posted by gorilla:
    another train of thought: has everybody enabled in WHM "Stats and Logs>Do not include password in the raw log download link in cPanel (via ftp)"?
    Yes we disabled this quite some time ago as the password was available in plain text.
