  1. #1
    Registered User (joined Aug 2010, 2 posts)

    Successful WHM Root login (not me!)

    Hello,

    I've been experiencing the following problems:

    One of the sites I'm hosting had a vulnerability in one of its scripts. The exact script has not been / cannot be found yet, but the strange thing is:

    The hackers seem to be able to install a shell on the user's account, then use this shell to gain access to WHM (without knowing the password).
    CSF (cPanel firewall plugin) tells me this through e-mail.

    I personally think there is a private exploit available for this, but I cannot be sure.

    Can anyone tell me anything more? Does he gain full (root) access to WHM, or does he just gain authentication access (without being in WHM)?

    The strange thing is: nothing has been changed or altered. I'm an experienced administrator. My server is pretty well secured. And I know I never know for sure my machine is safe after a hacker has gained true access to it.

    The only thing I can't get my finger behind is how they gain root access to WHM by running a webshell on a user account (who is just a shared hosting user, not a reseller or anything, with no access to WHM).

    I can deliver all information if you want.

    Please help me, this has happened twice now (same hacker probably) and I want to give my users a secure feeling. (I suspended the vulnerable account until we find the malicious script.)

  2. #2
    Infopro, cPanel Product Evangelist (joined May 2003, Pennsylvania, 7,891 posts; cPanel/Enkompass Access Level: Root Administrator)

    This is not free, but you might find it useful:
    ConfigServer eXploit Scanner (cxs)

    How do you know he's gaining root? What email is CSF sending you?

  3. #3
    Registered User (joined Aug 2010, 2 posts)

    Thanks for responding! I'm aware of that tool, but I will not look towards solutions for finding any exploits. I will restore the server back to when the user did not

    Like I said, the user has not been in SSH, only web-related services (HTTP and WHM).

    The e-mail:

    Subject: lfd on <server>.pr0jects.nl: WHM root access alert from 188.123.173.4 (JO/Jordan/-)

    Email body: Time: Thu Aug 19 15:04:14 2010 +0200
    IP: 188.123.173.4 (JO/Jordan/-)

    Bells and alarms started since we don't use root. (Can't log in to SSH with root from outside. The hacker doesn't try, because I see no entries for his IP trying.)

    I stand by my suspicion that there is a 0day cPanel/WHM exploit available somewhere.

    Can the cPanel crew please respond? I saw you looking at my thread....

  4. #4
    cpanelkenneth, cPanel Development (joined Apr 2006, 3,782 posts; cPanel/Enkompass Access Level: Root Administrator)

    Please open a support ticket on the compromised system. If you already have, please PM me the ticket number.

    Thank you.
    Kenneth
    Product Manager
    cPanel, Inc.

  5. #5
    cPanel Partner NOC (joined Dec 2003, Athens/GREECE, 180 posts; cPanel/Enkompass Access Level: DataCenter Provider)

    Hello,

    Did you look at the WHM access logs to see what he did at the time he gained access?

    Sincerely,

    George Vardikos
    HyperHosting Internet Services

  6. #6
    Member (joined Jul 2005, location: Sticky On Internet, 555 posts)

    Can you check if the user in question has a MySQL username of root? It may also be cpuser_root.

    If I am not mistaken, some older versions of CSF reported a remote MySQL connection with user root as a WHM access alert.

    I no longer have that OLD box where this happened, else I would have tried to dig into it for you.

  7. #7
    Member (joined May 2010, 321 posts)

    Quote originally posted by mohit:
        can you check if the user in question has mysql
        if i am not mistaken some older version of csf reported remote mysql connection with user root as whm access alert.

    You are correct. The old CSF version did this; it now blocks any new users with the root name.

    To be honest, if I got an email where someone logged in as root and I knew it wasn't me, I'd probably have a heart attack.

    Either go by what the cPanel pros say or completely disable root via SSH. Make sure it's set to JAIL for all accounts. Make a new wheel group with a new user for extra protection.

    Install chkrootkit and Rootkit Hunter, as this will help a lot to find and remove the malicious script.
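Replies #5 and #6 suggest two concrete checks: see what the alerting IP actually did in the WHM access log, and see whether the affected account owns a MySQL user named root or <prefix>_root (the case old CSF builds misreported). The script below is an added example, not code from this thread or from cPanel/CSF; it assumes the common-log layout shown in its constructed sample (the real file on a cPanel host is /usr/local/cpanel/logs/access_log) and a MySQL user list dumped with `mysql -N -e 'SELECT User, Host FROM mysql.user'`, and takes both as files so it runs offline.

```shell
#!/bin/sh
# Triage helpers for an lfd "WHM root access alert" (added example, not from the thread).
# Assumes the WHM access log uses the common-log layout in the constructed sample below
# (on a cPanel host the real file is /usr/local/cpanel/logs/access_log) and that the
# MySQL user list was dumped with: mysql -N -e 'SELECT User, Host FROM mysql.user'

# Constructed sample WHM access log: a trusted admin session from 10.0.0.5, two root
# requests from the alerting IP, and an unrelated cPanel-user request.
make_sample_access_log() {  # $1 = output file
  cat > "$1" <<'EOF'
10.0.0.5 - root [19/Aug/2010:09:12:01 +0200] "GET /scripts/command?PFILE=main HTTP/1.1" 200 5120 "-" "Mozilla"
188.123.173.4 - root [19/Aug/2010:15:04:14 +0200] "GET /xml-api/listaccts HTTP/1.1" 200 2048 "-" "Mozilla"
188.123.173.4 - root [19/Aug/2010:15:04:20 +0200] "GET /scripts2/listpkgs HTTP/1.1" 200 1024 "-" "Mozilla"
10.0.0.9 - shareduser [19/Aug/2010:15:05:00 +0200] "GET /frontend/x3/index.html HTTP/1.1" 200 900 "-" "Mozilla"
EOF
}

# Print "user URI" for every request the given IP made, so you can see whether the
# session really exercised WHM root functions or was only an authentication hit.
whm_hits_from_ip() {  # $1 = access log, $2 = IP
  awk -v ip="$2" '$1 == ip { print $3, $7 }' "$1"
}

# Count requests authenticated as root that did not come from the trusted admin IP.
root_hits_not_from() {  # $1 = access log, $2 = trusted admin IP
  awk -v ok="$2" '$3 == "root" && $1 != ok { n++ } END { print n + 0 }' "$1"
}

# Constructed MySQL user dump (User<TAB>Host), including the case post #6 describes:
# a cPanel-style "<prefix>_root" user allowed in from any host.
make_sample_mysql_users() {  # $1 = output file
  printf 'root\tlocalhost\nshareduser_root\t%%\nshareduser_shop\tlocalhost\nroot\t10.0.0.5\n' > "$1"
}

# List MySQL accounts named root or ending in _root that may connect from anywhere
# other than localhost: the pattern old CSF/lfd builds misreported as a WHM root login.
remote_rootish_mysql_users() {  # $1 = user dump
  awk -F'\t' '($1 == "root" || $1 ~ /_root$/) && $2 != "localhost" { print $1 "@" $2 }' "$1"
}
```

A non-empty result from `remote_rootish_mysql_users` on a box where nobody deliberately granted remote root is worth fixing regardless of whether it explains the alert.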
