#1 Member (Join Date: Feb 2006, Posts: 5)

cPanel exploited!



    Hello,

    I run cPanel on multiple servers; something has been happening and I am not sure what the cause can be.

    I believe I am being exploited, but I cannot trace the source of what is happening.
    What happens is the /home folder will get wiped clean and all the data gets deleted. This has been happening to all servers; it seems like it does its rounds month after month.

    I am looking for a good way to be able to trace and essentially prevent this from happening.

    Any insight would be greatly appreciated.

    Sl1k

#2 Member (Join Date: Jan 2003, Posts: 24)

    We had the same thing happen on one of our boxes about same time you posted this today.

    There's nothing in the logs......



    If it was a cpanel exploit I'd think more of our boxes would be affected. What other details can you provide on this? You said it happens every month? Is this happening to all your boxes? A single box? It's happening every month?

#3 Member (Join Date: Jan 2003, Posts: 24)

    What version of cpanel were you running? We believe 10.8.0 stable has holes.

#4 chirpy, Super Moderator (account confirmed by cPanel staff to represent a vendor; Join Date: Jun 2002, Location: Go on, have a guess, Posts: 13,495)

    If you do not know what you are doing you need to either read up on server security (there's plenty of threads on this forum that talk about tracking down exploits) or hire a security specialist to investigate for you.

    If you're aware of any unpatched security vulnerabilities in cPanel (and I cannot remember seeing a genuine one since the password reset via email one which was a very long time ago now) then you should inform cPanel immediately and directly.
    Jonathan Michaelson


#5 Member (Join Date: Jan 2003, Posts: 24)

    We very much know what we are doing. We manage over 1,000 servers. The affected box had grsecurity, latest kernel, phpsuex, latest apache, frontpage, all of it.... The box was not rooted, since only cpanel users' folders were affected and we see no signs to point otherwise. Not all accounts were affected, only around 500 out of 700 accounts.


    The same time it happened there was a jump with inbound traffic.

    Everything we're finding is pointing to a cpanel hole in 10.8.0 stable, since this is the only box we had running this older version.


    I highly doubt cpanel releases all of the exploits they find to the public.

    We have contacted cpanel, and are hoping to get more information from other users in this forum with the same problem. If it's not a cpanel exploit it's something else, but either way there's a problem for us.
    Last edited by abused1; 05-28-2006 at 10:30 AM.

#6 chirpy, Super Moderator (account confirmed by cPanel staff to represent a vendor; Join Date: Jun 2002, Location: Go on, have a guess, Posts: 13,495)

    Then you're better off working directly with cPanel, as, without posting more information about exactly what evidence you've found in the logs, no-one is going to have anything to compare to.

    It also doesn't matter at all how secure you think your server is, if there's one vulnerable PHP or perl script on a client site then the whole server can be compromised with relative ease. If there was no root exploit, then that's probably the most likely access point.
    Jonathan Michaelson


#7 Member (Join Date: Jan 2003, Posts: 24)

    I think we're all better off working together and determining what the victims have in common. So far we have two servers.


    Cpanel isn't sure, and if it was in the logs I wouldn't be here.

#8 Member (Join Date: May 2006, Posts: 11)

    Quote Originally Posted by Sl1k

    Hello,

    I run cPanel on multiple servers; something has been happening and I am not sure what the cause can be.

    I believe I am being exploited, but I cannot trace the source of what is happening.
    What happens is the /home folder will get wiped clean and all the data gets deleted. This has been happening to all servers; it seems like it does its rounds month after month.

    I am looking for a good way to be able to trace and essentially prevent this from happening.

    Any insight would be greatly appreciated.

    Sl1k
    The only way I can conceive that anyone could delete the 'home' directory, which is the root in front of the actual 'public_html' directory, is NOT in cpanel. The way this is done is through FTP access, or if a file manager of some kind is used through actual server cp 'root_access'.

    What I think is actually happening is NOT Cpanel. But someone is hacking through anonymous FTP access.

    Here are the steps to disable 'Anonymous FTP' for (ALL ACCOUNTS):

    If you are using something like Virutuisol cp for server access, click on FTP SETUP and check the box that says disable "FTP Anonymous Login Server".

    If you are using WHM (Webhost Manager), which is made by Cpanel, then you can look in the FTP setup in there and check the box that disables Anonymous FTP.


    You see, what happens with allowing anonymous login FTP is that anyone with an FTP client of some kind can enter your domains, click the "Anonymous" button, and it bypasses even passwords. This is especially true with Endora FTP or even Smart FTP. You NEVER allow anonymous, even for your host customers or any accounts you set up on your servers. Disable this promptly, as it is a very dangerous security risk.

    Please let me know in the near future if this helps your current problem.

    Cheers!
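The post above recommends disabling anonymous FTP by hand in the control panel. As an added example (not from this thread or from cPanel), here is a small check that reads the FTP server's own configuration text and reports whether anonymous logins are still possible, so the setting can be verified on every box rather than assumed. It assumes Pure-FTPd's `NoAnonymous yes|no` directive (anonymous allowed when the directive is absent) and ProFTPD's `<Anonymous ...>` block; the sample configs are constructed.

```python
import re

# Added example, not cPanel's or the FTP servers' own code.
# Assumptions: Pure-FTPd permits anonymous logins unless "NoAnonymous yes"
# is set; ProFTPD permits them only through an uncommented <Anonymous> block.

def _strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()

def pure_ftpd_anonymous_allowed(conf_text):
    """Return True if this Pure-FTPd config would accept anonymous logins."""
    allowed = True  # assumption: no directive means anonymous is allowed
    for raw in conf_text.splitlines():
        line = _strip_comment(raw)
        m = re.match(r"NoAnonymous\s+(\S+)", line, re.IGNORECASE)
        if m:  # last occurrence wins, as with most line-based configs
            allowed = m.group(1).lower() not in ("yes", "on", "1")
    return allowed

def proftpd_anonymous_allowed(conf_text):
    """Return True if this ProFTPD config has an active <Anonymous> block."""
    for raw in conf_text.splitlines():
        if re.match(r"<Anonymous\b", _strip_comment(raw), re.IGNORECASE):
            return True
    return False

def report(name, allowed):
    """Human-readable verdict for one server's config."""
    return f"{name}: anonymous FTP {'ENABLED' if allowed else 'disabled'}"

# Constructed sample configs: a weak setting beside its corrected form.
WEAK_PURE = "ChrootEveryone yes\nNoAnonymous no\n"
FIXED_PURE = "ChrootEveryone yes\nNoAnonymous yes\n"
WEAK_PRO = 'ServerName "FTP"\n<Anonymous ~ftp>\n  User ftp\n</Anonymous>\n'
FIXED_PRO = 'ServerName "FTP"\n# <Anonymous ~ftp>\n#   User ftp\n# </Anonymous>\n'

if __name__ == "__main__":
    print(report("pure-ftpd (weak)", pure_ftpd_anonymous_allowed(WEAK_PURE)))
    print(report("pure-ftpd (fixed)", pure_ftpd_anonymous_allowed(FIXED_PURE)))
    print(report("proftpd (weak)", proftpd_anonymous_allowed(WEAK_PRO)))
    print(report("proftpd (fixed)", proftpd_anonymous_allowed(FIXED_PRO)))
```

To use it on a real server, read the live config file (for example the one WHM's FTP setup writes) into `conf_text` instead of the constructed samples.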

#9 Member (Join Date: Jan 2003, Posts: 24)

    We can eliminate this, since user databases are also deleted, which can't be done from FTP.

#10 Member (Join Date: Feb 2006, Posts: 5)

    Quote Originally Posted by pilot51198
    The only way I can conceive that anyone could delete the 'home' directory, which is the root in front of the actual 'public_html' directory, is NOT in cpanel. The way this is done is through FTP access, or if a file manager of some kind is used through actual server cp 'root_access'.

    What I think is actually happening is NOT Cpanel. But someone is hacking through anonymous FTP access.

    Here are the steps to disable 'Anonymous FTP' for (ALL ACCOUNTS):

    If you are using something like Virutuisol cp for server access, click on FTP SETUP and check the box that says disable "FTP Anonymous Login Server".

    If you are using WHM (Webhost Manager), which is made by Cpanel, then you can look in the FTP setup in there and check the box that disables Anonymous FTP.


    You see, what happens with allowing anonymous login FTP is that anyone with an FTP client of some kind can enter your domains, click the "Anonymous" button, and it bypasses even passwords. This is especially true with Endora FTP or even Smart FTP. You NEVER allow anonymous, even for your host customers or any accounts you set up on your servers. Disable this promptly, as it is a very dangerous security risk.

    Please let me know in the near future if this helps your current problem.

    Cheers!

    Thanks, I am going to try this out. Hopefully it will stop this.
    I will update this thread once I have additional information or *hopefully* success.

    Sl1k

#11 Member (Join Date: May 2006, Posts: 11)

    Quote Originally Posted by abused1
    We can eliminate this, since user databases are also deleted, which can't be done from FTP.
    Then someone hacked the server, then. Because I don't see how they can delete the root directory with cpanel!

#12 Member (Join Date: Feb 2006, Posts: 5)

    I checked it out and found that Anonymous FTP is disabled on every server as part of the standard build. So I am not sure what else could cause this.

    Sl1k

#13 Member (Join Date: Jan 2003, Posts: 24)

    Sl1k, what version of cpanel is this happening to you on? Also please read everything I wrote and answer. Thanks!

#14 Member (Join Date: Feb 2006, Posts: 5)

    The version I'm using is WHM 10.8.0 cPanel 10.8.2-R83.


    Sl1k

#15 Member (Join Date: Jan 2004, Posts: 252)

    Quote Originally Posted by pilot51198
    Then someone hacked the server, then. Because I don't see how they can delete the root directory with cpanel!

    Cpanel runs as the user root DUH


    root 14471 0.0 2.2 11604 10096 ? S 22:59 0:00 cpsrvd - waiting for connections
