  1. #1
    Member
    Join Date: Jul 2004
    Posts: 102

    Hackers can gain access to Cpanel

    Hi,

    apparently if hackers manage to execute a PHP script with user privileges (i.e. by running PHP as CGI) they are able to gain Cpanel access. They then log in and create email accounts and send fraudulent spam using Squirrel signatures.

    Example of a hacker logging in to Cpanel after executing an outdated (insecure) copy of OS Commerce with user privileges:

    41.219.209.3 - - [03/18/2008:02:46:22 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; S$
    41.219.209.3 - username [03/18/2008:02:46:46 -0000] "GET / HTTP/1.1" 301 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT$
    41.219.209.3 - username [03/18/2008:02:47:12 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "" "Mozilla/4.0 (compatible$

    At the end of the lines it reads "Crazy Browser 2.0.1".

    This issue has also been described on Webhostingtalk.

    There seems to be a security issue in Cpanel that allows hackers who find an insecure script that they can execute with user privileges to gain Cpanel access. The Nigeria Connection seems to have developed software for this. I am getting an abuse complaint from my DC about once every 2 days now and I see no way to fix this. There are like 1000 accounts hosted on the servers and hundreds of thousands of PHP scripts. Fixing all of them is impossible even though I am trying. I would just appreciate it if Cpanel could fix this and prevent the Nigerian mafia from sending their fraudulent emails.

  2. #2
    nyjimbo (Member)
    Join Date: Jan 2003
    Location: New York
    Posts: 1,082

    Are you sure they are getting cpanel access and not just root access to the server? If there is an exploitable script on your machine that allows a user to get root access to create accounts, they would not need to go to cpanel. Do you see them actually creating the email accounts in cpanel? If they get root access then they can get cpanel access, but if they already have root they don't need to go back to cpanel to fully control your machine.
    "A dog has raised its hind leg on the age of nevermore!"
    -- Rolf

  3. #3
    Member
    Join Date: Aug 2002
    Posts: 1,118

    Quote Originally Posted by driverC
    Example of a hacker logging in to Cpanel after executing an outdated (insecure) copy of OS Commerce with user privileges:
    I'm not saying that this is not an issue that needs further investigation, but if users are running old and outdated scripts on their websites, what do they really expect anyway?

    There are reasons why scripts are updated and why some scripts are not looked upon very favorably: because they are security risks. Users that run scripts that are old and outdated should expect their website to be hacked.

  4. #4
    rpmws (Member)
    Join Date: Aug 2001
    Location: back woods of NC, USA
    Posts: 1,858

    Quote Originally Posted by driverC
    Hi,

    apparently if hackers manage to execute a PHP script with user privileges (i.e. by running PHP as CGI) they are able to gain Cpanel access. They then log in and create email accounts and send fraudulent spam using Squirrel signatures.

    Example of a hacker logging in to Cpanel after executing an outdated (insecure) copy of OS Commerce with user privileges:

    41.219.209.3 - - [03/18/2008:02:46:22 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; S$
    41.219.209.3 - username [03/18/2008:02:46:46 -0000] "GET / HTTP/1.1" 301 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT$
    41.219.209.3 - username [03/18/2008:02:47:12 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "" "Mozilla/4.0 (compatible$

    At the end of the lines it reads "Crazy Browser 2.0.1".

    This issue has also been described on Webhostingtalk.

    There seems to be a security issue in Cpanel that allows hackers who find an insecure script that they can execute with user privileges to gain Cpanel access. The Nigeria Connection seems to have developed software for this. I am getting an abuse complaint from my DC about once every 2 days now and I see no way to fix this. There are like 1000 accounts hosted on the servers and hundreds of thousands of PHP scripts. Fixing all of them is impossible even though I am trying. I would just appreciate it if Cpanel could fix this and prevent the Nigerian mafia from sending their fraudulent emails.

    Back in September I found 2 cases of this. I specifically remember the exact same Crazy Browser and remember them using the change-password feature on webmail.

    I dug and dug for a full day to figure out the cause. It turned out to be a super simple password on the email box. In fact it was the word "password", and the other was "email". The email user called me and complained that he was blocked via BFD and that his POP3 password would no longer work. I verified that the bot or hacker was using his webmail account to do batches of spam. I told the user to go back into cPanel and change back his password. 1 hour later a different IP was in his same account again, had changed the password again and was sending spam. I then decided to change the password to "guess_me". The very next round of hits on that webmail account all failed access. I saw 3 attempts. I then changed the password to "password" and sure enough they were back in and doing spam business. I called the client and verified it was that simple password. I changed it to something really easy to remember but much harder to guess and no more problems. If this had been a true exploit I really feel this would not have stopped them, and I verified the password with the client. I think there is a bot floating around, checking port 995@address.com user:email@address.com password.
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  5. #5
    nyjimbo (Member)
    Join Date: Jan 2003
    Location: New York
    Posts: 1,082

    Quote Originally Posted by rpmws
    It turned out to be a super simple password on the email box. In fact it was the word "password", and the other was "email". The email user called me and complained that he was blocked via BFD and that his POP3 password would no longer work.
    This drives me fricking insane. Just two days ago a customer couldn't remember his cpanel password and asked me to change it to "qwerty". I told him if I did that, to be sure to change it as soon as he got back in. He told me ALL of his passwords on other services are "qwerty" and nobody has ever hacked his other accounts, so why should he have to change it here.

    I reminded him that if he gets hacked we will shut his account off and not call him. Some people are really that stupid. I know a huge law firm that has ALL of its email account passwords set to "1234", just amazing.
    "A dog has raised its hind leg on the age of nevermore!"
    -- Rolf

  6. #6
    rpmws (Member)
    Join Date: Aug 2001
    Location: back woods of NC, USA
    Posts: 1,858

    Quote Originally Posted by nyjimbo
    This drives me fricking insane. Just two days ago a customer couldn't remember his cpanel password and asked me to change it to "qwerty". I told him if I did that, to be sure to change it as soon as he got back in. He told me ALL of his passwords on other services are "qwerty" and nobody has ever hacked his other accounts, so why should he have to change it here.

    I reminded him that if he gets hacked we will shut his account off and not call him. Some people are really that stupid. I know a huge law firm that has ALL of its email account passwords set to "1234", just amazing.
    And 3-4 months ago is when I had this problem and is when I started begging Nick for some tools in cPanel to help clients and the WHM admin create better passwords. I would say, if you have looked at it lately, I think they have done a fine job, and just maybe in time we will have no more of these weak passwords. You know, in most cases all we need to do is add something simple to these things. I mean come on, you know how much less likely password_1 is to get guessed than just "password"? It doesn't take a whole lot to get much better. It's these qwerty and 1234 and password ones that kill me too.
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  7. #7
    Member
    Join Date: Jul 2004
    Posts: 102

    Alright guys... this is not a password issue. After another account got hacked yesterday I changed the password to something really complicated like V9hy-N4ai7tG. I also changed the password of all email accounts (to something else). Today I found that the exact same hacker logged in again!! Without changing the password!! He logs in to webmail, changes the Squirrel signature and then sends spam to thousands of people.

    I ran RK Hunter and Chkrootkit and found nothing. No other traces of root access either. Nothing unusual on the server otherwise. To me it seems there is a way to bypass the Cpanel login when you have user access via a hacked PHP script. Maybe the hackers are creating a Cpanel session or something that lets them log in. I guess that is what they do... they have user privileges, create a Cpanel session and then steal this session browser-wise and then they get Cpanel access! It must be this way!

  8. #8
    rpmws (Member)
    Join Date: Aug 2001
    Location: back woods of NC, USA
    Posts: 1,858

    Quote Originally Posted by driverC
    Alright guys... this is not a password issue. After another account got hacked yesterday I changed the password to something really complicated like V9hy-N4ai7tG. I also changed the password of all email accounts (to something else). Today I found that the exact same hacker logged in again!! Without changing the password!! He logs in to webmail, changes the Squirrel signature and then sends spam to thousands of people.

    I ran RK Hunter and Chkrootkit and found nothing. No other traces of root access either. Nothing unusual on the server otherwise. To me it seems there is a way to bypass the Cpanel login when you have user access via a hacked PHP script. Maybe the hackers are creating a Cpanel session or something that lets them log in. I guess that is what they do... they have user privileges, create a Cpanel session and then steal this session browser-wise and then they get Cpanel access! It must be this way!
    Change the email account password to something and don't tell anyone. See if they get back in. Don't enter it or put it anywhere in any email client. If they could bypass cpanel they would have access to all your email accounts by now.
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  9. #9
    cpanelkenneth (cPanel Development)
    Join Date: Apr 2006
    Posts: 3,768
    cPanel/Enkompass Access Level: Root Administrator

    Quote Originally Posted by driverC
    Alright guys... this is not a password issue. After another account got hacked yesterday I changed the password to something really complicated like V9hy-N4ai7tG. I also changed the password of all email accounts (to something else). Today I found that the exact same hacker logged in again!! Without changing the password!! He logs in to webmail, changes the Squirrel signature and then sends spam to thousands of people.

    I ran RK Hunter and Chkrootkit and found nothing. No other traces of root access either. Nothing unusual on the server otherwise. To me it seems there is a way to bypass the Cpanel login when you have user access via a hacked PHP script. Maybe the hackers are creating a Cpanel session or something that lets them log in. I guess that is what they do... they have user privileges, create a Cpanel session and then steal this session browser-wise and then they get Cpanel access! It must be this way!
    Two things:

    1. Is your cPanel install fully up-to-date (running build 21703 at time of writing)?

    2. Have you tracked down and removed the offending PHP script?

    Also, do what rpmws suggested, change the password and don't tell anyone, not even the user. Slight possibility, but the user's computer itself could be compromised with a key-logger or something similar (especially if access is from a public terminal).
    Last edited by cpanelkenneth; 03-20-2008 at 09:31 AM. Reason: used wrong word

  10. #10
    rpmws (Member)
    Join Date: Aug 2001
    Location: back woods of NC, USA
    Posts: 1,858

    Quote Originally Posted by cpanelkenneth
    Two things:

    1. Is your cPanel install fully up-to-date (running build 21703 at time of writing)?

    2. Have you tracked down and removed the offending PHP script?

    Also, do what rpmws suggested, change the password and don't tell anyone, not even the user. Simple possibility, but the user's computer itself could be compromised with a key-logger or something similar (especially if access is from a public terminal).
    Change the cPanel and POP password.

    Something to remember: if the hacker had root he would most likely be doing all kinds of stuff to other accounts.
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  11. #11
    Member
    Join Date: Oct 2004
    Location: United Kingdom
    Posts: 10

    Quote Originally Posted by driverC
    I ran RK Hunter and Chkrootkit and found nothing. No other traces of root access either. Nothing unusual on the server otherwise. To me it seems there is a way to bypass the Cpanel login when you have user access via a hacked PHP script. Maybe the hackers are creating a Cpanel session or something that lets them log in. I guess that is what they do... they have user privileges, create a Cpanel session and then steal this session browser-wise and then they get Cpanel access! It must be this way!
    I have been having similar problems, on a variety of accounts. Even with account passwords being changed, hackers still manage to get in. The only slightly suspicious things I can see in the cPanel access logs are like the following:

    127.0.0.1 - - [04/28/2008:13:39:01 -0000] "POST /.__cpanel__service__check__./serviceauth HTTP/1.0" 200 0 "" ""

    My guess/assumption was that this was related to chkservd or similar, but I'm not entirely sure. Would this offer a backdoor into cPanel, and is there something on the machine that's likely to be calling it? chkrootkit didn't find anything, but it's quite possible (if not probable) that there's something nasty lurking somewhere. It's just that finding what that is is the problem.

    EDIT: I can't see any lines like this on any other cPanel machine I run. My suspicion is that this may be the backdoor they're using. I'm running C23809, but I had these problems on release builds for a month or so - I had to disable all webmail clients as a temporary "fix".

    EDIT #2: I also had various clients logging in with "Crazy Browser 2.0.1", as detailed in the first post.
    Last edited by orudge; 05-02-2008 at 07:45 PM.

  12. #12
    cpanelnick (cPanel Staff)
    Join Date: Feb 2003
    Location: Houston, TX
    Posts: 4,514

    Quote Originally Posted by orudge
    I have been having similar problems, on a variety of accounts. Even with account passwords being changed, hackers still manage to get in. The only slightly suspicious things I can see in the cPanel access logs are like the following:

    127.0.0.1 - - [04/28/2008:13:39:01 -0000] "POST /.__cpanel__service__check__./serviceauth HTTP/1.0" 200 0 "" ""

    My guess/assumption was that this was related to chkservd or similar, but I'm not entirely sure. Would this offer a backdoor into cPanel, and is there something on the machine that's likely to be calling it? chkrootkit didn't find anything, but it's quite possible (if not probable) that there's something nasty lurking somewhere. It's just that finding what that is is the problem.

    EDIT: I can't see any lines like this on any other cPanel machine I run. My suspicion is that this may be the backdoor they're using. I'm running C23809, but I had these problems on release builds for a month or so - I had to disable all webmail clients as a temporary "fix".

    EDIT #2: I also had various clients logging in with "Crazy Browser 2.0.1", as detailed in the first post.
    This is just a service check from chkservd. It is verifying that the service running on the port is a legitimate cpanel service.
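    As an added example, not code from this thread or from cPanel, here is a small Python audit of the access-log format the posts above quote. It parses cPanel access-log lines, treats the loopback `serviceauth` POST that cpanelnick identifies as chkservd as benign, summarises each account's authenticated hits per source IP, and raises an alert for a watch-listed user agent or for the same account authenticating from more than one address within a day. The sample log is constructed: its first three lines mirror the original post, but the full user-agent string and the second address 203.0.113.7 are assumptions, and the `WATCHLISTED_AGENTS` list is a hypothetical watch-list seeded from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# cPanel access-log shape seen in the thread:
#   ip - user [mm/dd/yyyy:HH:MM:SS zone] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# chkservd self-check path from the thread; only benign when it comes from loopback.
SERVICE_CHECK_PATH = "/.__cpanel__service__check__./serviceauth"
# Assumption: user-agent fragments worth flagging, seeded from the thread's observation.
WATCHLISTED_AGENTS = ("Crazy Browser",)

# Constructed sample: first three lines mirror the original post (user-agent completed as an
# assumption); the 127.0.0.1 probe follows orudge's line; 203.0.113.7 is invented.
SAMPLE_LOG = """\
41.219.209.3 - - [03/18/2008:02:46:22 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
41.219.209.3 - username [03/18/2008:02:46:46 -0000] "GET / HTTP/1.1" 301 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
41.219.209.3 - username [03/18/2008:02:47:12 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Crazy Browser 2.0.1)"
127.0.0.1 - - [03/18/2008:03:00:01 -0000] "POST /.__cpanel__service__check__./serviceauth HTTP/1.0" 200 0 "" ""
203.0.113.7 - username [03/18/2008:09:12:40 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 5.1; rv:1.8) Firefox/2.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%m/%d/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def _is_loopback(ip):
    try:
        return ip_address(ip).is_loopback
    except ValueError:  # hostname or junk in the address column
        return False


def classify(entry):
    """Label a parsed line: chkservd probe, auth challenge, authenticated hit, or other."""
    if entry["path"] == SERVICE_CHECK_PATH and _is_loopback(entry["ip"]):
        return "service-check"
    if entry["status"] == 401:
        return "auth-challenge"
    if entry["user"] != "-" and entry["status"] < 400:
        return "authenticated"
    return "other"


def audit(lines, window=timedelta(hours=24)):
    """Return (sessions, alerts): sessions keyed by (user, ip); alerts as tagged tuples."""
    sessions, alerts = {}, []
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            alerts.append(("unparsed", raw))
            continue
        if classify(entry) != "authenticated":
            continue  # challenges, service checks and errors carry no session
        key = (entry["user"], entry["ip"])
        sess = sessions.setdefault(key, {"first": entry["ts"], "agent": entry["agent"], "hits": 0})
        sess["hits"] += 1
        if sess["hits"] == 1 and any(sig in entry["agent"] for sig in WATCHLISTED_AGENTS):
            alerts.append(("watchlisted-agent", entry["user"], entry["ip"], entry["agent"]))

    # Same account authenticated from two addresses inside the window: the pattern the thread
    # describes (a guessed or leaked password being reused), worth a look whatever the agent.
    by_user = defaultdict(list)
    for (user, ip), sess in sessions.items():
        by_user[user].append((sess["first"], ip))
    for user, starts in by_user.items():
        starts.sort()
        for (t1, ip1), (t2, ip2) in zip(starts, starts[1:]):
            if t2 - t1 <= window:
                alerts.append(("multi-ip-login", user, ip1, ip2))
    return sessions, alerts


def audit_sample():
    """Run the audit over the constructed sample log."""
    return audit(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    sessions, alerts = audit_sample()
    for (user, ip), sess in sessions.items():
        print(f"{user}@{ip}: first {sess['first']:%Y-%m-%d %H:%M}, {sess['hits']} hits")
    for alert in alerts:
        print("ALERT", alert)
```

    On the sample this reports two sessions for `username` (from 41.219.209.3 and from 203.0.113.7) and two alerts, one for the watch-listed agent and one for the same account appearing from two addresses within the window, while the loopback chkservd probe produces nothing. A multi-IP alert on a freshly reset account is the signal to follow rpmws's advice: reset the password out of band and see whether the logins continue before assuming a bypass.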

  13. #13
    rpmws (Member)
    Join Date: Aug 2001
    Location: back woods of NC, USA
    Posts: 1,858

    Quote Originally Posted by cpanelnick
    This is just a service check from chkservd. It is verifying that the service running on the port is a legitimate cpanel service.
    Nick, you really need to make a tool to "change all account passwords on server NOW" and ask people 10 times if they are sure.

    Also, look at the shell manager. We need a button for "disable ALL" like you have "jail all" and "enable all". Call these PANIC features ~!!!! LOL
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  14. #14
    Infopro (cPanel Product Evangelist)
    Join Date: May 2003
    Location: Pennsylvania
    Posts: 7,165
    cPanel/Enkompass Access Level: Root Administrator

    Nice idea. Got to love a good old fashioned panic button when needed.

    Oh, and get some visine for that eye..

  15. #15
    cpanelkenneth (cPanel Development)
    Join Date: Apr 2006
    Posts: 3,768
    cPanel/Enkompass Access Level: Root Administrator

    Quote Originally Posted by Infopro
    Nice idea. Got to love a good old fashioned panic button when needed.

    Oh, and get some visine for that eye..
    It must be large, red and flashing.

    For extra points, find a way to ship a physical button to all licensees with a nice flip cover.

    OK, off-topic.
