Closed Thread
  1. #1
    Member
    Join Date
    Feb 2003
    Location
    Sachse, TX
    Posts
    567

    Security Issue...

    Seems like ftp is being used to get into directories and upload DarkMailer. I can't find out how, but it only happens with one account each time on all my servers, and then I find it and delete it. Can anyone help me with some ideas?

    New bug or root exploit?

    Example:

    Wed Mar 21 13:33:36 2007 3 12.218.85.204 3680 /home/xxxxx/public_html/cgi-bin/news/upload/from.txt a _ i r xxxxx ftp 1 * c
    Wed Mar 21 13:33:40 2007 0 12.218.85.204 626 /home/xxxxx/public_html/cgi-bin/news/upload/letter.txt a _ i r xxxxx ftp 1 * c
    Wed Mar 21 13:33:42 2007 0 12.218.85.204 13 /home/xxxxx/public_html/cgi-bin/news/upload/replyto.txt a _ i r xxxxx ftp 1 * c
    Wed Mar 21 13:33:49 2007 1 12.218.85.204 29 /home/xxxxx/public_html/cgi-bin/news/upload/subject.txt a _ i r xxxxx ftp 1 * c
    Wed Mar 21 13:33:55 2007 1 12.218.85.204 1392 /home/xxxxx/public_html/cgi-bin/news/config.txt a _ i r xxxxx ftp 1 * c
    Wed Mar 21 13:34:28 2007 29 12.218.85.204 250036 /home/xxxxx/public_html/cgi-bin/news/dm.cgi a _ i r xxxxx ftp 1 * c
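    The six lines above are wu-ftpd style xferlog records: five date tokens, transfer time, remote host, size, file name, transfer type, special-action flag, direction (i = incoming upload), access mode, username, service, auth method, auth user id, and completion status. The following is an added example (not code from the thread or from cPanel) that parses those records and flags the pattern described in the post: a burst of incoming uploads from one address into one account's web-exposed directory, ending with a CGI script. The sample log text is the thread's own lines with the account name already masked; the extension list and the directory check are assumptions to be tuned per server.

```python
"""Parse xferlog lines and flag uploads of executables into web-exposed paths.

Added example, not from the original thread. SAMPLE_XFERLOG reproduces the
lines posted in the thread (account name masked as 'xxxxx'); the extension
list and directory list are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed from the thread's posted xferlog lines (account masked).
SAMPLE_XFERLOG = """\
Wed Mar 21 13:33:36 2007 3 12.218.85.204 3680 /home/xxxxx/public_html/cgi-bin/news/upload/from.txt a _ i r xxxxx ftp 1 * c
Wed Mar 21 13:33:40 2007 0 12.218.85.204 626 /home/xxxxx/public_html/cgi-bin/news/upload/letter.txt a _ i r xxxxx ftp 1 * c
Wed Mar 21 13:33:42 2007 0 12.218.85.204 13 /home/xxxxx/public_html/cgi-bin/news/upload/replyto.txt a _ i r xxxxx ftp 1 * c
Wed Mar 21 13:33:49 2007 1 12.218.85.204 29 /home/xxxxx/public_html/cgi-bin/news/upload/subject.txt a _ i r xxxxx ftp 1 * c
Wed Mar 21 13:33:55 2007 1 12.218.85.204 1392 /home/xxxxx/public_html/cgi-bin/news/config.txt a _ i r xxxxx ftp 1 * c
Wed Mar 21 13:34:28 2007 29 12.218.85.204 250036 /home/xxxxx/public_html/cgi-bin/news/dm.cgi a _ i r xxxxx ftp 1 * c
"""

# Assumption: file types that should rarely arrive over FTP into a
# web-exposed directory on a shared hosting box.
EXECUTABLE_EXTENSIONS = (".cgi", ".pl", ".php", ".sh")
WEB_EXPOSED_DIRS = ("/public_html/", "/cgi-bin/")


@dataclass
class Transfer:
    when: datetime
    remote_host: str
    size: int
    path: str
    direction: str      # 'i' = incoming (upload), 'o' = outgoing (download)
    username: str
    service: str
    completed: bool     # completion-status 'c' = complete, 'i' = incomplete


def parse_xferlog_line(line: str) -> Transfer:
    """Split one xferlog record into its fields.

    Field layout: 5 date tokens, transfer-time, remote-host, file-size,
    file-name, transfer-type, special-action-flag, direction, access-mode,
    username, service-name, authentication-method, authenticated-user-id,
    completion-status (18 whitespace-separated tokens). File names that
    contain spaces would break this split; the thread's lines have none.
    """
    fields = line.split()
    if len(fields) != 18:
        raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
    when = datetime.strptime(" ".join(fields[0:5]), "%a %b %d %H:%M:%S %Y")
    return Transfer(
        when=when,
        remote_host=fields[6],
        size=int(fields[7]),
        path=fields[8],
        direction=fields[11],
        username=fields[13],
        service=fields[14],
        completed=fields[17] == "c",
    )


def is_suspicious_upload(t: Transfer) -> bool:
    """Completed incoming transfer of an executable into a web-exposed path."""
    return (
        t.direction == "i"
        and t.completed
        and any(d in t.path for d in WEB_EXPOSED_DIRS)
        and t.path.lower().endswith(EXECUTABLE_EXTENSIONS)
    )


def summarize_uploads(log_text: str) -> dict:
    """Group incoming transfers by (username, remote_host).

    Returns {(user, host): {"uploads": count, "flagged": [paths]}} so an
    admin can spot one account receiving a burst of files from one address.
    """
    summary = defaultdict(lambda: {"uploads": 0, "flagged": []})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        t = parse_xferlog_line(raw)
        if t.direction != "i":
            continue
        entry = summary[(t.username, t.remote_host)]
        entry["uploads"] += 1
        if is_suspicious_upload(t):
            entry["flagged"].append(t.path)
    return dict(summary)


if __name__ == "__main__":
    for (user, host), info in summarize_uploads(SAMPLE_XFERLOG).items():
        print(f"{user}@{host}: {info['uploads']} uploads, flagged: {info['flagged']}")
```

    Run against a real xferlog, the grouping step is what separates a brute-force pattern (many failed or tiny sessions across accounts) from what the post describes: one address, one account, a handful of small text files and then a 250 KB .cgi, all completed. Pairing the flagged path with the FTP daemon's authentication log for the same timestamp tells you whether the login succeeded on the first try.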

  2. #2
    Member rs-freddo
    Join Date
    May 2003
    Location
    Australia
    Posts
    819
    cPanel/Enkompass Access Level

    Root Administrator


    Maybe they have the username and password? Sometimes the simple answer is the solution.
    Michael

  3. #3
    Member
    Join Date
    Jul 2002
    Location
    Canada
    Posts
    675

    It's common that FTP accounts get brute-forced. Users use simple passwords like their username and such. Change the password on the account.
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance

  4. #4
    Member
    Join Date
    Feb 2003
    Location
    Sachse, TX
    Posts
    567

    Hmm

    But there's no evidence of brute force... and they never come back to the same account after I remove it.

  5. #5
    Member
    Join Date
    Mar 2003
    Posts
    11

    I have the same issues.

    They logged in directly to the FTP and uploaded some files. Still looking around...

  6. #6
    Member brianoz
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,093
    cPanel/Enkompass Access Level

    Root Administrator


    Perhaps this isn't much help with the actual issue, but have you looked at blocking the execution of DarkMailer with mod_security?

    Interesting one this, as it sounds a bit like a cpanel exploit if the accounts are all different, although there's many other things they could have done to get in like this given enough time.

  7. #7
    Member
    Join Date
    Mar 2003
    Posts
    11

    Yeah, I have been putting keyword bans into mod_security, searching around for a solution though.

    thanks!

  8. #8
    Member
    Join Date
    Sep 2003
    Location
    UK, Luton
    Posts
    197


    This whole FTP account entry thing is entirely unsolved in my opinion.

    The main thread regarding this is here: http://forums.cpanel.net/showthread.php?t=62821&page=4
    Regards,
    James Smith
    UH Hosting Ltd

  9. #9
    Member
    Join Date
    Apr 2007
    Posts
    9

    I am a customer of a web host that uses cPanel and have had this happen to me twice.

    I posted some info here:
    http://forums.cpanel.net/showthread.php?t=62821&page=6

    Basically:
    Somebody/something uploaded a collection of phishing sites to a directory on my vhost using FTP. There was no evidence of a brute force, just logged straight in!
    I have never logged in using FTP at all and always use https / port 2083 to log into cPanel. and I upload files using SFTP.

    So on discovery of this the files were removed and I logged into cpanel using https/port 2083 and changed my password and logged out. I have never used the new password again and have never told anybody the password.
    But a few days later the same thing happened.

    I don't save passwords anywhere and I use linux so I feel comfortable that I don't have any malware installed.

    Also as this appears to be affecting a number of different web hosts I highly doubt my password was captured.

  10. #10
    Member
    Join Date
    Mar 2003
    Posts
    11

    This actually started to happen on my server last year. It looks like they are able to get the cpanel password, aka ftp password. After that they just log in to cpanel and ftp without any brute force.

  11. #11
    Member
    Join Date
    Apr 2007
    Posts
    9


    This is very strange, but something I did notice was that when I did login to cpanel and went to the FTP accounts section it has ftp links in the format of ftp://user : pass@ftp.demo.com/demo.com

    Which actually show your user password (when you hover over it).
    Now I know to see this you would have to have been logged in but this means that the password must be stored somewhere in either plain text or reversible encryption!

    Maybe this could this have anything to do with it?
    Maybe a local file include exploit could grab this file or something?

    Check yourself on the cpanel 10 demo at :
    http://www.cpanel.net/products/cPane...try_cp_whm.htm

    When logged in, go to "FTP manager" then "FTP Accounts".

    Near the bottom are some links to the ftp server; hover over one and it shows the password.
    Last edited by fich; 04-20-2007 at 05:37 AM.

  12. #12
    Member
    Join Date
    Apr 2007
    Posts
    9

    -- ignore this --
    Last edited by fich; 04-20-2007 at 05:36 AM. Reason: Accidentally posted same message twice!

  13. #13
    Member
    Join Date
    Dec 2001
    Posts
    746

    Quote Originally Posted by fich
    This is very strange, but something I did notice was that when I did login to cpanel and went to the FTP accounts section it has ftp links in the format of ftp://user : pass@ftp.demo.com/demo.com

    Which actually show your user password (when you hover over it).
    Now I know to see this you would have to have been logged in but this means that the password must be stored somewhere in either plain text or reversible encryption!

    Maybe this could this have anything to do with it?
    Maybe a local file include exploit could grab this file or something?

    Check yourself on the cpanel 10 demo at :
    http://www.cpanel.net/products/cPane...try_cp_whm.htm

    When logged in, go to "FTP manager" then "FTP Accounts".

    Near the bottom are some links to the ftp server; hover over one and it shows the password.
    This will be different in cPanel 11. Please note that servers not running cPanel have been affected by this exploit as well so this is doubtful as the cause. Please send any relevant info to security AT cPanel .net


    I'm going to lock this thread as there is already a discussion here: http://forums.cpanel.net/showthread.php?t=62821

  14. #14
    cPanel Staff cpanelnick
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,514

    Quote Originally Posted by fich
    This is very strange, but something I did notice was that when I did login to cpanel and went to the FTP accounts section it has ftp links in the format of ftp://user : pass@ftp.demo.com/demo.com

    Which actually show your user password (when you hover over it).
    Now I know to see this you would have to have been logged in but this means that the password must be stored somewhere in either plain text or reversible encryption!

    Maybe this could this have anything to do with it?
    Maybe a local file include exploit could grab this file or something?

    Check yourself on the cpanel 10 demo at :
    http://www.cpanel.net/products/cPane...try_cp_whm.htm

    When logged in, go to "FTP manager" then "FTP Accounts".

    Near the bottom are some links to the ftp server; hover over one and it shows the password.

    It pulls it out of the password your browser sent.

    You can disable this in tweak settings.
