Block 'unprotected' password change

Discussion in 'Security' started by Mugoma, Apr 21, 2017.

  1. Mugoma

    Mugoma Well-Known Member

    Joined:
    Aug 1, 2016
    Messages:
    74
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Nairobi
    cPanel Access Level:
    Root Administrator
    Hello,

    Recently we had user accounts being compromised. When we checked the logs we found the hacker calling `/unprotected/passwordstrength.cgi`:
    Code:
    41.251.163.205 - - [04/21/2017:15:19:29 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.domain.com:2082/resetpass" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" "-" 2082
    41.251.163.205 - - [04/21/2017:15:19:30 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.domain.com:2082/resetpass" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" "-" 2082
    41.251.163.205 - - [04/21/2017:15:19:30 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.domain.com:2082/resetpass" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" "-" 2082
    41.251.163.205 - - [04/21/2017:15:19:30 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.domain.com:2082/resetpass" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" "-" 2082
    41.251.163.205 - - [04/21/2017:15:19:30 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.domain.com:2082/resetpass" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" "-" 2082
    41.251.163.205 - - [04/21/2017:15:19:30 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.domain.com:2082/resetpass" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" "-" 2082
    
    
    How can we block such calls?

    Thanks.
     
    #1 Mugoma, Apr 21, 2017
    Last edited by a moderator: Apr 21, 2017
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,773
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Those are all very old posts.

    You can disable “Reset Password for cPanel accounts” here:
    WebHost Manager » Server Configuration » Tweak Settings, System tab.

    When someone wants to reset password they'll see this:
    [Image: resetpassdisabled.png]

    How to Reset a cPanel Account Password - cPanel Knowledge Base - cPanel Documentation

    You might also want to visit the Redirection tab and be sure that this option is on:
    Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS”

    If you actually visit domain.com:2082/resetpass you'll note that you need to know the user's username first, and then the email address, so you can receive a security code via email, to actually change a password.


    Personally, I've never enabled the option for a user to reset a password on any server I've ever managed. Probably since/due to those old posts from 2004.

    The password reset option should be quite secure now though. Making sure cPHulk is enabled would surely block failed logins to the system.
     
  4. Mugoma

    Mugoma Well-Known Member

    Joined:
    Aug 1, 2016
    Messages:
    74
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Nairobi
    cPanel Access Level:
    Root Administrator
    Hello,

    We have noticed several attacks on cPanel that look like exploits. The attacker first makes a call to change the email, then after that makes a call to change the password:
    Code:
    
    105.158.175.133 - - [04/22/2017:20:13:33 -0000] "GET /unprotected/loader.html?random=Ew1riJmbh_utDf9f&goto_uri= HTTP/1.1" 200 0 "http://domain.com/cpanel" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-" "-" 2082
    105.158.175.133 - - [04/22/2017:20:13:33 -0000] "GET /unprotected/redirect.html?goto_uri= HTTP/1.1" 200 0 "http://domain.com:2082/unprotected/loader.html?random=Ew1riJmbh_utDf9f&goto_uri=" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-" "-" 2082
    105.158.175.133 - - [04/22/2017:20:13:36 -0000] "GET /unprotected/redirect.html?goto_uri= HTTP/1.1" 200 0 "http://domain.com:2082/unprotected/loader.html?random=Ew1riJmbh_utDf9f&goto_uri=" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-" "-" 2082
    105.158.175.133 - - [04/22/2017:20:13:36 -0000] "GET /unprotected/redirect.html?goto_uri= HTTP/1.1" 200 0 "http://domain.com:2082/unprotected/loader.html?random=Ew1riJmbh_utDf9f&goto_uri=" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-" "-" 2082
    
    Could this be a vulnerability in cPanel?

    This is also related to Block 'unprotected' password change
     
    #4 Mugoma, Apr 23, 2017
    Last edited by a moderator: Apr 23, 2017
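Detection logic for the two patterns posted above (post #1: a burst of POSTs to `/unprotected/passwordstrength.cgi` from one IP; post #4: `loader.html` followed by `redirect.html` from one IP), added here as an example and not code from the thread or from cPanel. It parses the access-log layout Mugoma quoted and runs over constructed sample lines; the IPs are from documentation ranges and the thresholds (`burst`, `window`) are assumed starting values to tune against your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the cPanel access-log layout shown in the thread
# (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [04/21/2017:15:19:29 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.example.com:2082/resetpass" "Mozilla/5.0" "-" "-" 2082
198.51.100.7 - - [04/21/2017:15:19:30 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.example.com:2082/resetpass" "Mozilla/5.0" "-" "-" 2082
198.51.100.7 - - [04/21/2017:15:19:30 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.example.com:2082/resetpass" "Mozilla/5.0" "-" "-" 2082
203.0.113.9 - - [04/22/2017:20:13:33 -0000] "GET /unprotected/loader.html?random=abc&goto_uri= HTTP/1.1" 200 0 "http://example.com/cpanel" "Mozilla/5.0" "-" "-" 2082
203.0.113.9 - - [04/22/2017:20:13:36 -0000] "GET /unprotected/redirect.html?goto_uri= HTTP/1.1" 200 0 "http://example.com:2082/unprotected/loader.html" "Mozilla/5.0" "-" "-" 2082
192.0.2.5 - - [04/22/2017:21:00:00 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.example.com:2082/resetpass" "Mozilla/5.0" "-" "-" 2082
"""

# ip, timestamp, method and request path; the remainder of the line is ignored
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path without query string) or None on a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?", 1)[0]

def find_suspicious(log_text, burst=3, window=10):
    """Per source IP, flag (a) at least `burst` POSTs to passwordstrength.cgi inside
    `window` seconds and (b) loader.html followed by redirect.html inside `window` seconds."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])
    findings = []
    for ip, reqs in by_ip.items():
        reqs.sort()  # chronological; timestamps are timezone-aware
        posts = [t for t, m, p in reqs if m == "POST" and p == "/unprotected/passwordstrength.cgi"]
        for i in range(len(posts) - burst + 1):  # sliding window over the POST timestamps
            if (posts[i + burst - 1] - posts[i]).total_seconds() <= window:
                findings.append((ip, "passwordstrength_burst"))
                break
        loads = [t for t, _, p in reqs if p == "/unprotected/loader.html"]
        redirs = [t for t, _, p in reqs if p == "/unprotected/redirect.html"]
        if any(0 <= (r - l).total_seconds() <= window for l in loads for r in redirs):
            findings.append((ip, "loader_then_redirect"))
    return findings
```

Flagged IPs are candidates for a cPHulk or firewall block after manual review; a single legitimate password reset also POSTs to passwordstrength.cgi, so the burst threshold matters.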
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,773
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Threads merged here.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,659
    Likes Received:
    1,428
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Mugoma,

    Could you open a support ticket using the link in my signature so we can take a closer look at the logs on the affected system?

    Thank you.
     
  7. Mugoma

    Mugoma Well-Known Member

    Joined:
    Aug 1, 2016
    Messages:
    74
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Nairobi
    cPanel Access Level:
    Root Administrator
    Support ticket: 8416647
     