An account hosted on my VPS was recently breached. I've resolved the account level issues and am keeping a close eye on it. It appears to have been caused by a back door created through a free WordPress theme that one of the site users installed without my knowledge.
While thinking about server security, I started poring over settings in WHM. Compiler Access has me a little stumped so I'm hoping someone here can help.
I've disabled compilers for unprivileged users but this link suggested that I go through the file and manually remove previously authorized unprivileged users.
https://docs.cpanel.net/whm/security-center/compiler-access/
When I logged in using SFTP, I verified that permissions of /usr/bin/gcc had been altered correctly. I then moved on to the group file check. I found two files on the server. One is /etc/group and the other is /etc/group-. The first question is, do I need both of those files?
I edited /etc/group to remove unprivileged user accounts that I no longer want to have access to compilers. The link posted above states, "If the compiler group contains a user without a corresponding cPanel account, someone modified the /etc/group file to add that user." What I'm unable to determine through investigating this file is what the defaults should be. I've scoured the internet for an example and I cannot find one. I could make some educated guesses on what belongs there but I do not want to make it impossible to update my server software either through the normal cPanel update process or via root.
I'll post a list of cPanel accounts and also the contents of the /etc/group file as it stands at this time.
Accounts (22):
sarcasm
bessmccarty
bluedive
catisms
cbmark
conundru
deadlyda
discount
literalg
marjwyat
mildlymy
mlmmillionaire
p0intlesspursu1t
sdvfwdonations
sixbetz
goteam
sportsbe
thelegen
virtuall
vmnet
websitz2
westsideguild
/etc/group contents:
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:30:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
ssh_keys:x:999:
systemd-journal:x:190:
dbus:x:81:
saslauth:x:76:
mailnull:x:47:
smmsp:x:51:
avahi:x:70:
apache:x:48:
rpc:x:32:
slocate:x:21:
sshd:x:74:
named:x:25:
nscd:x:28:
screen:x:84:
tcpdump:x:72:
input:x:998:
systemd-bus-proxy:x:997:
systemd-network:x:996:
mailtrap:x:995:
dovecot:x:97:
dovenull:x:994:
mysql:x:993:
cpanel:x:201:cpanel
cpanelphpmyadmin:x:202:cpanelphpmyadmin
cpanelphppgadmin:x:203:cpanelphppgadmin
cpanelroundcube:x:204:cpanelroundcube
cpanelrrdtool:x:205:cpanelrrdtool
mailman:x:206:mailman
compiler:x:992:cpanel
cpanellogin:x:991:
cpaneleximfilter:x:990:
cpaneleximscanner:x:989:
cpanelconnecttrack:x:988:
cpses:x:987:
mysyslog:x:986:cpses,smmsp,cpanel,mail,rpc,named,dbus,daemon,mailnull,dovecot,mysql,dovenull
cpanelcabcache:x:985:cpanelcabcache
cpaneldemo:x:1042:
cpanelsuspended:x:1043:
printadmin:x:984:
cpanelanalytics:x:983:cpanelanalytics
cgred:x:982:
tss:x:59:
linksafe:x:981:mailman
Thank you, in advance, for your advice and attention.
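The check the cPanel documentation describes (a compiler group member with no matching cPanel account means someone edited /etc/group) can be done mechanically rather than by eye. The script below is an added example, not code from the post or from cPanel: it parses /etc/group text, splits the compiler group's members into cPanel accounts, system users the operator has chosen to expect, and unexplained names, and diffs the group against /etc/group- (on Linux the shadow-utils tools, such as groupmod and vigr, keep the previous copy there before writing a new /etc/group, which is what the second file is). The sample inputs are constructed from the post's account list and group file, with a hypothetical /etc/group- that carries two extra members (sarcasm and unknownuser) purely to show the diff. The script deliberately does not assume any default membership; which system users count as expected (the post's open question) is passed in by the caller.

```python
"""Audit the 'compiler' group in /etc/group against the list of cPanel accounts.

Added example; not code from the forum post or from cPanel. The sample inputs
below are constructed from the post so the script runs offline. On a real
server, call audit_files() to read /etc/group and /etc/group- from disk.
"""
from pathlib import Path

# Constructed sample: an excerpt of the poster's current /etc/group.
CURRENT_GROUP = """\
root:x:0:
wheel:x:10:
cpanel:x:201:cpanel
compiler:x:992:cpanel
mysyslog:x:986:cpses,smmsp,cpanel,mail,rpc,named,dbus,daemon,mailnull,dovecot,mysql,dovenull
"""

# Constructed sample: a hypothetical /etc/group- (the pre-edit copy kept by the
# shadow tools) with two extra compiler members, to illustrate the diff.
PREVIOUS_GROUP = """\
root:x:0:
wheel:x:10:
cpanel:x:201:cpanel
compiler:x:992:cpanel,sarcasm,unknownuser
mysyslog:x:986:cpses,smmsp,cpanel,mail,rpc,named,dbus,daemon,mailnull,dovecot,mysql,dovenull
"""

# The 22 cPanel accounts listed in the post (on a real server take them from
# WHM's account list instead).
CPANEL_ACCOUNTS = frozenset({
    "sarcasm", "bessmccarty", "bluedive", "catisms", "cbmark", "conundru",
    "deadlyda", "discount", "literalg", "marjwyat", "mildlymy", "mlmmillionaire",
    "p0intlesspursu1t", "sdvfwdonations", "sixbetz", "goteam", "sportsbe",
    "thelegen", "virtuall", "vmnet", "websitz2", "westsideguild",
})


def parse_group(text: str) -> dict:
    """Parse /etc/group text into {group_name: {"gid": int, "members": set}}."""
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 colon-separated fields, got {len(fields)}")
        name, _password, gid, members = fields
        groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups


def _members(text: str, group_name: str) -> set:
    return set(parse_group(text).get(group_name, {}).get("members", set()))


def audit_compiler_group(group_text, cpanel_accounts, expected_system_members=frozenset(),
                         group_name="compiler"):
    """Classify the group's members: cPanel accounts, expected system users, or unexplained.

    Anything in 'unexplained' has no cPanel account and was not declared expected
    by the operator, which is exactly the condition the cPanel docs say to look for.
    """
    groups = parse_group(group_text)
    members = set(groups.get(group_name, {}).get("members", set()))
    cpanel = set(cpanel_accounts)
    system = set(expected_system_members)
    return {
        "present": group_name in groups,
        "cpanel_members": members & cpanel,
        "system_members": members & system,
        "unexplained": members - cpanel - system,
    }


def compiler_group_diff(current_text, previous_text, group_name="compiler"):
    """Members added to / removed from the group between the backup and the current file."""
    cur, prev = _members(current_text, group_name), _members(previous_text, group_name)
    return {"added": cur - prev, "removed": prev - cur}


def audit_files(cpanel_accounts, expected_system_members=frozenset(),
                group_path="/etc/group", backup_path="/etc/group-"):
    """Run both checks against the real files (backup is optional)."""
    current = Path(group_path).read_text()
    report = {"audit": audit_compiler_group(current, cpanel_accounts, expected_system_members)}
    backup = Path(backup_path)
    if backup.exists():
        report["diff_vs_backup"] = compiler_group_diff(current, backup.read_text())
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; 'cpanel' is declared expected here
    # only to show the parameter, not as a statement of what the default membership is.
    print("current :", audit_compiler_group(CURRENT_GROUP, CPANEL_ACCOUNTS, {"cpanel"}))
    print("previous:", audit_compiler_group(PREVIOUS_GROUP, CPANEL_ACCOUNTS, {"cpanel"}))
    print("diff    :", compiler_group_diff(CURRENT_GROUP, PREVIOUS_GROUP))
```

Run it as root with the real account list to get a report; a non-empty `unexplained` set, or an `added` set in the diff that you did not put there yourself, is the signal to investigate further, while `cpanel_members` lists the accounts that would still be able to invoke the compilers if access were re-enabled.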