

cPanel Account compromised through cPanelID?

Discussion in 'Security' started by BSA Marketing, Jun 27, 2017.

  1. BSA Marketing

    BSA Marketing Registered

    Joined:
    Jun 27, 2017
    Messages:
    4
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Hi,

    I recently had unauthorised content added to a site. The compromise was tracked down to an unauthorised user gaining access to upload files via the cPanel API. The login used appears to be via cPanelID.

    However:

    • Although cPanelID was enabled, no IDs were set up/authorised to access the site
    • Only 1 user was set up on the account using a strong password, which I am confident was not compromised

    2 questions:

    • Has anyone seen anything like this before?
    • Has anyone any idea how this person may have gained access?
    Thanks in advance for any input
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,659
    Likes Received:
    1,428
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you provide the specific log entry that you are referring to (ensure to replace identifying information with examples)?

    Thank you.
     
  3. BSA Marketing
    I am no expert on these, but as far as I can see the following lines from the sessions log suggest a successful login.

    (Note I have taken out all IPs and identifying info)

    Code:
    [2017-06-11 19:58:55 +0100] info [cpaneld] 0.0.0.0 NEW username:chr_string1 "address=0.0.0.0,app=cpaneld,creator=domain,method=handle_form_login,path=form,possessed=0"
    [2017-06-11 19:58:56 +0100] info [cpaneld] 1.1.1.1 PURGE username:chr_string1 badpass [cookie ip check: IP address has changed]
    [2017-06-11 19:59:02 +0100] info [cpaneld] 1.1.1.1 NEW username:chr_string2 "address=1.1.1.1,app=cpaneld,creator=domain,method=handle_form_login,path=form,possessed=0"
    [2017-06-11 19:59:03 +0100] info [cpaneld] 0.0.0.0 PURGE username:chr_string2 badpass [cookie ip check: IP address has changed]
    [2017-06-11 19:59:15 +0100] info [cpaneld] 0.0.0.0 NEW username:chr_string3 "address=0.0.0.0,app=cpaneld,creator=domain,method=handle_form_login,path=form,possessed=0"
    [2017-06-11 20:04:03 +0100] info [cpaneld] 1.1.1.1 PURGE username:chr_string3 badpass [cookie ip check: IP address has changed]

    The attached file contains entries from the access log for the same period which seem to show files being uploaded via the json-api. (It would not let me save the message with these entries pasted into it.)
     

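The session-log lines quoted in the post above show a recurring shape: a session is created (NEW) from one address and purged moments later (PURGE ... badpass [cookie ip check: IP address has changed]) because the cookie was presented from a different address. The following script is an added example, not code from the poster or from cPanel; it parses that line format as quoted (field order assumed from the six lines above), pairs each NEW with its matching PURGE, and reports sessions whose purge address differs from the creating address, grouped per account. The sample log is the anonymised data from the post with the extraction whitespace normalised; 0.0.0.0 and 1.1.1.1 are the poster's placeholders, not real addresses.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the anonymised cpaneld session-log lines quoted in the
# thread, whitespace normalised. The IPs are the poster's placeholders.
SAMPLE_LOG = """\
[2017-06-11 19:58:55 +0100] info [cpaneld] 0.0.0.0 NEW username:chr_string1 "address=0.0.0.0,app=cpaneld,creator=domain,method=handle_form_login,path=form,possessed=0"
[2017-06-11 19:58:56 +0100] info [cpaneld] 1.1.1.1 PURGE username:chr_string1 badpass [cookie ip check: IP address has changed]
[2017-06-11 19:59:02 +0100] info [cpaneld] 1.1.1.1 NEW username:chr_string2 "address=1.1.1.1,app=cpaneld,creator=domain,method=handle_form_login,path=form,possessed=0"
[2017-06-11 19:59:03 +0100] info [cpaneld] 0.0.0.0 PURGE username:chr_string2 badpass [cookie ip check: IP address has changed]
[2017-06-11 19:59:15 +0100] info [cpaneld] 0.0.0.0 NEW username:chr_string3 "address=0.0.0.0,app=cpaneld,creator=domain,method=handle_form_login,path=form,possessed=0"
[2017-06-11 20:04:03 +0100] info [cpaneld] 1.1.1.1 PURGE username:chr_string3 badpass [cookie ip check: IP address has changed]
"""

# Field layout assumed from the quoted lines:
# [timestamp] level [app] client_ip EVENT user:session_token  remainder
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<level>\S+)\s+\[(?P<app>[^\]]+)\]\s+'
    r'(?P<ip>\S+)\s+(?P<event>NEW|PURGE)\s+(?P<session>\S+)\s*(?P<rest>.*)$'
)
IP_CHANGED_MARKER = 'IP address has changed'


def parse_line(line):
    """Parse one session-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['user'] = rec['session'].split(':', 1)[0]
    rec['when'] = datetime.strptime(rec['ts'], '%Y-%m-%d %H:%M:%S %z')
    return rec


def find_ip_changed_sessions(log_text):
    """Pair NEW/PURGE events per session token and return those purged by the
    cookie IP check from an address other than the one that created them."""
    opened = {}      # session token -> NEW record still awaiting its PURGE
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue             # unrelated line types are ignored
        if rec['event'] == 'NEW':
            opened[rec['session']] = rec
        elif rec['event'] == 'PURGE' and IP_CHANGED_MARKER in rec['rest']:
            start = opened.pop(rec['session'], None)
            if start is not None and start['ip'] != rec['ip']:
                findings.append({
                    'session': rec['session'],
                    'user': rec['user'],
                    'new_ip': start['ip'],
                    'purge_ip': rec['ip'],
                    'lifetime_s': int((rec['when'] - start['when']).total_seconds()),
                })
    return findings


def users_with_repeated_ip_mismatch(findings, threshold=2):
    """Accounts with at least `threshold` mismatched sessions, mapped to their count."""
    counts = Counter(f['user'] for f in findings)
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == '__main__':
    hits = find_ip_changed_sessions(SAMPLE_LOG)
    for h in hits:
        print(f"{h['user']}: session {h['session']} created from {h['new_ip']}, "
              f"purged from {h['purge_ip']} after {h['lifetime_s']}s")
    print('accounts to review:', users_with_repeated_ip_mismatch(hits))
```

Run against the sample, all three sessions are flagged and the single (anonymised) account accumulates three mismatches within six minutes. On its own that pattern only says the session cookie was used from an address other than the one that logged in; whether that is an attacker or a legitimate user behind a changing proxy or NAT address is settled by correlating the session tokens and timestamps with the access log, which is how the poster found the json-api uploads.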

  4. cPanelMichael (Staff Member)
    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look at the affected system?

    Thank you.
     
  5. BSA Marketing
    I have raised a ticket.
     
  6. BSA Marketing
    First thing to say: it turns out it was not cPanelID that was to blame. It was a compromised password obtained as a result of insecure FTP transactions. 2 takeaways from this:

    1. cPanel support is first rate, and the focus they put on getting to the bottom of this gives me confidence in the security of cPanel as a system.
    2. Using FTP is dangerous as it is insecure! Use SFTP instead.
     