Hi All,
One of our webhosts has come under attack recently by the same person. They have done the following on 6 cpanel accounts in the past week:
- Reset zone file back to defaults
- Add MX record pointing to amazonAWS
- Add CNAME records for amazonSES dkim
- Add TXT record for amazon proof of domain control
- Send test emails from the cpanel account to themselves: [email protected]

At the moment I've been tracking /var/log/exim_mainlog to see emails to rocketmail - that way I know the account has been breached. Then I am restoring from a daily jetbackup and changing the cpanel password.
I've been unable to determine the method of attack that they are doing. My going theory is that they are either exploiting CMS or website form vulnerabilities and using that to somehow gain access to cpanel, but what I have found today is that I haven't received a password change notification for the cpanel account like I normally would - so whatever they're doing, it doesn't involve a password reset.
I've attempted to comb through /usr/local/cpanel/logs/access_log to see what pages they were visiting, I can see a lot of email attempts but it's very difficult to work through these logs, even around the time period that exim_mainlog says an email went out.
This WHM has been hit previously by AnonymousFox attacks which exploit CMS vulnerabilities to reset cpanel passwords, but I have disabled the ability for users to reset their passwords as of 3 weeks ago, which has ruled out that method of infection.
The WHM runs on cloudlinux 7.9, WHM v96.0.9 and has imunify360 and kernelcare running. No threats have been picked up for this particular cpanel account.
The part that makes this extra annoying for us is the lack of cpanel auditing features - I'm unable to find a way to audit Zone file changes, or just general auditing of what a user account is doing, like you would be able to view in ausearch.
The extra extra annoying part is that our customers' domains are usually authoritative on this server, so the resetting of the zone file will stop their mail from working until we fix it. This server has DNS bind clustering configured to 2 other WHM servers. I am thinking of moving customers with authoritative DNS to another service such as cloudflare to reduce the impact of this attack unless I can definitively work out how we are being attacked. It is nice to have DNS + Website centralized for ease of access though.
Any assistance would be appreciated.
- Cameron
Code:
2021-06-05 07:12:26 1lpHa2-001KlD-Tx <= [email protected] H=sonic305-21.consmr.mail.gq1.yahoo.com [98.137.64.84]:40817 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=6623 [email protected] T="test" for [email protected]
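Added example (not from the post or from cPanel): a small parser for lines in the exim_mainlog format quoted above, which groups the "<=" arrival and "=>" delivery lines of each message, flags any message whose sender or recipient is in a watched domain such as rocketmail.com, and reports whether the message entered exim through SMTP AUTH (exim logs the authenticator and user as A=...) or without it, which is the distinction that tells you whether a mailbox password was used or the mail came from webmail or a script on the box. The yahoo hostname and 98.137.64.84 are taken from the quoted log line; every address, the second message id and the 203.0.113.x / 192.0.2.x IPs are constructed placeholders.

```python
import re

# Constructed sample in exim main-log format. Only the yahoo host and 98.137.64.84 come
# from the post's own log line; all addresses, the second message id and the
# 203.0.113.x / 192.0.2.x IPs are documentation placeholders, not data from the server.
SAMPLE_LOG = """\
2021-06-05 07:12:26 1lpHa2-001KlD-Tx <= sender@example.net H=sonic305-21.consmr.mail.gq1.yahoo.com [98.137.64.84]:40817 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=6623 id=a1@example.net T="test" for victim@customer-domain.example
2021-06-05 07:12:27 1lpHa2-001KlD-Tx => victim@customer-domain.example R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 ok"
2021-06-05 07:15:02 1lpHcW-001Kp2-Ab <= victim@customer-domain.example H=(localhost) [203.0.113.5]:51234 P=esmtpsa A=dovecot_login:victim@customer-domain.example S=812 id=b2@customer-domain.example T="test" for attacker@rocketmail.com
2021-06-05 07:15:03 1lpHcW-001Kp2-Ab => attacker@rocketmail.com R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.25] C="250 ok"
2021-06-05 07:15:03 1lpHcW-001Kp2-Ab Completed
"""

# "<=" = message arrived, "=>" = delivered to a recipient, "**" / "==" = failed / deferred.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) "
    r"(?P<flag><=|=>|->|\*\*|==) (?P<addr>\S+)(?P<rest>.*)$")
# key=value fields: H=host, P=protocol, A=authenticator:user, S=size, T="subject", id=...
FIELD_RE = re.compile(r'(?:^|\s)(?P<key>[A-Z]{1,2}|id)=(?P<val>"[^"]*"|\([^)]*\)|\S+)')
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")
FOR_RE = re.compile(r"\sfor\s+(?P<rcpts>.+)$")


def parse_line(line):
    """Parse one main-log line; returns None for lines that are not arrival/delivery events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    ip = IP_RE.search(rest)
    rcpts = FOR_RE.search(rest)
    return {
        "ts": m.group("ts"), "msgid": m.group("msgid"), "flag": m.group("flag"),
        "addr": m.group("addr").strip("<>"),
        "host": fields.get("H"), "ip": ip.group("ip") if ip else None,
        "auth": fields.get("A"), "proto": fields.get("P"), "subject": fields.get("T"),
        "rcpts": rcpts.group("rcpts").split() if rcpts else [],
    }


def parse_log(text):
    """Group arrival and delivery lines by exim message id, in first-seen order."""
    messages = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = messages.setdefault(rec["msgid"], {"msgid": rec["msgid"], "recipients": []})
        if rec["flag"] == "<=":
            msg.update(ts=rec["ts"], sender=rec["addr"], host=rec["host"], ip=rec["ip"],
                       auth=rec["auth"], proto=rec["proto"], subject=rec["subject"])
            new_rcpts = rec["rcpts"]
        elif rec["flag"] == "=>":
            new_rcpts = [rec["addr"]]
        else:
            new_rcpts = []
        for a in new_rcpts:
            if a not in msg["recipients"]:
                msg["recipients"].append(a)
    return list(messages.values())


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def flag_suspicious(messages, watch_domains):
    """Return messages with any party (sender or recipient) in a watched domain."""
    watch = {d.lower() for d in watch_domains}
    return [m for m in messages
            if any(_domain(a) in watch for a in m["recipients"] + [m.get("sender", "")])]


def origin_summary(msg):
    """Say how the message entered exim, which narrows down the compromised path."""
    if msg.get("auth"):
        return f"SMTP AUTH ({msg['auth']}) from {msg['ip']}"
    if msg.get("host") in (None, "localhost", "(localhost)") or (msg.get("ip") or "").startswith("127."):
        return "local submission without SMTP AUTH (webmail, PHP mail() or a script on the host)"
    return f"remote submission without SMTP AUTH from {msg.get('host')} [{msg.get('ip')}]"


if __name__ == "__main__":
    for m in flag_suspicious(parse_log(SAMPLE_LOG), {"rocketmail.com"}):
        print(m["ts"], m["msgid"], m.get("sender"), "->", m["recipients"], "|", origin_summary(m))
```

Run it against the real file with `parse_log(open("/var/log/exim_mainlog").read())`; a flagged message that shows SMTP AUTH points at the mailbox credential, while one with no A= field and a local source points at webmail or a script running under the account, which is where the access_log and the account's PHP files become the next place to look.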
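Added example (not from the post or from cPanel) for the missing zone-file audit: a minimal BIND zone-file parser that turns two snapshots of a zone into record sets, diffs them, and flags added MX/CNAME/TXT records that point at amazonaws.com or amazonses.com, the pattern the post describes. The two zone files are constructed; the record names used for the SES DKIM CNAME and the _amazonses verification TXT follow Amazon's documented layout but are placeholders, not the records seen on the server. Snapshots of /var/named/*.db taken from cron and compared with this would give the change history WHM does not provide.

```python
import re

# Constructed "before" and "after" snapshots of one customer zone; names, IPs and the
# verification token are placeholders, not records from the affected server.
ZONE_BEFORE = """\
$TTL 14400
@       IN SOA ns1.hostingprovider.example. hostmaster.hostingprovider.example. (
                2021060401 ; serial
                3600 7200 1209600 86400 )
@       IN NS  ns1.hostingprovider.example.
@       IN NS  ns2.hostingprovider.example.
@       IN A   192.0.2.10
@       IN MX  0 mail
mail    IN A   192.0.2.10
www     IN CNAME customer-domain.example.
@       IN TXT "v=spf1 +a +mx -all"
"""

ZONE_AFTER = """\
$TTL 14400
@       IN SOA ns1.hostingprovider.example. hostmaster.hostingprovider.example. ( 2021060502 3600 7200 1209600 86400 )
@       IN NS  ns1.hostingprovider.example.
@       IN NS  ns2.hostingprovider.example.
@       IN A   192.0.2.10
@       IN MX  0 mail
@       IN MX  10 inbound-smtp.us-east-1.amazonaws.com.
mail    IN A   192.0.2.10
www     IN CNAME customer-domain.example.
abc123._domainkey IN CNAME abc123.dkim.amazonses.com.
_amazonses        IN TXT "CONSTRUCTED-VERIFICATION-TOKEN"
"""

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
CLASSES = {"IN", "CH", "HS"}
SUSPECT_DOMAINS = ("amazonaws.com", "amazonses.com")


def _strip_comment(line):
    """Drop a trailing ';' comment, but not a ';' inside a quoted TXT string (DKIM, SPF)."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(text):
    """Yield (continuation, text); parenthesised multi-line records (SOA) become one line."""
    buf, depth, cont = [], 0, False
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        if not buf:
            cont = raw[:1] in (" ", "\t")      # blank owner = same owner as previous record
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield cont, " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return the zone as a set of (owner, type, rdata) tuples; SOA is skipped because its
    serial changes on every edit and would drown the diff."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner = set(), origin
    for cont, line in _logical_lines(text):
        tokens = TOKEN_RE.findall(line)
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):          # $TTL and friends do not change record identity
            continue
        if not cont:
            owner = _fqdn(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():      # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in CLASSES:
            tokens.pop(0)
        if len(tokens) < 2 or tokens[0].upper() == "SOA":
            continue
        records.add((owner, tokens[0].upper(), " ".join(tokens[1:])))
    return records


def diff_zones(old, new):
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def flag_records(records, suspect_domains=SUSPECT_DOMAINS):
    """Mail-routing records handed to a third party: MX/CNAME/TXT naming a suspect domain,
    or a TXT under _amazonses (the SES domain-verification owner name)."""
    flagged = []
    for owner, rtype, rdata in sorted(records):
        target = rdata.lower()
        if rtype in ("MX", "CNAME", "TXT") and (
                any(d in target for d in suspect_domains) or owner.startswith("_amazonses.")):
            flagged.append((owner, rtype, rdata))
    return flagged


if __name__ == "__main__":
    d = diff_zones(parse_zone(ZONE_BEFORE, "customer-domain.example"),
                   parse_zone(ZONE_AFTER, "customer-domain.example"))
    for r in d["removed"]:
        print("REMOVED", *r)
    for r in flag_records(d["added"]):
        print("SUSPECT", *r)
```

The same comparison run against live DNS (resolve MX and the _domainkey / _amazonses names for each customer domain from outside the server) would catch the change even when the zone is edited on a clustered peer rather than on this WHM.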