Sl1k

Member
Feb 27, 2006


Hello,

I run cPanel on multiple servers. Something has been happening and I am not sure what the cause can be.

I believe I am being exploited, but I cannot trace the source of what is happening.
What happens is the /home folder gets wiped clean: all the data gets deleted. This has been happening to all servers; it seems like it does its rounds month after month.

I am looking for a good way to be able to trace and essentially prevent this from happening.

Any insight would be greatly appreciated.

Sl1k:p
 

abused1

Member
Jan 19, 2003
We had the same thing happen on one of our boxes about same time you posted this today.

There's nothing in the logs...



If it was a cPanel exploit I'd think more of our boxes would be affected. What other details can you provide on this? You said it happens every month? Is this happening to all your boxes? A single box? It's happening every month?
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
If you do not know what you are doing you need to either read up on server security (there are plenty of threads on this forum that talk about tracking down exploits) or hire a security specialist to investigate for you.

If you're aware of any unpatched security vulnerabilities in cPanel (and I cannot remember seeing a genuine one since the password reset via email one which was a very long time ago now) then you should inform cPanel immediately and directly.
 

abused1

Member
Jan 19, 2003
We very much know what we are doing. We manage over 1,000 servers. The affected box had grsecurity, the latest kernel, phpsuexec, the latest Apache, FrontPage, all of it... The box was not rooted, since only cPanel users' folders were affected and we see no signs to point otherwise. Not all accounts were affected, only around 500 out of 700 accounts.


At the same time it happened there was a jump in inbound traffic.

Everything we're finding is pointing to a cPanel hole in 10.8.0 stable, since this is the only box we had running this older version.


I highly doubt cPanel releases all of the exploits they find to the public.

We have contacted cpanel, and are hoping to get more information from other users in this forum with the same problem. If it's not a cpanel exploit it's something else, but either way there's a problem for us.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Then you're better off working directly with cPanel, as, without posting more information about exactly what evidence you've found in the logs, no-one is going to have anything to compare to.

It also doesn't matter at all how secure you think your server is, if there's one vulnerable PHP or perl script on a client site then the whole server can be compromised with relative ease. If there was no root exploit, then that's probably the most likely access point.
 

abused1

Member
Jan 19, 2003
I think we're all better off working together and determining what the victims have in common. So far we have two servers.


cPanel isn't sure, and if it was in the logs I wouldn't be here.
 

pilot51198

Member
May 26, 2006
Sl1k said:
Hello,

I run cPanel on multiple servers. Something has been happening and I am not sure what the cause can be.

I believe I am being exploited, but I cannot trace the source of what is happening.
What happens is the /home folder gets wiped clean: all the data gets deleted. This has been happening to all servers; it seems like it does its rounds month after month.

I am looking for a good way to be able to trace and essentially prevent this from happening.

Any insight would be greatly appreciated.

Sl1k:p
The only way I can conceive that anyone could delete the 'home' directory, which is the root in front of the actual 'public_html' directory, is NOT in cPanel. The way this is done is through FTP access or, if a file manager of some kind is used, through actual server CP 'root_access'.

What I think is actually happening is NOT cPanel. But someone is hacking through anonymous FTP access.

Here are the steps to disable 'Anonymous FTP' for (ALL ACCOUNTS):

If you are using something like Virutuisol CP for server access, click on FTP SETUP and check the box that says disable "FTP Anonymous Login Server".

If you are using WHM (WebHost Manager), which is made by cPanel, then you can look in the FTP setup in there and check the box that disables anonymous FTP.


You see, what happens with allowing anonymous login FTP is that anyone with an FTP client of some kind can enter your domains, click the "Anonymous" button, and it bypasses even passwords. This is especially true with Endora FTP or even SmartFTP. You NEVER allow anonymous, even for your host customers or any accounts you set up on your servers. Disable this promptly, as it is a very dangerous security risk.

Please let me know in the near future if this helps your current problem.

Cheers!
 

abused1

Member
Jan 19, 2003
We can eliminate this since user databases also are deleted which can't be done from ftp.
 

Sl1k

Member
Feb 27, 2006
pilot51198 said:
The only way I can conceive that anyone could delete the 'home' directory, which is the root in front of the actual 'public_html' directory, is NOT in cPanel. The way this is done is through FTP access or, if a file manager of some kind is used, through actual server CP 'root_access'.

What I think is actually happening is NOT cPanel. But someone is hacking through anonymous FTP access.

Here are the steps to disable 'Anonymous FTP' for (ALL ACCOUNTS):

If you are using something like Virutuisol CP for server access, click on FTP SETUP and check the box that says disable "FTP Anonymous Login Server".

If you are using WHM (WebHost Manager), which is made by cPanel, then you can look in the FTP setup in there and check the box that disables anonymous FTP.


You see, what happens with allowing anonymous login FTP is that anyone with an FTP client of some kind can enter your domains, click the "Anonymous" button, and it bypasses even passwords. This is especially true with Endora FTP or even SmartFTP. You NEVER allow anonymous, even for your host customers or any accounts you set up on your servers. Disable this promptly, as it is a very dangerous security risk.

Please let me know in the near future if this helps your current problem.

Cheers!

Thanks, I am going to try this out. Hopefully it will stop this.
I will update this thread once I have additional information or *hopefully* success.

Sl1k
 

pilot51198

Member
May 26, 2006
abused1 said:
We can eliminate this since user databases also are deleted which can't be done from ftp.
Then someone hacked the server. Because I don't see how they can delete the root directory with cPanel!
 

Sl1k

Member
Feb 27, 2006
I checked it out and found that anonymous FTP is disabled on every server as part of the standard build. So I am not sure what else could cause this.

Sl1k:p
 

abused1

Member
Jan 19, 2003
Sl1k, what version of cPanel is this happening to you on? Also please read everything I wrote and answer. Thanks!
 

StevenC

Well-Known Member
Jan 1, 2004
pilot51198 said:
Then someone hacked the server. Because I don't see how they can delete the root directory with cPanel!

cPanel runs as the user root, DUH


root 14471 0.0 2.2 11604 10096 ? S 22:59 0:00 cpsrvd - waiting for connections
 

abused1

Member
Jan 19, 2003
We figured out what happened...........



We discovered it happened after restoring a backup for a customer. All of the home directories actually ended up inside the user's directory that we were restoring. We are 100% sure this was not an error on our part, as we reviewed the entire command history. The SQL for all the affected accounts was deleted.

Nothing looked out of the ordinary at first, but what was different about this restore was that it was a complete tar of the user's directory. The user had cPanel at their old host, and instead of using the full cPanel account backup function, they apparently tar'd up the entire user directory for some reason. Somehow during untarring, it executed some scripts, and also turned on shell access on the account.


It seemed to somehow work with phpMyAdmin and the databases the user had imported to his account before we began restoring.
 
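The failure abused1 describes above (a raw tar of a user directory that, when untarred by the host, dropped home directories where they did not belong, executed scripts and turned on shell access) is what a pre-restore archive audit is for. The following is an added example, not code from the thread or from cPanel: a Python script that lists the hostile member kinds a customer-supplied tarball can carry (absolute paths, `..` traversal, links that resolve outside the home, device nodes, setuid bits, root ownership, login hooks) by reading member headers only, without extracting anything. The target home path, the hook list and the sample archive are constructed for the example.

```python
"""Audit a user's tar archive before restoring it into a cPanel home directory.

Nothing is extracted: only member headers are inspected, and every entry that
would land outside the target home, come back setuid or root-owned when untarred
as root, or run on the next login is reported.
"""
import io
import stat
import tarfile
from pathlib import PurePosixPath

# Top-level files that run, or grant access, on the next login or mail delivery.
# Assumed list for this example; review any of these by hand before restoring.
LOGIN_HOOKS = {
    ".bash_profile", ".bashrc", ".bash_login", ".profile",
    ".forward", ".procmailrc", ".ssh/authorized_keys",
}


def _join(base: PurePosixPath, rel: PurePosixPath) -> PurePosixPath:
    """Append rel to base, collapsing '.' and '..' without touching the filesystem."""
    parts = list(base.parts)
    for part in rel.parts:
        if part == "..":
            if len(parts) > 1:          # never climb above '/'
                parts.pop()
        elif part not in (".", "/"):
            parts.append(part)
    return PurePosixPath(*parts)


def _inside(path: PurePosixPath, base: PurePosixPath) -> bool:
    return path == base or base in path.parents


def audit_tar(data: bytes, home: str) -> list[tuple[str, str]]:
    """Return (member name, reason) pairs for every suspicious entry in the archive.

    `home` is the absolute directory the archive would be extracted into, e.g.
    /home/<account> (assumed layout); it only decides whether links stay inside.
    """
    base = PurePosixPath(home)
    findings: list[tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            p = PurePosixPath(m.name)
            # Path escapes are fatal on their own: report one reason and move on.
            if p.is_absolute():
                findings.append((m.name, "absolute path"))
                continue
            if ".." in p.parts:
                findings.append((m.name, "parent-directory traversal"))
                continue
            if m.issym() or m.islnk():
                target = PurePosixPath(m.linkname)
                if target.is_absolute():
                    resolved = _join(PurePosixPath("/"), target)
                elif m.issym():          # symlinks resolve relative to their own directory
                    resolved = _join(base, p.parent / target)
                else:                    # hard links are relative to the archive root
                    resolved = _join(base, target)
                if not _inside(resolved, base):
                    findings.append((m.name, f"link escapes home -> {resolved}"))
                continue
            # Attribute problems: a root-run untar recreates these faithfully.
            if m.ischr() or m.isblk():
                findings.append((m.name, "device node"))
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, "setuid/setgid bit"))
            if m.uid == 0:
                findings.append((m.name, "owned by root in archive"))
            if p.as_posix() in LOGIN_HOOKS:
                findings.append((m.name, "login hook: review contents before restore"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive: one benign file plus one member of each hostile kind."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, data=b"", **attrs):
            ti = tarfile.TarInfo(name)
            ti.uid = ti.gid = 1001           # the account being restored (assumed uid)
            ti.mode = 0o644
            for key, value in attrs.items():
                setattr(ti, key, value)
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data) if ti.isfile() else None)
        add("public_html/index.html", b"<h1>ok</h1>\n")
        add("../../home", type=tarfile.DIRTYPE, mode=0o755)
        add("/home/victim/.bashrc", b"rm -rf ~/* ~/.??*\n")
        add("public_html/etc", type=tarfile.SYMTYPE, linkname="/etc")
        add("tools/upload", b"#!/bin/sh\n", mode=0o4755)
        add("cgi-bin/root", b"#!/bin/sh\n", uid=0)
        add(".bash_profile", b"~/tools/upload &\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample_archive(), "/home/restored"):
        print(f"{reason:45s} {name}")
```

Run it against the real archive with `audit_tar(open(path, "rb").read(), "/home/<account>")` before any `tar -x` as root; anything it reports is reason to unpack into a scratch directory as the account user instead, and to insist on the cPanel account backup format in the first place. The audit only looks at headers, so it says nothing about what the benign-looking files contain; a `.bash_profile` it flags still has to be read.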

ServerNet

Member
Aug 19, 2004
I look at security issues every day, and nothing has been reported about this security hole, which makes me believe that it doesn't exist at all!

Edit:
I didn't read the last post, ignore my message!