The Community Forums


cPanel exploited!

Discussion in 'General Discussion' started by Sl1k, May 28, 2006.

  1. Sl1k

    Sl1k Member



    Hello,

    I run cPanel on multiple servers. Something has been happening and I am not sure what the cause can be.

    I believe I am being exploited, but I cannot trace the source of what is happening.
    What happens is the /home folder gets wiped clean and all the data is deleted. This has been happening on all servers; it seems to do its rounds month after month.

    I am looking for a good way to be able to trace and essentially prevent this from happening.

    Any insight would be greatly appreciated.

    Sl1k:p
     
  2. abused1

    abused1 Member

    We had the same thing happen on one of our boxes at about the same time you posted this today.

    There's nothing in the logs...



    If it was a cPanel exploit I'd think more of our boxes would be affected. What other details can you provide on this? You said it happens every month? Is this happening to all your boxes? A single box? It's happening every month?
     
  3. abused1

    abused1 Member

    What version of cPanel were you running? We believe 10.8.0 stable has holes.
     
  4. chirpy

    chirpy Well-Known Member

    Location:
    Go on, have a guess
    If you do not know what you are doing you need to either read up on server security (there are plenty of threads on this forum that talk about tracking down exploits) or hire a security specialist to investigate for you.

    If you're aware of any unpatched security vulnerabilities in cPanel (and I cannot remember seeing a genuine one since the password reset via email one which was a very long time ago now) then you should inform cPanel immediately and directly.
     
  5. abused1

    abused1 Member

    We very much know what we are doing. We manage over 1,000 servers. The affected box had grsecurity, latest kernel, phpsuexec, latest Apache, FrontPage, all of it... The box was not rooted, since only cPanel users' folders were affected and we see no signs to point otherwise. Not all accounts were affected, only around 500 out of 700.


    The same time it happened there was a jump with inbound traffic.

    Everything we're finding is pointing to a cPanel hole in 10.8.0 stable, since this is the only box we had running this older version.


    I highly doubt cPanel releases all of the exploits they find to the public.

    We have contacted cPanel, and are hoping to get more information from other users in this forum with the same problem. If it's not a cPanel exploit it's something else, but either way there's a problem for us.
     
    #5 abused1, May 28, 2006
    Last edited: May 28, 2006
  6. chirpy

    chirpy Well-Known Member

    Location:
    Go on, have a guess
    Then you're better off working directly with cPanel, as, without posting more information about exactly what evidence you've found in the logs, no-one is going to have anything to compare to.

    It also doesn't matter at all how secure you think your server is; if there's one vulnerable PHP or Perl script on a client site then the whole server can be compromised with relative ease. If there was no root exploit, then that's probably the most likely access point.
     
  7. abused1

    abused1 Member

    I think we're all better off working together and determining what the victims have in common. So far we have two servers.

    cPanel isn't sure, and if it was in the logs I wouldn't be here.
     
  8. pilot51198

    pilot51198 Member

    The only way I can conceive that anyone could delete the 'home' directory, which is the root in front of the actual 'public_html' directory, is NOT in cPanel. The way this is done is through FTP access, or if a file manager of some kind is run through actual server control-panel 'root_access'.

    What I think is actually happening is NOT cPanel. Someone is hacking through anonymous FTP access.

    Here are the steps to disable 'Anonymous FTP' for (ALL ACCOUNTS):

    If you are using something like Virutuisol cp for server access, click on FTP SETUP and check the box that says disable "FTP Anonymous Login Server".

    If you are using WHM (WebHost Manager), which is made by cPanel, then you can look in the FTP setup in there and check the box that disables Anonymous FTP.

    You see, what happens with allowing anonymous login FTP is that anyone with an FTP client of some kind can enter your domains, click the "Anonymous" button, and it bypasses even passwords. This is especially true with Endora FTP or even Smart FTP. You NEVER allow anonymous, even for your host customers or any accounts you set up on your servers. Disable this promptly as it is a very dangerous security risk.

    Please let me know in the near future if this helps your current problem.

    Cheers!
     
  9. abused1

    abused1 Member

    We can eliminate this, since user databases are also deleted, which can't be done from FTP.
     
  10. Sl1k

    Sl1k Member


    Thanks, I am going to try this out. Hopefully it will stop this.
    I will update this thread once I have additional information or *hopefully* success.

    Sl1k
     
  11. pilot51198

    pilot51198 Member

    Then someone hacked the server. Because I don't see how they can delete the root directory with cPanel!
     
  12. Sl1k

    Sl1k Member

    I checked it out and found that Anonymous FTP is disabled on every server as part of the standard build. So I am not sure what else could cause this.

    Sl1k:p
     
  13. abused1

    abused1 Member

    Sl1k, what version of cPanel is this happening to you on? Also please read everything I wrote and answer. Thanks!
     
  14. Sl1k

    Sl1k Member

    The version I'm using is WHM 10.8.0 cPanel 10.8.2-R83.


    Sl1k
     
  15. StevenC

    StevenC Well-Known Member


    Cpanel runs as the user root DUH


    root 14471 0.0 2.2 11604 10096 ? S 22:59 0:00 cpsrvd - waiting for connections
     
  16. abused1

    abused1 Member

    We figured out what happened...



    We discovered it happened after restoring a backup for a customer. All of the home directories actually ended up in the user's account that we were restoring. We are 100% sure this was not an error on our part, as we reviewed the entire command history. The SQL for all the affected accounts was deleted.

    Nothing looked out of the ordinary at first, but what was different about this restore was that it was a complete tar of the user's directory. The user had cPanel at their old host, and instead of using the full cPanel account backup function, they apparently tarred up the entire user directory for some reason. Somehow during untarring, it executed some scripts, and also turned on shell access on the account.

    It seemed to somehow work with phpMyAdmin and the databases the user had imported to his account before we began restoring.
     
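    A pre-restore check of the kind this post argues for, added here as an example and not code from the thread or from cPanel: it walks a customer-supplied tarball before anything is extracted and flags entries that escape the restore directory, link outside it, carry setuid/setgid bits, or are shell startup files that would run as soon as shell access is enabled. The sample archive is constructed inline; the file names in it are invented.

```python
import io
import stat
import tarfile
from typing import List, Tuple

# Shell startup files run commands at the first login once shell access is on.
STARTUP_FILES = {".bashrc", ".bash_profile", ".profile", ".bash_logout"}


def audit_tar(data: bytes) -> List[Tuple[str, str]]:
    """Return (member, reason) findings; a non-empty list should block the restore."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            parts = m.name.split("/")
            if m.name.startswith("/") or ".." in parts:
                findings.append((m.name, "path escapes the restore directory"))
            if m.issym() or m.islnk():
                if m.linkname.startswith("/") or ".." in m.linkname.split("/"):
                    findings.append((m.name, f"link points outside archive: {m.linkname}"))
            if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, "setuid/setgid bit set"))
            if parts[-1] in STARTUP_FILES:
                findings.append((m.name, "shell startup file would run on login"))
    return findings


def build_sample() -> bytes:
    """Constructed sample tarball mixing one benign entry with several risky ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, content=b"", mode=0o644, ttype=tarfile.REGTYPE, link=""):
            info = tarfile.TarInfo(name)          # built by hand so names are kept verbatim
            info.type, info.mode, info.linkname = ttype, mode, link
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content) if content else None)
        add("public_html/index.html", b"<h1>hi</h1>")            # benign
        add("../../etc/cron.d/job", b"* * * * * root /tmp/x")    # traversal
        add("/home/victim/.bashrc", b"echo owned")               # absolute + startup file
        add("bin/cleaner", b"#!/bin/sh\n", mode=0o4755)          # setuid
        add("tmp/link", ttype=tarfile.SYMTYPE, link="/home")     # symlink out
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_tar(build_sample()):
        print(f"BLOCK {member}: {reason}")
```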
  17. ServerNet

    ServerNet Member

    I look at security issues every day, and nothing has been reported about this security hole, which makes me believe that it doesn't exist at all!

    Edit:
    I didn't read the last post, ignore my message!
     
  18. jackie46

    jackie46 BANNED

    He already answered that question! :rolleyes:
     