cPanel jailshell being abused and causing downtime

Discussion in 'Security' started by Mugoma, Apr 24, 2017.

  1. Mugoma

    Mugoma Well-Known Member

    Joined:
    Aug 1, 2016
    Messages:
    74
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Nairobi
    cPanel Access Level:
    Root Administrator
    Hello,

    This issue was first reported at cpanel uses jailshell for cron (problem), but no solution was provided.

    We are running cPanel on CentOS 7.2 and since last week we see /usr/local/cpanel/bin/jailshell being abused by spammers.

    We see jailshell called many times, pushing CPU and RAM to 100% and making the server unusable.

    Code:
    Example email:
    
    # exim -Mvh 1d2bSf-0008UU-Uy
    1d2bSf-0008UU-Uy-H
    user 2341 993
    <user@server.com>
    1493030597 0
    -ident user
    -received_protocol local
    -aclc _outgoing_spam_scan 1
    1
    -body_linecount 5
    -max_received_linelength 51
    -auth_id user
    -auth_sender user@server.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -deliver_firsttime
    -local
    -spam_bar /
    -spam_score -0.0
    -spam_score_int 0
    -sender_set_untrusted
    XX
    1
    someusr@gmail.com
    
    202P Received: from user by server.com with local (Exim 4.89)
    (envelope-from <user@server.com>)
    id 1d2bSf-0008UU-Uy
    for someusr@gmail.com; Mon, 24 Apr 2017 12:43:20 +0200
    033* From: "(Cron Daemon)" <user>
    053F From: "(Cron Daemon)" <user@server.com>
    029T To: someusr@gmail.com
    045 Subject: Cron <user@simba2> php .php.php
    040 Content-Type: text/plain; charset=UTF-8
    031 Auto-Submitted: auto-generated
    017 Precedence: bulk
    036 X-Cron-Env: <XDG_SESSION_ID=196534>
    045 X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/2341>
    031 X-Cron-Env: <LANG=en_US.UTF-8>
    046 X-Cron-Env: <MAILTO=someusr@gmail.com>
    052 X-Cron-Env: <SHELL=/usr/local/cpanel/bin/jailshell>
    034 X-Cron-Env: <HOME=/home/user>
    033 X-Cron-Env: <PATH=/usr/bin:/bin>
    031 X-Cron-Env: <LOGNAME=user>
    028 X-Cron-Env: <USER=user>
    052I Message-Id: <E1d2bSf-0008UU-Uy@server.com>
    038 Date: Mon, 24 Apr 2017 12:43:17 +0200
    039 X-OutGoing-Spam-Status: No, score=-0.0 
    
    #1 Mugoma, Apr 24, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,128
    Likes Received:
    1,368
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The output you provided suggests the account set up cron jobs to send out SPAM email. This is similar to what can happen if an account uploads a PHP file and uses it to send out SPAM via the web server. You'd generally need to suspend the account, or remove the cron jobs and change the account password if the account's login credentials were compromised.

    You could also set up a /etc/cron.deny file and add the account username to the file if you want to block cron jobs for a specific account.

    Thank you.
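A small triage script for the symptom discussed above, added here as an illustration (it is not cPanel's tooling and not the poster's commands): it reads `exim -Mvh`-style header dumps, counts queued messages per account that were produced by cron running under jailshell, and then shows the /etc/cron.deny step from the reply. The header sample is constructed from the layout in the first post; the function names, the "---" separator between dumps and the use of a caller-supplied deny-file path are assumptions made for this example.

```bash
#!/bin/sh
# Added example (not cPanel's tooling nor the poster's commands): triage
# queued Exim mail for cron-generated messages, then block cron for the
# offending account. Header layout follows the `exim -Mvh` dump in this
# thread; the sample below is constructed, not captured from a live server.

# Constructed sample: three header dumps separated by "---". Two are cron
# mail from "user" under jailshell, one is ordinary mail from "alice".
SAMPLE_HEADERS='1d2bSf-0008UU-Uy-H
user 2341 993
<user@server.com>
045 Subject: Cron <user@simba2> php .php.php
052 X-Cron-Env: <SHELL=/usr/local/cpanel/bin/jailshell>
031 X-Cron-Env: <LOGNAME=user>
---
1d2bSg-0008UV-Aa-H
user 2341 993
<user@server.com>
045 Subject: Cron <user@simba2> php .php.php
052 X-Cron-Env: <SHELL=/usr/local/cpanel/bin/jailshell>
031 X-Cron-Env: <LOGNAME=user>
---
1d2bSh-0008UW-Bb-H
alice 2342 993
<alice@server.com>
030 Subject: Hello from alice'

# Read header dumps from stdin (one message per "---"-separated block) and
# print "<login> <count>" for each account whose queued mail was produced
# by cron running under jailshell, busiest account first.
# On a live server the input would come from the real queue, e.g.:
#   for id in $(exiqgrep -i); do exim -Mvh "$id"; echo ---; done | cron_jailshell_senders
cron_jailshell_senders() {
    awk '
        function flush() {
            if (jailshell && login != "") count[login]++
            jailshell = 0; login = ""
        }
        /^---$/ { flush(); next }
        /X-Cron-Env: <SHELL=\/usr\/local\/cpanel\/bin\/jailshell>/ { jailshell = 1 }
        /X-Cron-Env: <LOGNAME=/ { sub(/.*<LOGNAME=/, ""); sub(/>.*/, ""); login = $0 }
        END { flush(); for (u in count) print u, count[u] }
    ' | sort -k2,2nr
}

# Mitigation from the reply above: list the account in cron.deny to block
# it from using cron. The file path is a parameter so the function can be
# exercised against a temporary file; on the server it is /etc/cron.deny.
# Idempotent: a login already listed is not appended twice.
deny_cron_for() {
    deny_file=$1
    login=$2
    [ -f "$deny_file" ] || : > "$deny_file"
    grep -qx -- "$login" "$deny_file" || printf '%s\n' "$login" >> "$deny_file"
}

# Demo on the constructed sample only (touches nothing on the live system).
printf '%s\n' "$SAMPLE_HEADERS" | cron_jailshell_senders
```

On the sample the triage prints `user 2` and nothing for alice, which is the signal to look at that account's crontab, home directory and password before deciding between suspension and a cron.deny entry.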
     
  3. Mugoma

    Mugoma Well-Known Member
    There are no cron jobs for the user:

    # crontab -l -u user
    no crontab for user

    # cat /var/spool/cron/crontabs/user
    cat: /var/spool/cron/crontabs/user: No such file or directory

    So, what's happening is something other than cron jobs.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  5. Mugoma

    Mugoma Well-Known Member
    We have since terminated the affected accounts. So, it would be difficult to replicate the issue.

    But we'll still raise a ticket and see if we can restore scripts that were injected to send spam.
     
  6. Mugoma

    Mugoma Well-Known Member
    Support Request ID: 8409211
     