
cPanel jailshell being abused and causing downtime

Discussion in 'Security' started by Mugoma, Apr 24, 2017.

  1. Mugoma

    Mugoma Well-Known Member

    Joined:
    Aug 1, 2016
    Messages:
    74
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Nairobi
    cPanel Access Level:
    Root Administrator
    Hello,

    This issue was first reported in "cpanel uses jailshell for cron (problem)", but no solution was provided.

    We are running cPanel on CentOS 7.2, and since last week we have seen /usr/local/cpanel/bin/jailshell being abused by spammers.

    We see jailshell called many times, pushing CPU and RAM to 100% and making the server unusable.

    Code:
    Example email:
    
    # exim -Mvh 1d2bSf-0008UU-Uy
    1d2bSf-0008UU-Uy-H
    user 2341 993
    <user@server.com>
    1493030597 0
    -ident user
    -received_protocol local
    -aclc _outgoing_spam_scan 1
    1
    -body_linecount 5
    -max_received_linelength 51
    -auth_id user
    -auth_sender user@server.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -deliver_firsttime
    -local
    -spam_bar /
    -spam_score -0.0
    -spam_score_int 0
    -sender_set_untrusted
    XX
    1
    someusr@gmail.com
    
    202P Received: from user by server.com with local (Exim 4.89)
    (envelope-from <user@server.com>)
    id 1d2bSf-0008UU-Uy
    for someusr@gmail.com; Mon, 24 Apr 2017 12:43:20 +0200
    033* From: "(Cron Daemon)" <user>
    053F From: "(Cron Daemon)" <user@server.com>
    029T To: someusr@gmail.com
    045 Subject: Cron <user@simba2> php .php.php
    040 Content-Type: text/plain; charset=UTF-8
    031 Auto-Submitted: auto-generated
    017 Precedence: bulk
    036 X-Cron-Env: <XDG_SESSION_ID=196534>
    045 X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/2341>
    031 X-Cron-Env: <LANG=en_US.UTF-8>
    046 X-Cron-Env: <MAILTO=someusr@gmail.com>
    052 X-Cron-Env: <SHELL=/usr/local/cpanel/bin/jailshell>
    034 X-Cron-Env: <HOME=/home/user>
    033 X-Cron-Env: <PATH=/usr/bin:/bin>
    031 X-Cron-Env: <LOGNAME=user>
    028 X-Cron-Env: <USER=user>
    052I Message-Id: <E1d2bSf-0008UU-Uy@server.com>
    038 Date: Mon, 24 Apr 2017 12:43:17 +0200
    039 X-OutGoing-Spam-Status: No, score=-0.0 
    
     
    #1 Mugoma, Apr 24, 2017
    Last edited by a moderator: Apr 24, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,367
    Likes Received:
    1,857
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The output you provided suggests the account set up cron jobs to send out SPAM email. This is similar to what can happen if an account uploads a PHP file and uses it to send out SPAM via the web server. You'd generally need to suspend the account, or remove the cron jobs and change the account password if the account's login credentials were compromised.

    You could also set up a /etc/cron.deny file and add the account username to the file if you want to block cron jobs for a specific account.

    Thank you.
     
  3. Mugoma

    Mugoma Well-Known Member

    Joined:
    Aug 1, 2016
    Messages:
    74
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Nairobi
    cPanel Access Level:
    Root Administrator
    There are no cron jobs for the user:

    # crontab -l -u user
    no crontab for user

    # cat /var/spool/cron/crontabs/user
    cat: /var/spool/cron/crontabs/user: No such file or directory

    So, what's happening is something other than cron jobs.
     
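The two posts above describe the triage loop for cron-driven spam: read the queued message headers to see which account and command generated the mail, find where that job actually lives, and then block or remove it. The script below is an added example, not cPanel's code or anything from this thread. It parses constructed `exim -Mvh`-style header lines modelled on the dump in the first post, lists the places a job can live on a CentOS 7 (cronie) host (the per-user spool there is /var/spool/cron/<user>; /var/spool/cron/crontabs/ is the Debian layout), and adds a user to a cron.deny-style file idempotently. The file path is a parameter so it can be exercised against a temporary file; on a real host you would pass /etc/cron.deny. The sample header text and the hypothetical user `bob` are constructed for the example.

```shell
#!/bin/sh
# Added example (not cPanel's code): triage cron-generated spam from exim header dumps.

# Constructed sample, modelled on the `exim -Mvh <id>` output in the thread.
SAMPLE_HEADERS='045 Subject: Cron <user@simba2> php .php.php
052 X-Cron-Env: <SHELL=/usr/local/cpanel/bin/jailshell>
046 X-Cron-Env: <MAILTO=someusr@gmail.com>
045 Subject: Cron <bob@simba2> /usr/bin/perl /home/bob/.x/mailer.pl
031 Subject: Hello from a normal message'

# Print "user command" for every message whose Subject was written by crond
# ("Cron <user@host> command"). Input is a header dump passed as one string.
cron_jobs_from_headers() {
    printf '%s\n' "$1" | awk '
        /Subject: Cron </ {
            who = ""; start = 0
            for (i = 1; i <= NF; i++) if ($i == "Cron") { who = $(i+1); start = i+2; break }
            sub(/^</, "", who); sub(/@.*$/, "", who)   # "<user@host>" -> "user"
            cmd = ""
            for (j = start; j <= NF; j++) cmd = cmd (j > start ? " " : "") $j
            print who " " cmd
        }'
}

# Paths to inspect for a given user on CentOS 7 / cronie before concluding
# "there are no cron jobs". Printed, not read, so the function runs anywhere.
cron_locations() {
    user=$1
    printf '%s\n' \
        "/var/spool/cron/$user" \
        "/etc/cron.d" \
        "/etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly" \
        "/etc/crontab"
}

# Append a user to a cron.deny-style file exactly once.
# Usage: deny_cron <user> [deny_file]   (defaults to /etc/cron.deny)
deny_cron() {
    user=$1
    deny_file=${2:-/etc/cron.deny}
    touch "$deny_file"
    grep -qx "$user" "$deny_file" || printf '%s\n' "$user" >> "$deny_file"
}

# Stand-alone usage against the constructed sample (no root needed).
cron_jobs_from_headers "$SAMPLE_HEADERS"
cron_locations user
```

On a live host you would feed `cron_jobs_from_headers` the output of `exim -Mvh` for the queued IDs, check each path from `cron_locations` (plus `crontab -l -u <user>`), and only then decide between removing the job, denying cron for the account, or suspending it as the reply above suggests.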
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,367
    Likes Received:
    1,857
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  5. Mugoma

    Mugoma Well-Known Member

    Joined:
    Aug 1, 2016
    Messages:
    74
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Nairobi
    cPanel Access Level:
    Root Administrator
    We have since terminated the affected accounts. So, it would be difficult to replicate the issue.

    But we'll still raise a ticket and see if we can restore scripts that were injected to send spam.
     
  6. Mugoma

    Mugoma Well-Known Member

    Joined:
    Aug 1, 2016
    Messages:
    74
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Nairobi
    cPanel Access Level:
    Root Administrator
    Support Request ID: 8409211
     
  7. Linux1155

    Linux1155 Registered

    Joined:
    Jan 24, 2018
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Québec, Canada
    cPanel Access Level:
    Website Owner
    Hi,
    On April 25th, 2017, Mugoma opened a support ticket (ID '8409211') concerning a problem with a cron job.

    cPanelMichael said:
    You can post the ticket number here so we can update this thread with the outcome
    Mugoma said:
    Support Request ID: 8409211

    I have the same problem, and I would like to know the result of that ticket, i.e. the final outcome that resolved the situation.

    Thank you.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,367
    Likes Received:
    1,857
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Here's the response that solved the issue for that user:

    Thank you.
     