cPanel jailshell being abused and causing downtime

Mugoma

Well-Known Member
Aug 1, 2016
74
4
8
Nairobi
cPanel Access Level
Root Administrator
Hello,

This issue is first reported at cpanel uses jailshell for cron (problem) but no solution provided.

We are running cPanel on CentOS 7.2 and since last week we see /usr/local/cpanel/bin/jailshell being abused by spammers.

We see jailshell called many times pushing 100% CPU and RAM, and making server unusable.

Code:
Example email:

# exim -Mvh 1d2bSf-0008UU-Uy
1d2bSf-0008UU-Uy-H
user 2341 993
<[email protected]>
1493030597 0
-ident user
-received_protocol local
-aclc _outgoing_spam_scan 1
1
-body_linecount 5
-max_received_linelength 51
-auth_id user
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-deliver_firsttime
-local
-spam_bar /
-spam_score -0.0
-spam_score_int 0
-sender_set_untrusted
XX
1
[email protected]

202P Received: from user by server.com with local (Exim 4.89)
(envelope-from <[email protected]>)
id 1d2bSf-0008UU-Uy
for [email protected]; Mon, 24 Apr 2017 12:43:20 +0200
033* From: "(Cron Daemon)" <user>
053F From: "(Cron Daemon)" <[email protected]>
029T To: [email protected]
045 Subject: Cron <[email protected]> php .php.php
040 Content-Type: text/plain; charset=UTF-8
031 Auto-Submitted: auto-generated
017 Precedence: bulk
036 X-Cron-Env: <XDG_SESSION_ID=196534>
045 X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/2341>
031 X-Cron-Env: <LANG=en_US.UTF-8>
046 X-Cron-Env: <[email protected]>
052 X-Cron-Env: <SHELL=/usr/local/cpanel/bin/jailshell>
034 X-Cron-Env: <HOME=/home/user>
033 X-Cron-Env: <PATH=/usr/bin:/bin>
031 X-Cron-Env: <LOGNAME=user>
028 X-Cron-Env: <USER=user>
052I Message-Id: <[email protected]>
038 Date: Mon, 24 Apr 2017 12:43:17 +0200
039 X-OutGoing-Spam-Status: No, score=-0.0
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,218
463
Hello,

The output you provided suggests the account setup cron jobs to send out SPAM email. This is similar to what can happen if an account uploads a PHP file and uses it to send out SPAM via the web server. You'd generally need to suspend the account, or remove the cron jobs and change the account password if the account's login credentials were compromised.

You could also setup a /etc/cron.deny file and add the account username to the file if you want to block cron jobs for a specific account.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,218
463
Hello,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

Linux1155

Registered
Jan 24, 2018
1
0
1
Québec, Canada
cPanel Access Level
Website Owner
Hi,
On April 25th, 2017, Mugoma emitted a ticket of support ID '8409211' concerning a problem with one job cron.


Mugoma Well-Known Member

cPanelMichael said:
You can post the ticket number here so we can update this thread with the outcome
Support Request ID: 8409211

#6 Mugoma, Apr 25, 2017

I have the same problem and I would have liked knowing what is the result of this ticket that it was the final outcome to resolve the situation.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,218
463
Hello,

Here's the response that solved the issue for that user:

There isn't an option to disable the SHELL variable cPanel adds when creating a crontab through cPanel but you can add any users who you don't want to allow crons for to "/etc/cron.deny" then create a new feature list for those users and remove the "Cron Jobs" feature through 'WHM -> Packages -> Feature Manager' which would remove the "Cron Jobs" interface from cPanel.
Thank you.