cPanel jailshell being abused and causing downtime

Mugoma

Well-Known Member
cPanel Access Level
Root Administrator
Hello,

This issue was first reported in the thread "cpanel uses jailshell for cron (problem)", but no solution was provided.

We are running cPanel on CentOS 7.2 and since last week we see /usr/local/cpanel/bin/jailshell being abused by spammers.

We see jailshell called many times, pushing CPU and RAM to 100% and making the server unusable.

Code:
Example email:

# exim -Mvh 1d2bSf-0008UU-Uy
1d2bSf-0008UU-Uy-H
user 2341 993
<[email protected]>
1493030597 0
-ident user
-received_protocol local
-aclc _outgoing_spam_scan 1
1
-body_linecount 5
-max_received_linelength 51
-auth_id user
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-deliver_firsttime
-local
-spam_bar /
-spam_score -0.0
-spam_score_int 0
-sender_set_untrusted
XX
1
[email protected]

202P Received: from user by server.com with local (Exim 4.89)
(envelope-from <[email protected]>)
id 1d2bSf-0008UU-Uy
for [email protected]; Mon, 24 Apr 2017 12:43:20 +0200
033* From: "(Cron Daemon)" <user>
053F From: "(Cron Daemon)" <[email protected]>
029T To: [email protected]
045 Subject: Cron <[email protected]> php .php.php
040 Content-Type: text/plain; charset=UTF-8
031 Auto-Submitted: auto-generated
017 Precedence: bulk
036 X-Cron-Env: <XDG_SESSION_ID=196534>
045 X-Cron-Env: <XDG_RUNTIME_DIR=/run/user/2341>
031 X-Cron-Env: <LANG=en_US.UTF-8>
046 X-Cron-Env: <[email protected]>
052 X-Cron-Env: <SHELL=/usr/local/cpanel/bin/jailshell>
034 X-Cron-Env: <HOME=/home/user>
033 X-Cron-Env: <PATH=/usr/bin:/bin>
031 X-Cron-Env: <LOGNAME=user>
028 X-Cron-Env: <USER=user>
052I Message-Id: <[email protected]>
038 Date: Mon, 24 Apr 2017 12:43:17 +0200
039 X-OutGoing-Spam-Status: No, score=-0.0

cPanelMichael

Administrator
Staff member
Hello,

The output you provided suggests the account set up cron jobs to send out SPAM email. This is similar to what can happen if an account uploads a PHP file and uses it to send out SPAM via the web server. You'd generally need to suspend the account, or remove the cron jobs and change the account password if the account's login credentials were compromised.

You could also set up a /etc/cron.deny file and add the account username to the file if you want to block cron jobs for a specific account.

Thank you.
 

cPanelMichael

Administrator
Staff member
Hello,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

Linux1155

Registered
cPanel Access Level
Website Owner
Hi,
On April 25th, 2017, Mugoma opened a support ticket (ID '8409211') concerning a problem with one cron job.


Mugoma said:
    cPanelMichael said:
        You can post the ticket number here so we can update this thread with the outcome
    Support Request ID: 8409211
    (#6 Mugoma, Apr 25, 2017)

I have the same problem and I would like to know the result of this ticket, that is, what the final outcome was that resolved the situation.

Thank you.
 

cPanelMichael

Administrator
Staff member
Hello,

Here's the response that solved the issue for that user:

There isn't an option to disable the SHELL variable cPanel adds when creating a crontab through cPanel, but you can add any users who you don't want to allow crons for to "/etc/cron.deny", then create a new feature list for those users and remove the "Cron Jobs" feature through 'WHM -> Packages -> Feature Manager', which would remove the "Cron Jobs" interface from cPanel.
Thank you.
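The two pieces of advice in this thread (find and remove the offending cron jobs, then add the user to /etc/cron.deny) as an added example, not code from the thread or from cPanel: a POSIX shell audit that scans a directory laid out like /var/spool/cron for crontab commands that run an interpreter on a hidden file, the pattern in the "php .php.php" cron mail quoted above, and merges the flagged usernames into an existing cron.deny list. The directory layout, the interpreter list and the sample crontab contents used when calling it are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel. Audit per-user crontab
# files for commands that run an interpreter on a dotfile, e.g. "php .php.php",
# so the admin can review and remove them and decide whom to add to cron.deny.

# Print "user<TAB>command" for every non-comment crontab line in directory $1
# (one file per user, as under /var/spool/cron) whose command field runs
# php/perl/python/sh/bash on a hidden file. Variable assignments such as
# SHELL=/usr/local/cpanel/bin/jailshell and MAILTO=... are skipped.
audit_crontabs() {
  dir=$1
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    user=$(basename "$f")
    grep -v '^[[:space:]]*#' "$f" | grep -v '^[A-Za-z_][A-Za-z0-9_]*=' |
    awk -v u="$user" '
      {
        # @reboot/@hourly style lines have the command in field 2,
        # classic five-field lines have it from field 6 onwards
        start = ($1 ~ /^@/) ? 2 : 6
        if (NF < start) next
        cmd = $start
        for (i = start + 1; i <= NF; i++) cmd = cmd " " $i
        # interpreter, whitespace, optional path, then a filename starting with "."
        pat = "(^|[ \t/])(php|perl|python[0-9.]*|bash|sh)[ \t]+(\\./|[^ \t]*/)?\\.[A-Za-z0-9_]"
        if (cmd ~ pat) print u "\t" cmd
      }'
  done
}

# Proposed /etc/cron.deny content: the current list in file $2 (if any) plus
# every user flagged by audit_crontabs on directory $1, sorted and de-duplicated.
# Review the output before installing it; it does not modify the system.
build_cron_deny() {
  { [ -f "$2" ] && cat "$2"; audit_crontabs "$1" | cut -f1; } | sort -u
}
```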