caeos

Well-Known Member
Jul 18, 2007
79
0
56
UK
Some (but not all ) accounts on a shared host i looked at have this file
.cpanelinfo.php
whcih contains
Code:
<?php
/**
 * @package     Cpanel.Info
 *
 * @copyright   Copyright (C) 2013 cpanel.com All rights reserved.
 * @license     GNU General Public License version 2 or later
 */

$filter = @$_COOKIE['p3'];
if ($filter) { etc
is this a legitimate file or something else?
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
I don't see those files on the server I'm working on now, and they do not sound familiar. I could be wrong but I don't think it should be there.

What's the rest of the content of the file?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
Hello :)

This is not a file created or handled by the cPanel software. You may want to investigate it further to see if it's part of a third-party plugin that you have installed.

Thank you.
 

kazar01

Registered
Nov 2, 2013
2
0
1
cPanel Access Level
Root Administrator
Hi,

few days ago I've found .cpanelinfo.php files in all acounts public_html folders on the server. These files are malicious and can be used to execute shell commands on the server or modify users files! You can check this yourself using the following command:

Code:
curl -b "p3=system; p2=cat ///etc///passwd;;" yourdomain.com/.cpanelinfo.php
I advise you to remove/disable such files ASAP and reset server root password. On my server these files were uploaded via cPanel, so I have reset passwords for all cPanel accounts too.

Also I want to detect how attacker got access to 'root' account in cPanel and I have a question for cPanel staff: please check the part of logs below, did attacker use accesshash to log in WHM? Or root password was used ? Please advice.

Code:
5.34.177.110 - root [10/26/2013:21:23:25 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
5.34.177.110 - root [10/26/2013:21:23:29 -0000] "GET /json-api/domainuserdata?domain=example.com.orig HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
...
5.34.177.110 - - [10/26/2013:21:27:08 -0000] "POST /login/ HTTP/1.1" 301 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
5.34.177.110 - root [10/26/2013:21:27:10 -0000] "GET /cpsess3152952527/xfercpanel/camsuom HTTP/1.1"  0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
5.34.177.110 - - [10/26/2013:21:27:11 -0000] "GET /cpsess3152952527/login/?session=camsuom:n3xOvIITshqynmjtt69yYzAMG2UmZPbgPbS2bDWO4gmg5DXFBFRPH1vKH0_jYs9b,aab292dba48b85fa3b45f8540eb4938c1661c920a0c8a2aa83d04dbf687cb771^M HTTP/1.1" 301 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
5.34.177.110 - camsuom [10/26/2013:21:27:12 -0000] "GET /cpsess3152952527/frontend/x3/index.html?post_login=71314175206959 HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
5.34.177.110 - camsuom [10/26/2013:21:27:17 -0000] "POST /cpsess3152952527/json-api/cpanel HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
 

caeos

Well-Known Member
Jul 18, 2007
79
0
56
UK
it has appeared on empty accounts. i though it was suspect and renamed it to .txt thanks so far,,. on to investigation