The Community Forums


cron to generate new remote access key

Discussion in 'Security' started by Jcats, Sep 23, 2015.

  1. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    275
    Likes Received:
    31
    Trophy Points:
    28
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Hello,

    This is a new one we've run into today.

    We had a customer that was hacked; we are still unable to find out how initially, but their cPanel account is a reseller. They were sending remote API commands to change all passwords on the cPanel accounts under the reseller. We found out in the access logs that they were using the remote access key, so we cleaned up the accounts and generated a new hash key. A day later the same thing occurred. I just happened to have been going through the access logs and noticed this:

    Code:
    206.190.158.75 - USER [09/22/2015:18:19:13 -0000] "GET /cpsess5668280899/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Cron&cpanel_jsonapi_func=add_line&minute=0&hour=0&day=1&month=*&weekday=*&command=php%20-q%20%2Fhome%2FUSER%2Ftmp%2Fcron.php&cache_fix=1442945927803 HTTP/1.1" 200 0 "https://server:2083/cpsess5668280899/frontend/x3/cron/index.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0" "-" "-"
    
    Right away, I checked the crons for that user and saw:

    0 0 1 * * php -q /home/USER/tmp/cron.php

    Sure enough, clever little guy:

    pastebin.com/PvbQmmRn

    I have yet to see this. I've been working heavily with cPanel for over 6 years and am not sure if this is something new, but I figured I would share this with everyone in case you are experiencing it, and maybe see if cPanel can implement some way to counter this.

    I'll be happy to share any other info, but hopefully this will help others who are pulling their hair out; my eyes are bleeding from going through thousands of lines of the cPanel access logs.

    -Justin
     
    #1 Jcats, Sep 23, 2015
    Last edited by a moderator: Sep 24, 2015
    lx24 likes this.
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,694
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Thank you for taking the time to share this with others on the forum. The best way to address this issue is to determine how the account is getting hacked and take steps to prevent it from happening again. Is there a specific feature you feel would be helpful when this happens?

    Thank you.
     
  3. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    275
    Likes Received:
    31
    Trophy Points:
    28
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    Well, it's your typical WP hack, outdated plugin, etc. I was merely pointing out the way they were able to keep generating a new hash with a PHP script. I don't personally know what, or if anything, could be put into place to prevent that; I figured I would just share and let you guys with the brains decipher if there is anything that can be done. If not, then at least others can be aware of the possibility.
     
    #3 Jcats, Sep 29, 2015
    Last edited: Sep 29, 2015
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Impressive hack to maintain access, thanks for sharing.
     
  5. lx24

    lx24 Member

    Joined:
    Oct 2, 2014
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    That's called eagle eye. Reading logs ain't a joke.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,694
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    By default, resellers have privileges that allow them to set up a remote access key. One potential feature request you could open would be to include an option to limit the ability for resellers to set up remote access keys. That being said, in the meantime, for anyone who notices an account is hacked, it's always a good idea to review the cron jobs configured for the account after it's been hacked, in addition to any new files uploaded or changes made to existing files.

    Thank you.
     
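The two checks this thread boils down to, Justin's access-log hit in the first post and cPanelMichael's advice in the last post to review an account's cron jobs after a compromise, as an added Python example. This is not code from the original posts or from cPanel; it is written here to show how to hunt for the same pattern at scale. It parses cPanel access-log lines for cPanel API calls to the Cron module that add or edit entries, URL-decodes the scheduled command, and runs the same heuristics over a raw crontab dump. The sample log and crontab lines are constructed, modelled on the entry quoted above with the client IP and session token changed. The function name `add_line` comes from the quoted request; `edit_line`, the interpreter list, the "scratch directory" heuristic and the Apache-style line regex are my assumptions, so adjust them to what your own access log and cron layout look like.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not a real capture): modelled on the entry quoted in
# the thread, with the client IP replaced by a documentation address, the
# session token altered, and "USER" kept as the original post's placeholder.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - USER [09/22/2015:18:19:13 -0000] "GET /cpsess1234567890/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Cron&cpanel_jsonapi_func=add_line&minute=0&hour=0&day=1&month=*&weekday=*&command=php%20-q%20%2Fhome%2FUSER%2Ftmp%2Fcron.php&cache_fix=1442945927803 HTTP/1.1" 200 0 "https://server:2083/cpsess1234567890/frontend/x3/cron/index.html" "Mozilla/5.0" "-" "-"
203.0.113.10 - USER [09/22/2015:18:20:01 -0000] "GET /cpsess1234567890/frontend/x3/cron/index.html HTTP/1.1" 200 9812 "-" "Mozilla/5.0" "-" "-"
198.51.100.7 - bob [09/22/2015:19:00:00 -0000] "GET /cpsess0987654321/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Cron&cpanel_jsonapi_func=add_line&minute=30&hour=2&day=*&month=*&weekday=*&command=%2Fusr%2Flocal%2Fbin%2Fphp%20%2Fhome%2Fbob%2Fpublic_html%2Fwp-cron.php HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-"
"""

# Constructed crontab dump for the same account (what "crontab -l -u USER" would print).
SAMPLE_CRONTAB = """\
MAILTO=""
0 0 1 * * php -q /home/USER/tmp/cron.php
30 2 * * * /usr/local/bin/php /home/USER/public_html/wp-cron.php
"""

# Combined-log style request line as cPanel's access log writes it (assumption:
# adjust if your log format differs). Only GET requests expose their parameters
# here; a POSTed API call shows no query string, which is why the crontab itself
# must be audited as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# API 2 Cron functions that create or change a cron entry (assumption beyond add_line).
CRON_WRITE_FUNCS = {"add_line", "edit_line"}
SCHEDULE_FIELDS = ("minute", "hour", "day", "month", "weekday")

# Heuristics for a cron command that deserves a human look. Assumptions.
SCRATCH_DIRS = re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm|/home/[^/\s]+/tmp)/")
FETCHERS = re.compile(r"(^|[\s/|;&])(wget|curl|fetch)\b")
ENCODED = re.compile(r"\b(base64|eval|gzinflate|str_rot13)\b")


def suspicious_reasons(command):
    """Return the list of heuristics a cron command trips (empty list means clean)."""
    reasons = []
    if SCRATCH_DIRS.search(command):
        reasons.append("runs a file from a scratch/tmp directory")
    if FETCHERS.search(command):
        reasons.append("fetches content from the network")
    if ENCODED.search(command):
        reasons.append("contains an encoded or eval'd payload")
    return reasons


def cron_events_from_log(text):
    """Extract cPanel API calls that add or edit cron lines, with the decoded command."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if "/json-api/" not in target and "/xml-api/" not in target:
            continue
        qs = parse_qs(urlsplit(target).query)
        module = (qs.get("cpanel_jsonapi_module") or qs.get("cpanel_xmlapi_module") or [""])[0]
        func = (qs.get("cpanel_jsonapi_func") or qs.get("cpanel_xmlapi_func") or [""])[0]
        if module != "Cron" or func not in CRON_WRITE_FUNCS:
            continue
        command = qs.get("command", [""])[0]  # parse_qs already URL-decodes it
        events.append({
            "ip": m.group("ip"),
            "user": m.group("user"),
            "time": m.group("ts"),
            "func": func,
            "schedule": " ".join(qs.get(k, ["*"])[0] for k in SCHEDULE_FIELDS),
            "command": command,
            "reasons": suspicious_reasons(command),
        })
    return events


def audit_crontab(text):
    """Apply the same heuristics to a crontab dump; returns only the entries that trip one."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment, or environment assignment such as MAILTO=
        if line.startswith("@"):  # @daily, @reboot, ... shorthand
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        reasons = suspicious_reasons(command)
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for ev in cron_events_from_log(SAMPLE_ACCESS_LOG):
        flag = "SUSPICIOUS" if ev["reasons"] else "ok"
        print(f'{ev["time"]} {ev["ip"]} {ev["user"]} {ev["func"]}: {ev["schedule"]} {ev["command"]} [{flag}]')
    for f in audit_crontab(SAMPLE_CRONTAB):
        print("crontab:", f["schedule"], f["command"], "->", "; ".join(f["reasons"]))
```

Run it against a real access log (for example `python3 cronhunt.py < /usr/local/cpanel/logs/access_log`, after swapping the sample constant for stdin) and against `crontab -l -u <user>` output for every account touched by the incident. The two views deliberately overlap: the log tells you who installed the entry and when, the crontab tells you what is still scheduled regardless of how it got there, and a hit in the second with no matching hit in the first is itself a finding worth chasing.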