The Community Forums

Don't know where to post this (E-Mail Exploit)

Discussion in 'E-mail Discussions' started by jetnet, Nov 15, 2007.

  1. jetnet

    jetnet Active Member

    Joined:
    Jun 30, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    We have a server configured from Chirpy's group (been working GREAT up until today), and today we have had multiple situations where accounts were (broken?) into, and e-mail accounts were created, and then used to spam people. So the question is, how are these people gaining access to cPanel to add users? I contacted these customers, and asked their passwords, and they were like HayS3p15. Hardly one that I think could be guessed. And we have the csf firewall set to block anybody guessing passwords more than 3 times. And there have not been attempts to do that in some time.

    Any ideas? I will be glad to post log files, or anything else in here to help try and solve this problem / make everyone aware of a potential exploit.
     
  2. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Are the accounts that were used related in any way? Same machine? Same reseller? Have you looked through the cPanel access logs to see if the same IP address did all the damage?
     
  3. jetnet

    jetnet Active Member

    Joined:
    Jun 30, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    The two accounts are NOT related in any way. One of them is one of our resellers accounts here in Texas, and the other is a friend of mine in Oregon.

    This is the list of the IPs that are doing the damage. I changed the passwords on both of those accounts, and again, this morning someone got into the accounts and added a new email account, and used it to SPAM out this morning.

    Here is a snippet from access_log (I removed the username and the domain name):
     
  4. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    You need to search the entire logs everywhere for those IPs and see if you can figure out what they first did.

    Also, to rule out a possible trojan or keylogger, use a known clean PC and change the root, reseller and main passwords for the affected users. I would then open up a ton of sessions to watch those logs for the IPs that are doing the dirty work.
     
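    The log search suggested above, as an added example that was not posted by anyone in this thread: a small POSIX shell routine that pulls every request from a list of suspect IPs out of a cPanel-style access_log and reports, per IP, hit count, first and last sighting, and how many requests hit the mail-account creation page. The log line layout, the /usr/local/cpanel/logs/access_log location and the /frontend/x3/mail/doaddpop.html path are assumptions; the sample log lines and IP list are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise what a set of suspect IPs did in
# a cPanel-style access_log. Log layout and the doaddpop path are assumptions.

# Constructed sample log: IP, "-", cPanel user, [timestamp zone], "request", status, bytes
SAMPLE_LOG='203.0.113.10 - exampleuser [11/15/2007:08:01:12 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0
203.0.113.10 - exampleuser [11/15/2007:08:01:40 -0000] "GET /frontend/x3/mail/addpop.html HTTP/1.1" 200 0
203.0.113.10 - exampleuser [11/15/2007:08:02:03 -0000] "POST /frontend/x3/mail/doaddpop.html HTTP/1.1" 200 0
198.51.100.7 - exampleuser [11/15/2007:08:30:00 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0
192.0.2.44 - otheruser [11/15/2007:09:12:55 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0'

# Constructed suspect list, one IP per line (documentation-range addresses).
SUSPECT_IPS='203.0.113.10
198.51.100.7'

# suspect_activity LOGFILE IPFILE
# Prints one line per suspect IP: <ip> <hits> <first_seen> <last_seen> <creations>
suspect_activity() {
    awk '
        NR == FNR { suspect[$1] = 1; next }   # first file: the suspect IP list
        !($1 in suspect) { next }             # second file: skip other clients
        {
            ts = $4; sub(/^\[/, "", ts)       # timestamp without the leading "["
            hits[$1]++
            if (!($1 in first)) first[$1] = ts
            last[$1] = ts
            if ($7 ~ /\/mail\/doaddpop/) creates[$1]++   # $7 is the request path
        }
        END {
            for (ip in suspect)
                printf "%s %d %s %s %d\n", ip, hits[ip] + 0,
                       (ip in first ? first[ip] : "-"), (ip in last ? last[ip] : "-"),
                       creates[ip] + 0
        }
    ' "$2" "$1" | sort
}

# creations_by IP LOGFILE IPFILE: just the creation count for one suspect IP
creations_by() {
    suspect_activity "$2" "$3" | awk -v ip="$1" '$1 == ip { print $5 }'
}

# Stand-alone run against the constructed data. On a real server LOGFILE would
# point at the cPanel access log (assumed: /usr/local/cpanel/logs/access_log).
LOGFILE=$(mktemp); IPFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
printf '%s\n' "$SUSPECT_IPS" > "$IPFILE"
suspect_activity "$LOGFILE" "$IPFILE"
```

    The same awk filter can be pointed at the Exim, Apache and login logs in turn to build the "what did they do first" timeline rpmws describes.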
  5. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    As rpmws mentioned, a keylogger / trojan on some machine(s) that had access to those account credentials is the likely culprit.

    Not only do you need to change the passwords on those machines using a machine of yours that you know is not infected with anything, but then you'd have to contact your customer, notify them of the change in password, and instruct them to run a thorough scan of their system for spyware/malware/trojans. And if your customers have given that login information out to anybody else (their web developer, their admin, etc.) then those people would also need to thoroughly scan their systems.

    Mike
     
  6. jetnet

    jetnet Active Member

    Joined:
    Jun 30, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Which log files should I check? Cause I looked through access_logs, login_log, apache logs, messages, and a few others.
     
  7. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,383
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    I am just going out on a limb here. The account may have had a script exploited that allowed malicious users to access and read PHP code on the account. If users are not creating separate MySQL usernames and passwords (with a password that is different from their main account password) then it's not out of the realm of possibility that a hacker or script exploiter is reading the script configuration file, determining the username and password for that account, and then logging into the account's control panel and creating new mail users.

    Password strength and good script security cannot be ignored. End users are going to have to learn that it is imperative that they keep their scripts up-to-date or (at least in my opinion) they will have to be held accountable for any spam that is sent out through their account, even if the spam was sent out through a mail account that was created by a malicious user who gained access to the control panel via the insecurities in one of the user's scripts. Accountability has to be held somewhere.

    I'm not saying this is the case in this particular incident. I do know that I have seen users just create a MySQL database in their control panel, but they never create a new MySQL username and add access to that MySQL user to that MySQL database. Instead they just use the main account username and password, which also has access to the MySQL database.

    First and foremost, scripts need to be kept up-to-date. If this is not happening then you are exposing yourself to a lot of insecurities. Secondly, you need to configure the scripts so that should a script be exploited, the damage that is done through the exploit is limited.
     
  8. Bailey

    Bailey Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    120
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Wisconsin
    sparek-3, I was thinking the exact same thing. I have seen this happen in practice several times. It all comes down to keeping scripts patched/up-to-date.

    :D Bailey
     
  9. mohit

    mohit Well-Known Member

    Joined:
    Jul 12, 2005
    Messages:
    553
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sticky On Internet
    sparek-3 is 100% correct. Most of the time it's a virus-infected client, re-accessing everything from his infected system after a password change and then yelling again that the server is not secure and blah blah blah.

    In your case the affected end user should first make sure he is not infected. He should change his mail account password too, where he is getting the new password, because someone may be silently spying on his mail ID too.

    --
    mohit
     
  10. jetnet

    jetnet Active Member

    Joined:
    Jun 30, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Just to let you all know, after changing the passwords on all the accounts, and deleting all the mail bomb PHP scripts that he uploaded, I can attest that everything seems to be working again. After grilling the two clients, they both said that they had given their username and password to different web developers, and I can only assume that's where the problem was. I had them both scan their computers for keyloggers and viruses, and neither one of them came up with anything.

    Anyways, I do thank everyone for their comments, they helped get me in the right direction. As a result of this attack, I have written 5 aliases that help get the information I needed to track them down faster, as well as learned a ton about cPanel, and where and how it logs everything.
     