Found This in a free users webfolder

[BartMan__X]

I Found This in the folder of a free user .. i forgot all about a cpanel free user signup script i had installed wayback
.. so anyway a user signed up yesterday and uploaded this script .. i cant tell if any harm has been done but it looks like the user could gain access to usernames and passwords at the least .. i decoded some of the base 64 code and says it installs a shell .. so what should i do now? im scanning the Entire VPS with Linux Malware Detect now and removing the signup script.
SCREENSHOT
View attachment 16261

SOURCE


- removed script code -

 

[BartMan__X]

well you took the time to remove the code i posted and change the title of my post. ("Reason: no need to share code such as this" thats crap ! )
but didnt reply.
i think if the code was inspected by someone who knows what they are looking at they could tell me where to look for modified files
and such.
The Files Name was CPanelCrack.php and if you would like to see a copy of the code PM me.

i cant see getting much help here if the details of my post are removed ..

im about ready to dump CP all together!

 

[Infopro]

I'm sorry you feel that way.

cPanel cannot assist you with this sort of script, or a compromised server. You might want to hire someone from the AppCat located here:
Sys Admin Services | cPanel App Catalog

There is no need to share that file on this forum. A simple search for the name can find many variations of it, all of them, BAD NEWS.

The script scans for every single website config file on your server. If you went by the date that file was added to your server, one could assume that every account, and website, needs its password changed. Or more appropriately, restored from a safe backup, before that file was added to the server.

I'm no expert though, hence no need to reply. I am the one who edited your thread though, and will do it again too.

Sorry, but that's what I do.

Waiting on a forum reply to this sort of thing, is nuts. IMHO.

Good luck with this.

 

[BartMan__X]

ok you can close this thread! i fixed it by re-imaging the vps and canceling my cpanel license.

best fix i could find. HAVE A NICE DAY!

 

[quizknows]

BartMan, it's a rule of thumb to not post exploit code on web hosting / support forums.

Just because the file is called CPCrack does not mean cPanel is in any way responsible for the hack. 99.9% of these exploits are uploaded through either:

A. outdated CMS software, i.e. joomla 1.5 or wordpress installs with old/vulnerable plugins

B. CMS software with poor admin passwords, or

C. accounts with Weak FTP/cPanel passwords.

cPanel is not responsible for this; either you or the person who is the webmaster for that site is.

Now, all of that above would apply if this was a legitimate user whos site got "hacked." If you're offering free cPanel accounts, not to sound rude, but of COURSE someone is going to upload exploits and try to crack other passwords. You're just begging for it. Id advise you to get on a good secure cloudlinux setup that separates your users, so that when malicious users like this one inevitably sign up, they can't access other accounts on your server.

 

[BartMan__X]

Well I never said cpanel was responsible or in someway obligated to help me with with this .. I asked for a little help with this and the important parts were later removed.
The response's I did get basically said buy something.
In the long run ill be saving

 

[sahostking]

Why not install things like Linux Maldetect which is free Linux Malware Detect | R-fx Networks

Although I think CXS is a bit better in my opinion by config server: ConfigServer eXploit Scanner (cxs)
Although there is a cost for the "better" product

Also if you had CageFS you would be far more secure.

 

[quizknows]

Well I never said cpanel was responsible or in someway obligated to help me with with this .. I asked for a little help with this and the important parts were later removed.
The response's I did get basically said buy something.
In the long run ill be saving

Sorry, internet is hard to understand peoples "tone" sometimes. As a security admin, the code of the script you found is actually not all that important, rather how it got there. You know how it got there and took care of that; honestly, terminating the account and running a maldet scan / password change on your remaining accounts would have probably been fine. No need to re-image. However, if you know how to manage a server without cPanel, you may as well save the money.