Found this in a free user's web folder

BartMan__X

Member
Aug 8, 2012
12
0
1
Houston, Texas, United States
cPanel Access Level
Website Owner
I found this in the folder of a free user. I forgot all about a cPanel free user signup script I had installed way back.
So anyway, a user signed up yesterday and uploaded this script. I can't tell if any harm has been done, but it looks like the user could gain access to usernames and passwords at the least. I decoded some of the base64 code and it says it installs a shell. So what should I do now? I'm scanning the entire VPS with Linux Malware Detect now and removing the signup script.

SOURCE


- removed script code -
 


Last edited by a moderator:

BartMan__X

Well, you took the time to remove the code I posted and change the title of my post ("Reason: no need to share code such as this". That's crap!) but didn't reply.
I think if the code was inspected by someone who knows what they are looking at, they could tell me where to look for modified files and such.
The file's name was CPanelCrack.php, and if you would like to see a copy of the code, PM me.

I can't see getting much help here if the details of my post are removed.

I'm about ready to dump CP altogether!
 

Infopro

Well-Known Member
May 20, 2003
17,113
507
613
Pennsylvania
cPanel Access Level
Root Administrator
I'm sorry you feel that way.

cPanel cannot assist you with this sort of script, or a compromised server. You might want to hire someone from the AppCat located here:
Sys Admin Services | cPanel App Catalog

There is no need to share that file on this forum. A simple search for the name can find many variations of it, all of them, BAD NEWS.

The script scans for every single website config file on your server. If you went by the date that file was added to your server, one could assume that every account, and website, needs its password changed. Or more appropriately, restored from a safe backup, before that file was added to the server.

I'm no expert though, hence no need to reply. I am the one who edited your thread though, and will do it again too.

Sorry, but that's what I do.

Waiting on a forum reply to this sort of thing is nuts. IMHO.

Good luck with this.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
86
78
cPanel Access Level
DataCenter Provider
BartMan, it's a rule of thumb to not post exploit code on web hosting / support forums.

Just because the file is called CPCrack does not mean cPanel is in any way responsible for the hack. 99.9% of these exploits are uploaded through either:

A. outdated CMS software, i.e. Joomla 1.5 or WordPress installs with old/vulnerable plugins

B. CMS software with poor admin passwords, or

C. accounts with weak FTP/cPanel passwords.

cPanel is not responsible for this; either you or the person who is the webmaster for that site is.

Now, all of that above would apply if this was a legitimate user whose site got "hacked." If you're offering free cPanel accounts, not to sound rude, but of COURSE someone is going to upload exploits and try to crack other passwords. You're just begging for it. I'd advise you to get on a good secure CloudLinux setup that separates your users, so that when malicious users like this one inevitably sign up, they can't access other accounts on your server.
 

BartMan__X

Well, I never said cPanel was responsible or in some way obligated to help me with this. I asked for a little help with this and the important parts were later removed.
The responses I did get basically said buy something.
In the long run I'll be saving
 

sahostking

Well-Known Member
May 15, 2012
340
4
68
Cape Town, South Africa
cPanel Access Level
Root Administrator

quizknows

> Well, I never said cPanel was responsible or in some way obligated to help me with this. I asked for a little help with this and the important parts were later removed.
> The responses I did get basically said buy something.
> In the long run I'll be saving

Sorry, internet is hard to understand people's "tone" sometimes. As a security admin, the code of the script you found is actually not all that important, rather how it got there. You know how it got there and took care of that; honestly, terminating the account and running a maldet scan / password change on your remaining accounts would have probably been fine. No need to re-image. However, if you know how to manage a server without cPanel, you may as well save the money.
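
The triage suggested earlier in the thread (work from the date the uploaded file landed on the server), as an added shell example that is not from any poster here: it lists files changed after the uploaded script, flags changed PHP files containing encoded-eval constructs, and lists CMS config files other accounts can read. The function names, the `/home` root, the `USER` placeholder and the grep patterns are assumptions.

```shell
#!/bin/sh
# Added triage example; function names, paths and patterns are assumptions.

# Regular files under ROOT whose mtime is later than the reference file's
# (here: the uploaded script, whose mtime marks when it landed).
changed_since() {
    ref=$1; root=$2
    find "$root" -type f -newer "$ref"
}

# Read file paths on stdin; print the PHP files that contain constructs
# commonly used to unpack encoded code (the post mentions base64).
flag_encoded_php() {
    while IFS= read -r f; do
        case $f in
            *.php|*.phtml) ;;
            *) continue ;;
        esac
        grep -lE '(eval|base64_decode|gzinflate)[[:space:]]*\(' "$f" 2>/dev/null || true
    done
}

# WordPress / Joomla config files that any other account can read.
exposed_configs() {
    find "$1" -type f \( -name wp-config.php -o -name configuration.php \) -perm -004
}

# Usage (USER is a placeholder): sh triage.sh /home/USER/public_html/CPanelCrack.php /home
if [ "$#" -eq 2 ]; then
    echo "== changed after $1 =="
    changed_since "$1" "$2"
    echo "== changed PHP with encoded-eval constructs =="
    changed_since "$1" "$2" | flag_encoded_php
    echo "== world-readable CMS configs =="
    exposed_configs "$2"
fi
```

File modification times can be reset by whoever wrote the file, so treat the output as a starting list rather than a complete one.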