The Community Forums

Interact with an entire community of cPanel & WHM users!

Freshly Changed Secure Password Hacked

Discussion in 'General Discussion' started by azoundria, Nov 24, 2009.

  1. azoundria

    azoundria, Member (Joined: Apr 28, 2007; Messages: 10; Likes Received: 0; Trophy Points: 1)
    Hi All,

    So, I run free hosting, and so naturally you get to learn a fair bit about hacking and exploiting a cPanel/WHM/Linux server. But this one has me stumped.

    I'm only a reseller on the server, or otherwise I would have enabled PHPSuExec, and nobody with cPanel access would be able to upload whatever they wanted to my public_html directory. But that's not my concern.

    My concern is that someone, or something, got my 16 character random alphanumeric reseller password. (There are 4,178,511,850,022,702,569,647,809,560,576 possible combinations.) And they did so TWICE within 24 hours. (Two different random passwords without words of any sort.)

    The first time, I thought 'Gee, that's odd...' and got it changed. The second time was different. I've now restored the site, but here's what it looked like:

    http://www.ismywall.com/exploited.html

    I DO NOT USE JOOMLA. THIS HAS NOTHING TO DO WITH JOOMLA.

    That displayed at the URL: http://www.ismywall.com/index.php (now restored)

    Upon further analysis, here's the PHP code in that file:

    Code:
    <?php
    // Analyst's notes, added to the posted code (behaviour unchanged): this is a
    // salted-MD5 dictionary cracker. It receives "digest:salt" in the POST field
    // 'hash' and tests every word of two wordlists against that digest.
    $hashes = array();
    $i = 0;
    // $_POST['hash'] is split before the ISSET check below, so a request without
    // that field only produces PHP notices; the cracking loop does not run.
    $parts = explode(":", $_POST['hash']);
    $hashes[$i][0] = $parts[0];   // target MD5 digest
    $hashes[$i][1] = $parts[1];   // salt appended to each candidate word

    if (ISSET($_POST['hash']))
    {
        $str = " ";
        echo "<font size=2 face=Verdana color=#FFFFFF><u>Started: </u>";
        echo date("F j, Y, g:i:s a");

        // kamus1.txt / kamus2.txt are the wordlists ("kamus" is Indonesian for "dictionary")
        $lines = file('kamus2.txt');
        foreach ($lines as $line_num => $line)
        {
            check($line);
        }

        $lines = file('kamus1.txt');
        foreach ($lines as $line_num => $line)
        {
            check($line);
        }

        echo "<br><font size=2 face=Verdana color=#FFFFFF><u>Finished : </u>";
        echo date("F j, Y, g:i:s a");
    }

    function check($a)
    {
        global $i;
        $a = rtrim($a);

        for ($x = 0; $x <= $i; $x++)
        {
            global $hashes;

            // md5(word . salt) compared against the submitted digest
            if (md5($a . $hashes[$x][1]) === $hashes[$x][0])
            {
                // Output is Indonesian: "The original password of <hash> is: <word>"
                echo "<font size=2 face=Verdana color=#FFFFFF><br><br>Password asli dari :</font> <br><font size=2 face=Verdana color=#00FF00>$_POST[hash]<br> </font><font size=2 face=Verdana color=#FFFFFF>adalah : </font><font size=2 face=Verdana color=#00FF00><h1>$a</h1></font>";
                echo "<u>Ended: </u>";
                echo date("F j, Y, g:i:s a");
            }
        }
    }
    ?>
    The kamus1.txt and kamus2.txt are files with dictionary words. The whole thing was unzipped from a file 'brute.zip', and I have reuploaded it under a different name in case you wanted to take a full look:

    -removed-

    Now, the only other file that wasn't there before was this one:

    -removed-

    But it appears to be designed to launch under Windows. (Both files above have been renamed; originally they were brute.zip and reiluke_adminpagefinder.rar.)

    So can anyone tell me how someone could get my cPanel/WHM password with this access? I am asking because maybe there is a new vulnerability in the cPanel/WHM or maybe it's an attack we can stop with proper server security.

    Looks to me to be brute force, and the file is designed to keep checking, but the dictionaries don't look like they'd match my password.
     
    #1 azoundria, Nov 24, 2009
    Last edited by a moderator: Nov 24, 2009
  2. d_t

    d_t, Well-Known Member (Joined: Sep 20, 2003; Messages: 243; Likes Received: 1; Trophy Points: 18; Location: Bucharest)
    First, ask your provider to check the server log to see whether the files were indeed uploaded to the server with your user/pass. If so, you might have a virus on your computer that stole your password from your FTP client or web browser and used it to upload that file to the server.

    There's a new tool that prevents this on the server side: ConfigServer eXploit Scanner (cxs).

    Also, you should install a good antivirus on your computer (like Kaspersky Anti-Virus).
     
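The log check d_t recommends, as an added example that is not from the thread or from cPanel: the script parses FTP transfer records in the classic xferlog format (the layout pure-ftpd and proftpd write; on cPanel hosts the file is typically `/usr/local/apache/domlogs/ftpxferlog`, which is an assumption about the deployment) and reports, for one account, which files were uploaded and from which remote hosts. An upload of `brute.zip` from an address the account owner has never used is the evidence that separates "my password was stolen and replayed" from "the server itself was breached". The sample lines, the username `resellerx` and the IP addresses are constructed; only the file names mirror the thread.

```python
"""Pick one account's uploads out of an xferlog-format FTP log (added example, not from the thread)."""
from collections import Counter
from datetime import datetime

# Constructed xferlog records: file names mirror the thread, hosts are RFC 5737 test addresses.
# Field order per the xferlog format: timestamp (5 tokens), transfer seconds, remote host,
# bytes, file name, transfer type, special action, direction (i=upload, o=download),
# access mode, username, service, auth method, auth user id, completion status (c=complete).
SAMPLE_XFERLOG = """\
Sun Nov 22 10:02:11 2009 1 192.0.2.10 5120 /home/resellerx/public_html/index.php a _ o r resellerx ftp 0 * c
Mon Nov 23 09:15:44 2009 1 192.0.2.10 1024 /home/resellerx/public_html/css/site.css a _ i r resellerx ftp 0 * c
Mon Nov 23 22:41:07 2009 2 198.51.100.23 184320 /home/resellerx/public_html/brute.zip b _ i r resellerx ftp 0 * c
Mon Nov 23 22:41:09 2009 1 198.51.100.23 91204 /home/resellerx/public_html/reiluke_adminpagefinder.rar b _ i r resellerx ftp 0 * c
Mon Nov 23 22:41:20 2009 1 198.51.100.23 2893 /home/resellerx/public_html/index.php a _ i r resellerx ftp 0 * c
"""

# The nine fixed fields that follow the file name.
_TAIL_FIELDS = ("transfer_type", "special_action", "direction", "access_mode",
                "username", "service", "auth_method", "auth_user_id", "completion")


def parse_xferlog(text):
    """Parse xferlog records into dicts; lines with too few fields are skipped.

    The file name is taken from the middle (everything between the byte count and
    the nine tail fields), so a name containing spaces does not shift the parse.
    """
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 + 3 + 1 + len(_TAIL_FIELDS):
            continue
        rec = {
            "time": datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y"),
            "seconds": int(tokens[5]),
            "remote_host": tokens[6],
            "size": int(tokens[7]),
            "filename": " ".join(tokens[8:-len(_TAIL_FIELDS)]),
        }
        rec.update(zip(_TAIL_FIELDS, tokens[-len(_TAIL_FIELDS):]))
        records.append(rec)
    return records


def uploads_by_user(records, username):
    """Completed incoming transfers (direction 'i') for one account, in log order."""
    return [r for r in records
            if r["username"] == username and r["direction"] == "i" and r["completion"] == "c"]


def hosts_for_uploads(uploads):
    """Count uploads per remote host; an address the owner does not recognise is the lead."""
    return Counter(r["remote_host"] for r in uploads)


def uploads_from_unknown_hosts(uploads, known_hosts):
    """Uploads whose source address is not one the account owner actually uses."""
    return [r for r in uploads if r["remote_host"] not in known_hosts]


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    ups = uploads_by_user(recs, "resellerx")
    print(hosts_for_uploads(ups))
    for r in uploads_from_unknown_hosts(ups, {"192.0.2.10"}):
        print(r["time"], r["remote_host"], r["filename"])
```

The `known_hosts` set is whatever addresses the owner can vouch for (home, office, their own VPN endpoint); when the uploads that match the intrusion window come from elsewhere while logging in as the owner, the credential left the owner's machine, which is the case d_t's advice about a local infostealer covers.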