The Community Forums


Hacked

Discussion in 'General Discussion' started by MscLimp, Jan 13, 2007.

  1. MscLimp

    MscLimp Active Member

    Joined:
    Mar 3, 2003
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Hey everyone,

    My servers were hacked today, using what I believe may be a large scale cPanel exploit.

    The user gained access to an account on each server, and was able to give it reseller privileges with full root access. How, you may ask? I found the following in the cPanel logs:

    [removed]


    My servers are well secured; we have done and installed many security features to keep scripts from being exploited and the server hacked. mod_security, for example.

    Not to mention we also block ports 2086 and 2087 using APF in order to keep such things from happening. We have to manually add IPs to the allow_list in order to access WHM. Any ideas how this person might have got through?

    I am baffled by this...!
     
    #1 MscLimp, Jan 13, 2007
    Last edited by a moderator: Jan 13, 2007
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If you believe that you have been exploited through cPanel then you need to contact cPanel directly not post the details on these forums. So log a ticket with them or through your license provider and have them investigate.
     
  3. Nhojohl

    Nhojohl Well-Known Member

    Joined:
    Nov 28, 2006
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    Apparently not...

    Anyway, enough of the criticism, you probably had a hole somewhere other than cPanel, either way you need to contact cPanel directly...
     
  4. MscLimp

    MscLimp Active Member

    Joined:
    Mar 3, 2003
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Found out the user was using WebShell.cgi through the cgi-bin of a user in order to execute wwwacct in the /scripts folder.

    Any ideas as to how to block WebShell.cgi? Since it's running as CGI, it's very tricky...
     
  5. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    36
    Disable and do not offer jailshell if that is the root path. FTP is sufficient for any hosting client to manage things. Just my opinion and practice.
     
  6. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    16
    As an admin, I'd REALLY like to see those logs that were removed. What does /scripts/wwwacct have to do with anything?
     
  7. electron33

    electron33 Well-Known Member

    Joined:
    Feb 24, 2004
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    16
    This doesn't stop users from uploading WebShell via FTP and running shell commands. WebShell doesn't depend on WHM's shell manager, which is bad.
     
  8. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    This script is just one of the new "backdoor" tools. r57shell, c99shell, and phpshell are also "backdoor" applications, designed to exploit a vulnerability in a system and open it to future access by an attacker.
     
  9. MscLimp

    MscLimp Active Member

    Joined:
    Mar 3, 2003
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Andy,

    Is there any way to block these?

    We found out they used this WebShell script to view our config file for ModernBill, obtain the DB user and password, and then find the hash keys for the servers.
     
  10. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Do you have mod_security installed? If not I would definitely install it. If so, you might need to come up with a rule specifically for this problem. Check gotroot.com for some rulesets to start you off on the right foot.
     
  11. nader1

    nader1 Member

    Joined:
    Sep 12, 2006
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    OMG!

    This really sucks.

    I really depend on this community for advice for issues with my cPanel server. I admit I'm still novice at running my own server.

    Here is my situation.

    I only allow access to my webserver to business clients that I know in my industry, and only ones I've conducted business with for over 6 months.

    Are there any specific warning signs that I can look for as a novice?
     
  12. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Hire someone to lock down your box and have them provide details of what to watch out for.
    Do daily chkrootkit scans, monitor your logs, look for new accounts, etc, etc
     
  13. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Add the following directive to your mod_security rules:

    SecFilterSelective THE_REQUEST "WebShell\.cgi"

    The problem here is that hackers may change the name of the file. Make sure that your server is hardened and secured.
     
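A filename rule like the one above stops the request path "WebShell.cgi" and nothing else; a renamed copy sails through, which is the caveat AndyReed raises. The script below is an added example (not code from this thread or from cPanel) of the complementary check on disk: walk a user's web and CGI directories and flag both the well-known shell filenames named in this thread (WebShell, r57shell, c99shell, phpshell) and any CGI or PHP file that calls a command-execution function. The execution-call pattern and the sample tree it builds are assumptions constructed for the demonstration, not a vetted signature set; treat hits as things to look at, not proof of compromise.

```shell
#!/bin/sh
# Added example: heuristic scan for uploaded web shells in user web trees.
# Not from the forum thread or from cPanel. Assumes a POSIX sh with find,
# grep -E and mktemp -d (GNU or BSD).

# Filenames named in the thread as known backdoor tools (matched case-insensitively).
KNOWN_NAMES='webshell|r57shell|c99shell|phpshell'

# Assumed heuristic: direct command-execution calls in Perl/PHP sources.
# Legitimate scripts can match this too, so review every hit by hand.
EXEC_PAT='(system|exec|passthru|shell_exec|popen)[[:space:]]*\('

scan_webshells() {
  # $1: directory to scan. Prints one "reason<TAB>path" line per hit.
  find "$1" -type f \( -iname '*.cgi' -o -iname '*.pl' -o -iname '*.php' \) 2>/dev/null |
  while IFS= read -r f; do
    base=$(basename "$f")
    if printf '%s\n' "$base" | grep -Eiq "$KNOWN_NAMES"; then
      printf 'known-name\t%s\n' "$f"
    elif grep -Eq "$EXEC_PAT" "$f"; then
      printf 'exec-call\t%s\n' "$f"
    fi
  done
}

webshell_count() {
  # $1: directory. Prints the number of hits (0 when clean).
  scan_webshells "$1" | grep -c . || true
}

make_sample() {
  # Constructed sample tree for the demonstration; prints its path.
  # Three users: one dropped the shell under its real name, one renamed it,
  # one has only benign files.
  d=$(mktemp -d)
  mkdir -p "$d/user1/public_html/cgi-bin" "$d/user2/public_html/cgi-bin" \
           "$d/user3/public_html/cgi-bin"
  printf '#!/usr/bin/perl\nprint "shell";\n' > "$d/user1/public_html/cgi-bin/WebShell.cgi"
  printf '<?php echo "hello"; ?>\n' > "$d/user1/public_html/index.php"
  # Renamed copy: the filename rule misses it, the content pattern does not.
  printf '#!/usr/bin/perl\nuse CGI; my $q = CGI->new;\nsystem($q->param("cmd"));\n' \
    > "$d/user2/public_html/cgi-bin/img.cgi"
  printf '#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\nvisits: 1\\n";\n' \
    > "$d/user3/public_html/cgi-bin/counter.cgi"
  printf '%s\n' "$d"
}

# Usage: sh scan.sh --demo   (scans the constructed tree, then removes it)
#        sh scan.sh /home   (on a real server, run as root)
if [ "${1:-}" = "--demo" ]; then
  d=$(make_sample)
  scan_webshells "$d"
  rm -rf "$d"
elif [ -n "${1:-}" ]; then
  scan_webshells "$1"
fi
```

Run it from cron against /home and diff the output against the previous run; a new "exec-call" hit in a cgi-bin that has not changed in months is the kind of warning sign nader1 asks about later in this thread.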
  14. SonServers

    SonServers Well-Known Member

    Joined:
    Oct 24, 2001
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    cPanel runs as root, correct?

    Would removing read and execute permission from everyone but root on the files in /scripts adversely affect anything? Wouldn't that stop any shell scripts uploaded by "nobody" from executing any cPanel scripts?

    Does anyone other than root need to be able to execute the scripts?
     
  15. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    find /scripts -perm 755 -exec chmod 750 {} \;

    Will make all your scripts only accessible by the root user. Give it a shot, I'm not sure if this will negatively affect cPanel/WHM or not.
     
  16. Zion Ahead

    Zion Ahead Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    This messed up my frontpage extensions. How do I reverse this command?
     
  17. katmai

    katmai Well-Known Member

    Joined:
    Mar 13, 2006
    Messages:
    526
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brno, Czech Republic
    I see like 4 or 5 people asking now for stuff. Remember a few things.

    IF YOUR SERVER IS OK, DO NOT MAKE EXTRA CONFIGS WITHOUT KNOWING WHAT YOU DO.

    First comes testing, then comes passing the production stuff to customers. Geez.

    And second of all, this thread's name is totally wrong. There is no cPanel/WHM exploit; the only way the haxorz gained access to your webserver is because you did not secure your box enough.

    Third of all, there is a ton of information on this forum so you can harden and configure your box even if you are a total novice. All problems have answers.

    Fourth of all, yes, if you really don't know what you're doing then hire an expert. They will do the job faster, and better.

    Simple.
     
  18. Zion Ahead

    Zion Ahead Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    stop preaching...no one wants to hear you


    Does anyone know how to correct the issue I mentioned?
     
  19. Murtaza_t

    Murtaza_t Well-Known Member

    Joined:
    Jan 24, 2005
    Messages:
    476
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    cPanel Access Level:
    Website Owner
    Try this:

    find /scripts -perm 750 -exec chmod 755 {} \;

    that will revert to what it was.
     
  20. Kelmas

    Kelmas Well-Known Member

    Joined:
    Nov 6, 2006
    Messages:
    121
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lithuania
    As I saw in cPanel's file owners, it is not only root; cpanel is also there.
     