The Community Forums

Interact with an entire community of cPanel & WHM users!

Hackers can gain access to Cpanel

Discussion in 'General Discussion' started by driverC, Mar 18, 2008.

  1. driverC
    Hi,

    Apparently, if hackers manage to execute a PHP script with user privileges (i.e. by running PHP as CGI), they are able to gain cPanel access. They then log in, create email accounts and send fraudulent spam using Squirrel signatures.

    Example of a hacker logging in to cPanel after executing an outdated (insecure) copy of OS Commerce with user privileges:

    41.219.209.3 - - [03/18/2008:02:46:22 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; S$
    41.219.209.3 - username [03/18/2008:02:46:46 -0000] "GET / HTTP/1.1" 301 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT$
    41.219.209.3 - username [03/18/2008:02:47:12 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "" "Mozilla/4.0 (compatible$

    At the end of the lines it reads "Crazy Browser 2.0.1".

    This issue has also been described on Webhostingtalk.

    There seems to be a security issue in cPanel that allows hackers who find an insecure script they can execute with user privileges to gain cPanel access. The Nigeria Connection seems to have developed software for this. I am getting an abuse complaint from my DC about once every 2 days now and I see no way to fix this. There are like 1000 accounts hosted on the servers and hundreds of thousands of PHP scripts. Fixing all of them is impossible even though I am trying. I would just appreciate it if cPanel could fix this and prevent the Nigerian mafia from sending their fraudulent emails.
     
  2. nyjimbo
    Are you sure they are getting cPanel access and not just root access to the server? If there is an exploitable script on your machine that allows a user to get root access to create accounts, they would not need to go to cPanel. Do you see them actually creating the email accounts in cPanel? If they get root access then they can get cPanel access, but if they already have root they don't need to go back to cPanel to fully control your machine.
     
  3. sparek-3
    I'm not saying that this is not an issue that needs further investigation, but if users are running old and outdated scripts on their websites, what do they really expect anyway?

    There are reasons why scripts are updated and why some scripts are not looked upon very favorably: they are security risks. Users that run scripts that are old and outdated should expect their website to be hacked.
     
  4. rpmws

    Back in September I found 2 cases of this. I specifically remember the exact same Crazy Browser and remember them using the change password on webmail.

    I dug and dug for a full day to figure out the cause. It turned out to be a super simple password on the email box. In fact it was the word "password", and the other was "email". The email user called me and complained that he was blocked via BFD and that his POP3 password would no longer work. I verified that the bot or hacker was using his webmail account to do batches of spam. I told the user to go back into cPanel and change back his password. 1 hour later a different IP was in his same account again, had changed the password again and was sending spam. I then decided to change the password to "guess_me". The very next round of hits on that webmail account all failed access. I saw 3 attempts. I then changed the password to "password" and sure enough they were back in and doing spam business. I called the client and verified it was that simple password. Changed it to something really easy to remember but much harder to guess and no more problems. If this had been a true exploit I really feel this would not stop them. And I verified the password with the client. I think there is a bot floating around... checking port 995@address.com user:email@address.com pass:password.
     
  5. nyjimbo
    This drives me fricking insane. Just two days ago a customer couldn't remember his cpanel password and asked me to change it to "qwerty". I told him if I did that, to be sure to change it as soon as he got back in. He told me ALL of his passwords on other services are "qwerty" and nobody has ever hacked his other accounts, so why should he have to change it here.

    I reminded him that if he gets hacked we will shut his account off and not call him. Some people are really that stupid. I know a huge law firm that has ALL of its email accounts passwords set to "1234", just amazing.
     
  6. rpmws
    And 3-4 months ago is when I had this problem and is when I started begging Nick for some tools in cPanel to help clients and the WHM admin create better passwords. I would say, if you have looked at it lately... I think they have done a fine job and just maybe in time these weak passwords we will have no more. You know, in most cases all we need to do is add something simple to these things. I mean come on... you know how much more unlikely password_1 is to get guessed than just "password"? It doesn't take a whole lot to get much better. It's these qwerty and 1234 and password ones that kill me too. :(
     
  7. driverC
    Alright guys... this is not a password issue. After another account got hacked yesterday I changed the password to something really complicated like V9hy-N4ai7tG. I also changed the password of all email accounts (to something else). Today I found that the exact same hacker logged in again!! Without changing the password!! He logs in to webmail, changes the Squirrel signature and then sends spam to thousands of people.

    I ran RK Hunter and Chkrootkit and found nothing. No other traces of root access either. Nothing unusual on the server otherwise. To me it seems there is a way to bypass the cPanel login when you have user access via a hacked PHP script. Maybe the hackers are creating a cPanel session or something that lets them log in. I guess that is what they do... they have user privileges, create a cPanel session, then steal this session browser-wise and then they get cPanel access! It must be this way!
     
  8. rpmws
    Change the email account password to something... don't tell anyone. See if they get back in. Don't enter it or put it anywhere in any email client. If they could bypass cPanel they would have access to all your email accounts by now.
     
  9. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member
    Two things:

    1. Is your cPanel install fully up-to-date (running build 21703 at time of writing)?

    2. Have you tracked down and removed the offending PHP script?

    Also, do what rpmws suggested, change the password and don't tell anyone, not even the user. Slight possibility, but the user's computer itself could be compromised with a key-logger or something similar (especially if access is from a public terminal).
     
    #9 cPanelKenneth, Mar 20, 2008
    Last edited: Mar 20, 2008
  10. rpmws
    Change the cPanel and POP password.

    Something to remember... if the hacker had root he would be doing all kinds of stuff to other accounts most likely.
     
  11. orudge
    I have been having similar problems, on a variety of accounts. Even with account passwords being changed, hackers still manage to be able to get in. The only slightly suspicious things I can see in the cPanel access logs look like the following:

    127.0.0.1 - - [04/28/2008:13:39:01 -0000] "POST /.__cpanel__service__check__./serviceauth HTTP/1.0" 200 0 "" ""

    My guess/assumption was that this was related to chkservd or similar, but I'm not entirely sure. Would this offer a backdoor into cPanel, and is there something on the machine that's likely to be calling it? chkrootkit didn't find anything, but it's quite possible (if not probable) that there's something nasty lurking somewhere. It's just trying to find what that is the problem.

    EDIT: I can't see any lines like this on any other cPanel machine I run. My suspicion is that this may be the backdoor they're using. I'm running C23809, but I had these problems on release builds for a month or so - I had to disable all webmail clients as a temporary "fix".

    EDIT #2: I also had various clients logging in with "Crazy Browser 2.0.1", as detailed in the first post.
     
    #11 orudge, May 2, 2008
    Last edited: May 2, 2008
  12. cPanelNick

    cPanelNick Administrator
    Staff Member
    This is just a service check from chkservd. It is verifying that the service running on the port is a legitimate cPanel service.
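Detection logic over the two kinds of access-log lines this thread quotes (the "Crazy Browser" logins in the first post and the chkservd serviceauth probe above), added here as an example and not part of any post. The sample lines are constructed in the same layout; the full user-agent strings and the second IP (198.51.100.7) are made up, and the rule of flagging one account with successful logins from several IPs is an assumed heuristic, not something the thread prescribes.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of the cPanel access log quoted in the thread
# (the quoted lines were cut off, so the user-agent strings and second IP are made up).
SAMPLE_LOG = """\
41.219.209.3 - - [03/18/2008:02:46:22 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
41.219.209.3 - username [03/18/2008:02:46:46 -0000] "GET / HTTP/1.1" 301 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
41.219.209.3 - username [03/18/2008:02:47:12 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
127.0.0.1 - - [04/28/2008:13:39:01 -0000] "POST /.__cpanel__service__check__./serviceauth HTTP/1.0" 200 0 "" ""
198.51.100.7 - username [03/18/2008:09:10:00 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SERVICE_CHECK = "/.__cpanel__service__check__./serviceauth"

def parse_log(text):
    """Parse access-log lines into dicts (ip, user, ts, req, status, ua); unknown lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records

def is_service_check(rec):
    """chkservd probes cpsrvd from localhost; these lines are not user logins."""
    return rec["ip"] == "127.0.0.1" and SERVICE_CHECK in rec["req"]

def find_suspicious(records, watch_ua=("Crazy Browser",)):
    """Return {user: [reasons]} for authenticated (status 200) sessions worth a closer look."""
    ips_by_user = defaultdict(set)
    findings = defaultdict(list)
    for rec in records:
        if is_service_check(rec) or rec["user"] == "-" or rec["status"] != 200:
            continue
        ips_by_user[rec["user"]].add(rec["ip"])
        for needle in watch_ua:  # user agents seen in the thread's abuse cases
            if needle in rec["ua"]:
                findings[rec["user"]].append(f"login from {rec['ip']} with watched UA '{needle}'")
    for user, ips in ips_by_user.items():  # heuristic: one account, several client IPs
        if len(ips) > 1:
            findings[user].append(f"successful logins from {len(ips)} distinct IPs: {sorted(ips)}")
    return dict(findings)
```

Run `find_suspicious(parse_log(open("/usr/local/cpanel/logs/access_log").read()))` against a real log to get the same per-account report; the serviceauth probe is dropped before any counting.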
     
  13. rpmws
    Nick, you really need to make a tool to "change all account passwords on server NOW" and ask people 10 times if they are sure.

    Also... look at the shell manager. We need a button for disable ALL like you have jail all and enable all. Call these PANIC features~!!!! LOL
     
  14. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member
    Nice idea. Got to love a good old fashioned panic button when needed. :p

    Oh, and get some visine for that eye.. :D
     
  15. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member
    It must be large, red and flashing.

    For extra points, find a way to ship a physical button to all licensees with a nice flip cover. :D

    OK, off-topic.
     
  16. rpmws

    Like that damn thing they use on the Staples office supply TV commercials!!! Have it connect via WiFi and put it on the head desk at the web host's main office, in my case next to my bed.

    Get slight wind of accounts being accessed... BAM... slam that button and lock everyone out!! LOL
     